Slashdot Mirror
Websites Still Failing Basic Privacy Practices
DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"
That's not at all the birthday paradox.
It probably wasn't really their website you were entering your details into anyway...
Nullius in verba
It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.
Riiight - because people can easily sniff traffic at an ADSL DSLAM, wait no, at the L2TP router, wait not even there, oh - at the upstream to a Tier 1 ISP, no, not their either... So where exactly is someone going to sniff your data?
Oh, you're talking about someone on your LAN or Wifi access point? Well then, you have bigger issues!
Even if you're stuck on a cable node, most of the equipment I've seen filter other peoples data out via MAC of the cable modem - so you can't even sniff there...
This being said, where would the so-called 'privacy breech' sniffing take place?
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
Well i went to the site and changed http to https, and it brought up the page on an encrypted connection. looks like they aren't forcing you to submit it in the open after all.
All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
I stopped providing security on my websites when browsers made it too difficult for the average user (that I deal with) to continue using the site with a self signed certificate.
Sure, it won't help against a man in the middle attack. But that is truly the only attack that using self signed certificates is vulnerable to. Unlike completely unencrypted content.
If godaddy, verisign etc. didn't charge insane prices like £107 per year for a wildcard certificate for one domain, I would do actually buy the certificates needed. I already find 10USD too much for a wildcard certificate for the numerous domains I operate, so it would have to be quite a significant drop. It's not like they do any verification with the £107 certificates, they just want a credit card number.
Change is certain; progress is not obligatory.
I don't challenge your thesis, but your example stinks. First of all, the biggest problem as far as privacy is concerned is the database being sold to other companies. The next biggest problem is the database being outright stolen by crackers. Sniffing your POST as it goes across the wire is the least of your worries.
Second, it's just not reasonable to call https standard privacy practice in this case. Standard security practice is to use SSL for "sensitive" information. But it's not standard to consider name, birthdate and address sensitive. You can argue that it should be, but don't try to redefine reality by calling something standard that's not.