LinkedIn has addressed accusations and assertions about its launch of Intro on Wednesday last week.
In an official blog post, the professional social network clarified and shared more details about LinkedIn Intro, its security in particular.
Since Intro was introduced, there has been so much speculation about its implementation that LinkedIn’s Cory Scott had to blog about the “inaccuracies” and “misperceptions.”
Scott wrote that the LinkedIn Security team initially started with a core design for Intro, wherein they developed what they considered the most secure implementation possible.
Scott added that the team investigated several security threat models and even issued a challenge against each other to study scenarios of potential threats.
LinkedIn’s product design decisions and the subsequent implementation were re-examined against the policies created by the company’s Security and Legal teams.
Nonetheless, Scott said the LinkedIn Security team encourages people to contribute to an open discussion about threats in online services that deal with email and sensitive data.
Facts About LinkedIn Intro Security
1. The LinkedIn Security team isolated Intro in a discrete network segment and enforced security controls at every trust boundary.
2. The security team hardened its external and internal services, and cut exposure to third-party monitoring and tracking services.
3. iSEC Partners, an esteemed security consultancy, performed a detailed review of the code for mail parsing and insertion and for credential management.
4. In-house testers carried out penetration tests against the final implementation, with the LinkedIn Security team working closely with the Intro team to identify and address all vulnerabilities.
5. The security team ensured proper monitoring to spot potential attacks, react promptly, and reduce exposure right away.
6. All communication channels use SSL/TLS at each point of entry for emails between LinkedIn Intro, the third-party mail system, and the device itself.
Scott said the team never allows mail contents to enter their system unencrypted when the mail flows through LinkedIn Intro, and deletes the encrypted content from its systems after the user has retrieved the email.
7. The security team ensured that the effect of the iOS profile is unobtrusive to the member or user.
Scott said it is vital to note that the team only adds an email account that communicates with Intro, and that the profile uses a certificate to communicate with the Intro web endpoint via a web shortcut on the device.
Scott disputed a blog post written by security firm Bishop Fox on Thursday claiming that the team would change the device’s security profile in a different manner.