Not everyone was happy with the introduction of LinkedIn’s new feature “LinkedIn Intro,” which displays LinkedIn profiles of the people sending you emails directly in your iPhone email app.
Some blogs criticized Intro for being intrusive and clunky. But more importantly, with recent reports of LinkedIn’s compromised security, some said it would just be plain dangerous to trust the company with your emails.
Writing in Valleywag, Sam Biddle said,
A new LinkedIn feature called “Intro” promises to put user profiles directly inside your emails, something that’s never been possible before, because Apple specifically blocks this kind of visual bullshit. Why you’d ever want graphical profiles of college acquaintances and former bosses placed directly inside your emails, I don’t know—but maybe this will appeal to some, and to those power-users, God bless. For the rest of us, Intro should be avoided—not just because it’s obnoxious, but because it’s dangerous.
Biddle also quoted a blog post by internet security expert Bishop Fox which claims that LinkedIn basically hacks into your iPhone email.
Intro reconfigures your iOS device (e.g. iPhone, iPad) so that all of your emails go through LinkedIn’s servers. You read that right. Once you install the Intro app, all of your emails, both sent and received, are transmitted via LinkedIn’s servers.
“But that sounds like a man-in-the-middle attack!” I hear you cry. Yes. Yes it does. Because it is. That’s exactly what it is. And this is a bad thing. If your employees are checking their company email, it’s an especially bad thing.
Yesterday, LinkedIn officially responded to the concerns (and the Bishop Fox post in particular) about Intro with a statement on its blog titled “The Facts about LinkedIn Intro”, with most of the post devoted to refuting claims of LinkedIn’s iffy security.
When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios.
The post then goes on to list several measures LinkedIn took to make sure the email feature was secure; here are some of the key ones:
– All communications use SSL/TLS at each point of the email flow between the device, LinkedIn Intro, and the third-party mail system. When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems.
– We worked to help ensure that the impact of the iOS profile is not obtrusive to the member. It’s important to note that we simply add an email account that communicates with Intro. The profile also sets up a certificate to communicate with the Intro web endpoint through a web shortcut on the device. We do not change the device’s security profile in the manner described in a blog post that was authored by security firm Bishop Fox on Thursday.
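Both sides above agree on the mechanism: Intro installs an iOS configuration profile that adds a mail account whose servers are LinkedIn's rather than the user's provider's. The following added example (not code from LinkedIn, Bishop Fox or the original article) shows how a defender can audit such a profile: it parses a .mobileconfig plist, finds managed-mail payloads, and flags any whose incoming or outgoing host falls outside the organisation's trusted mail domains or has TLS switched off. The sample profile and hostnames are constructed for illustration.

```python
"""Audit an iOS configuration profile (.mobileconfig, an XML plist) for
mail-account payloads that route a mailbox through a host outside the
user's own mail provider, i.e. a proxying profile like the one described
in the article. Added example, not LinkedIn's or Bishop Fox's code."""
import plistlib

# Constructed sample profile: one managed-mail payload whose IMAP/SMTP
# hosts point at a hypothetical third-party relay, not the user's provider.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mail.managed</string>
    <key>EmailAddress</key><string>alice@example.com</string>
    <key>IncomingMailServerHostName</key><string>imap.relay.example.net</string>
    <key>IncomingMailServerUseSSL</key><true/>
    <key>OutgoingMailServerHostName</key><string>smtp.relay.example.net</string>
    <key>OutgoingMailServerUseSSL</key><false/>
  </dict></array>
</dict></plist>"""

MAIL_PAYLOAD = "com.apple.mail.managed"  # Apple's managed-mail payload type
HOST_KEYS = ("IncomingMailServerHostName", "OutgoingMailServerHostName")
TLS_KEYS = ("IncomingMailServerUseSSL", "OutgoingMailServerUseSSL")


def _trusted(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_profile(profile_bytes, trusted_suffixes):
    """Return one finding per mail payload: hosts outside the trusted
    provider domains (mail is being proxied) and legs with TLS disabled."""
    root = plistlib.loads(profile_bytes)
    findings = []
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != MAIL_PAYLOAD:
            continue
        hosts = [payload.get(k, "") for k in HOST_KEYS]
        foreign = sorted(h for h in hosts if not _trusted(h, trusted_suffixes))
        plaintext = [k for k in TLS_KEYS if not payload.get(k, False)]
        findings.append({"account": payload.get("EmailAddress", "?"),
                         "foreign_hosts": foreign,
                         "plaintext_legs": plaintext,
                         "proxied": bool(foreign)})
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, ["example.com"]):
        print(finding)
```

On a managed fleet the same check can be run against profiles exported from MDM, with `trusted_suffixes` set to the company's real mail domains.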
LinkedIn’s strategy to nip this concern in the bud shows how bruised it is from the password hacking incident, and it is not going to take accusations of being weak on security lightly. As the platform becomes more and more like Facebook, expect to see the same Facebook-esque battles over privacy concerns play out for LinkedIn.