Slashdot Mirror


Websites Still Failing Basic Privacy Practices

DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"

15 of 205 comments

  1. Read The Fine Print by candude43 · · Score: 2, Informative
    Or the official rules.

    Neither Sponsor nor SoftCoin are responsible for lost, late, incomplete, stolen, misdirected or illegible plays, registrations, entries, Code requests, email, postage due mail or replies to Code requests which are returned as undeliverable mail; or for any computer, telephone, satellite, cable, network, electronic or Internet hardware or software malfunctions, failures, connections, or availability, or garbled, corrupt or jumbled transmissions, service provider/Internet/website/use net accessibility, availability, or traffic congestion, or any technical error, or unauthorized human intervention, or the incorrect or inaccurate capture of registration, Code, entry or other information, or the failure to capture, or loss of, any such information. Neither Sponsor nor SoftCoin are responsible for any incorrect or inaccurate information, whether caused by Website users, tampering, hacking, or by any of the equipment or programming associated with or utilized in the Promotion and assume no responsibility for any error, omission, interruption, deletion, defect, delay in operation or transmission, communications line failure, technical error, theft or destruction or unauthorized access to the Promotional Website.

    It's hard to believe that they are "committed to maintaining your trust by protecting personal information" when they disavow any responsibility if it's stolen. But I think that's pretty standard boilerplate.

  2. Re:but realistically by blueg3 · · Score: 3, Informative

    That's not at all the birthday paradox.

  3. Don't blame P&G or Duracell by bugs2squash · · Score: 3, Informative

    It probably wasn't really their website you were entering your details into anyway...

    --
    Nullius in verba
  4. Re:Nobody considers that import by CRC'99 · · Score: 3, Informative

    It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

    Riiight - because people can easily sniff traffic at an ADSL DSLAM, wait no, at the L2TP router, wait not even there, oh - at the upstream to a Tier 1 ISP, no, not there either... So where exactly is someone going to sniff your data?

    Oh, you're talking about someone on your LAN or Wifi access point? Well then, you have bigger issues!

    Even if you're stuck on a cable node, most of the equipment I've seen filters other people's data out via MAC of the cable modem - so you can't even sniff there...

    This being said, where would the so-called 'privacy breach' sniffing take place?

    --
    Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  5. Re:It's a good thing by stfvon007 · · Score: 5, Informative

    Well, I went to the site and changed http to https, and it brought up the page on an encrypted connection. Looks like they aren't forcing you to submit it in the open after all.

    --
    All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
  6. Re:but realistically by gringer · · Score: 1, Informative

    I think they're trying to point out that it's a problem if anyone gets anyone else's data, rather than anyone getting a particular person's data (namely your own). This seems fairly similar to the Birthday Paradox.

    http://en.wikipedia.org/wiki/Birthday_paradox#Same_birthday_as_you

    --
    Ask me about repetitive DNA
  7. Stopped using SSL by Ash-Fox · · Score: 4, Informative

    I stopped providing security on my websites when browsers made it too difficult for the average user (that I deal with) to continue using the site with a self signed certificate.

    Sure, it won't help against a man in the middle attack. But that is truly the only attack that using self signed certificates is vulnerable to. Unlike completely unencrypted content.

    If GoDaddy, VeriSign etc. didn't charge insane prices like £107 per year for a wildcard certificate for one domain, I would actually buy the certificates needed. I already find 10USD too much for a wildcard certificate for the numerous domains I operate, so it would have to be quite a significant drop. It's not like they do any verification with the £107 certificates, they just want a credit card number.

    --
    Change is certain; progress is not obligatory.
  8. Re:Nobody considers that import by telbij · · Score: 3, Informative

    I don't challenge your thesis, but your example stinks. First of all, the biggest problem as far as privacy is concerned is the database being sold to other companies. The next biggest problem is the database being outright stolen by crackers. Sniffing your POST as it goes across the wire is the least of your worries.

    Second, it's just not reasonable to call https standard privacy practice in this case. Standard security practice is to use SSL for "sensitive" information. But it's not standard to consider name, birthdate and address sensitive. You can argue that it should be, but don't try to redefine reality by calling something standard that's not.

  9. Stop making stuff up. by Anonymous Coward · · Score: 1, Informative

    "You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?"

    1. The form did not/does not require a password.

    2. No password recovery systems I've seen in the last 10 years use either your address or DOB as the key. That information is too readily available in the public records...like the phone book. (If you disagree please point out a site/system that does use it).

    3. You're worried about the privacy of your address and yet you're signing up for a contest that collects your name for marketing purposes...

    4. P&G clearly states they use SSL for sensitive information and they clearly state what they believe sensitive information to be: "When we collect or transmit sensitive information such as a credit card number or health information, we use Secure Sockets Layer (SSL) encryption for added protection. Your browser indicates that SSL is in place by displaying either an unbroken key or a closed lock at the bottom of your browser window." http://www.pg.com/privacy/english/privacy_statement.html#tab2

  10. Re:Ignorance at work by Ritchie70 · · Score: 2, Informative

    Afraid I don't understand actually.

    OK, the merchant shouldn't have your card # on file.

    But wait, actually, according to my understanding of current PCI rules, they can have it on file, so long as it's secure from hacking. Not fraud, hacking.

    Fraud = an employee steals the number or is fooled into giving it away.
    Hacking = IT security breach causes the loss.

    So if they wrote it on a piece of paper and put it in a file drawer, it's fine.

    If it's in electronic format, that's something they have to prove is secure - or, assuming they're a minor merchant, they have to claim is secure.

    Now, we all know how easy it is to fool someone into giving you the card number, but once again, that would be fraud, and is not really covered by the PCI standard afaik.

    --
    The preferred solution is to not have a problem.
  11. Re:It's a good thing by robo_mojo · · Score: 2, Informative

    It only takes adding an "s" in the form element...

    And a valid signed cert, if the site owner doesn't want his users getting annoying warnings...

  12. Re:Sallie Mae e-mailed me my SSN number regularly by mpaulsen · · Score: 2, Informative

    It's not hypothetical. SallieMae has sent that email to the wrong person, and it did prove to be easy to crack. In fact, your post sounds an awful lot like... http://www.ownrecognizance.com/salliemae.html

    They stopped this practice recently
    Do you have any details? I'd like to see their announcement of the change.

  13. Re:It's a good thing by Covener · · Score: 2, Informative

    When is this "sometimes" you speak of?
    If it's <form action="https://server.tld/page.ext"> the data is submitted via https. Period. If you're already on a HTTPS site, a <form action="page.ext"> is enough.
    Of course if the site uses JavaScript to read the values and transfer it by other means, that connection should be encrypted too. But if you temporarily disable JavaScript, you're safe.

    He surely means in the case the form action explicitly lists http; changing the protocol of the referring page doesn't accomplish anything.

  14. Suggestion: OpenVPN by toby · · Score: 2, Informative

    is a great solution (Windows, OS X, Linux, *BSD, Solaris, etc). Once you've started the daemon, it's available everywhere you go, transparently. Just proxy your web surfing, mail access through the VPN server.

    (Of course in the FA's example, it only encrypts half of the transmission - to your proxy - but it's these edge networks that are generally most vulnerable - home wireless, Starbucks, random offices, hotels, airports and local ISPs. That said, never forget the NSA is listening on core networks.)

    --
    you had me at #!
  15. Re:but realistically by holophrastic · · Score: 2, Informative

    a few things. first, the cert has nothing to do with the encryption. the cert isn't a security thing, it's a third-party vouching system. if you trust the company in the first place, the cert does nothing for you anymore.

    as for the actual encryption, if you indeed believe that someone may be intentionally intercepting your transmissions, then yes the encryption is important when transmitting your credit card information. But it's purely a transmission thing. the https encryption only solves someone intercepting packets during transit.

    but on the other end, the company has your card information in plain text. you have no control over what they do with it, nor who gets to see it. that's just you trusting them. but you're not just trusting them, you're trusting everyone with physical access to their systems -- like their janitors, and the punk who repairs their chairs.

    but in truth, really none of it matters at all because if you're using a major credit card, you aren't responsible for fraudulent charges. they can steal your card, use it a million times, you get the statement, refuse to pay it, and your credit card company deals with the problem. All of the steps that you can take to lessen the risk of credit card theft do absolutely nothing for you -- they just help your credit card company by sparing them the trouble. It was never your problem. That's the benefit of a credit card over interac.

    it's funny, all of those horrible credit card anti-fraud things are marketed as though they are features for you, they aren't. they're annoying and aggravating, and make it more difficult to use the card -- but they save the credit card company time and money. "keeping your card number safe", it was never my card number, it's their card number leslie.