Facebook, Twitter, and WordPress have failed a security exam conducted by "security think tank" Digital Society, highlighting old vulnerabilities most recently displayed by the spread of Firesheep.
Gmail and WordPress, which use an encryption and identification process known as SSL, received A's. Google scored a C, Yahoo and Amazon received a C-, and Hotmail and Flickr received a D-.
The main reason Twitter and Facebook failed is because neither uses complete SSL authentication, according to the report. In other words, a user can't know for sure if the authentication page they think they're visiting is actually HTTP. WordPress without SSL, the free version commonly used by personal bloggers, also lacked SSL authentication for logins.
A Facebook spokesman said the company has "been making progress testing SSL access across Facebook and hope to provide it as an option in the coming months."
The report, however, "fails to include many important security metrics that place Facebook as a leader in this industry and doesn't even mention many of the unique security features we offer to make accounts more secure such as login notification, remote session management, one-time passwords and internal spam prevention systems," Facebook continued.
George Ou, a policy director at Digital Society and author of the report card, said "the vulnerability and easy exploitation [of] online services have been well known since 2007, [but] the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years."
In January,Google announcedthat it would encrypt Gmail at all times, not just during sign-on, and make the process an opt-out feature rather than opt-in, likely contributing to its A grade.
Microsoft, meanwhile,told Outhat it will default its Hotmail to SSL browsing this month.
Ou promised to create an online service report card that will be upated over time. For more details, see hisfull report.
"Yahoo is committed to protecting user security and privacy," a spokeswoman said in a statement. "Online communication theft is an industry-wide challenge and we are constantly working on ways to identify and mitigate the threats posed by others while protecting our users. Yahoo recommends all users exercise caution when sending private data or communications via an unsecure network. Yahoo is also committed to helping educate users about how they can protect themselves online."
"We take security seriously but we don't have a comment on the report card," a Twitter spokeswoman said in an e-mail.
WordPress did not respond to a request for comment.
Last week a Firefox add-on,Firesheep, began circulating the Web. It allowed any novice computer user to hijack user accounts through Wi-Fi.