Security of the Proposed Online Social Network
Trust Model of the Proposed Online Social Network
The following table compares the trust relationships of the proposed online social network with conventional online social networks and other alternative architectures proposed by different scholars. A "Yes" means that the online social network architecture trusts the given entity when it comes to security and privacy of users, and a "No" is the opposite of the same fact. Some conventional online social networks provide some adjustable privacy controls for users. However, the users must adjust their privacy settings to get the desired level of security and privacy. Based on users' preferences or knowledge about such controls, the level of trust placed on external entities can vary from user to user. Therefore, such scenarios are represented with a "Yes and No". In conventional online social networks, the indexing service provider and the data storage provider are the same, i.e. the social network operator, and by default the social network operator is a trusted entity in conventional online social networks. Other proposed alternative online social network architectures have not discussed providing an index service to search and add new friends.
| Architecture | Friends | External Entities | Non-friend Users | Indexing Service Provider | Data Storage Provider(s) |
|---|---|---|---|---|---|
| Conventional online social networks | Yes | Yes & No | Yes & No | Yes, represents the social network operator | Yes, represents the social network operator |
| Anderson et al. | Yes | No | No | Unknown | No |
| Shakimov et al. - Vis-à-Vis | Yes | No | No | Unknown | Yes |
| Baden et al. - Persona | Yes | No | No | Unknown | No |
| Cutillo et al. - Safebook | Yes | No | No | Unknown | Yes |
| Seong et al. - PrPl | Yes | No | No | Unknown | Yes |
| Jahid et al. - DECENT | Yes | No | No | Unknown | No |
| Buchegger et al. - PeerSoN | Yes | No | No | Unknown | Yes |
| Aiello and Ruffo - LotusNet | Yes | No | No | Unknown | No |
| Nilizadeh et al. - Cachet | Yes | No | No | Unknown | No |
| Proposed Architecture | Yes | No | No | No | No |
Security in Different Functionalities
ITU-T, in their X.800 standard, has defined fourteen security services under five categories. The table below shows how different functionalities adhere to these security services in the proposed online social network architecture. In this table, when a security service is not applicable to a particular functionality, it is mentioned as “N/A”. The security services that are not listed in this table are not relevant to all the functionalities. In other words, only the security services that have a relevance to at least one of the functionalities are shown in the table.
| Functionality | Access Control | Connectionless Confidentiality | Data-origin Authentication | Peer Entity Authentication | Connectionless Integrity | Nonrepudiation, Origin |
|---|---|---|---|---|---|---|
| User registration | ✔ | N/A | N/A | ✔ | N/A | ✔ |
| Creating a user profile | ✔ | ✔ | N/A | ✔ | N/A | ✔ |
| Accessing and updating a user profile | ✔ | N/A | N/A | ✔ | N/A | ✔ |
| Deleting a user profile | ✔ | N/A | N/A | ✔ | N/A | ✔ |
| Adding friends and contacts to the network | N/A | ✔ | ✔ | N/A | ✔ | ✔ |
| Removing friends and contacts from the network | ✔ | N/A | N/A | ✔ | N/A | ✔ |
| Accessing friends' profiles | ✔ | ✔ | ✔ | ✔ | N/A | N/A |
| Sharing information and content | ✔ | ✔ | N/A | ✔ | N/A | ✔ |
| Wall posting | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Messaging | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Security Against Identified Attacks
Cutillo et al. (Cutillo et al. 2010) present a spectrum of attacks that are common in OSN environments and their malicious intentions. Resiliency of the proposed online social network against these attacks is summarized in the table below.
| Attack | Vulnerability |
|---|---|
| Plain impersonation | Vulnerable. |
| Profile cloning | Safe. |
| Profile porting | Vulnerable. |
| Profile hijacking | Safe. |
| Profiling | Safe. Such an attack is only possible at the level of the user's public profile. |
| Secondary data collection | Less vulnerable due to immunity against profiling. |
| Fake requests | Vulnerable. |
| Crawling and harvesting | Safe, and only vulnerable up to users' public profiles. |
| Image retrieval and analysis | Safe. |
| Communication tracking | Safe, and only vulnerable to the extent of leakage of information to CDCs, pertaining to how frequent the communications are. |
| Fake profiles and Sybil attacks | Vulnerable. |
| Ballot stuffing | Safe. |
| Defamation | Safe. |
| Censorship | No censorship at an social network operator level. Censorship is still possible at group levels by group moderators. |
| Collusion attacks | Safe. However, a successful DoS attack to the Advertiser can block adding new friends. |
Known Cloud Security Risks
Stallings and Brown (Stallings and Brown, 2011) have provided a list of known technical security risks in cloud computing environments. These security risks are listed below. However, it is important to note that the proposed architecture that relies on cloud datacenters to store user profiles, is still resilient against all these security risks.
- Abuse and nefarious use of cloud computing
- Insecure interfaces and APIs
- Malicious insiders
- Shared technology issues
- Data loss or leakage
- Account or service hijacking
- Unknown risk profile