Websites Still Failing Basic Privacy Practices
DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"
That Firefox saves the nasty warnings for Web sites that are encrypted!
HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it. Also, address and date of birth aren't usually considered confidential, even if you might not want to publish them.
This isn't a lot different than many of those post-card questionnaires many people fill out and mail in.
I think in this case, it's more important what they do with the information once they receive it.
That said, I think there should be default encryption wherever possible automatically.
That level of privacy is not considered important by anybody. Seriously.
Credit Card data - encrypted; your first and last name? Short of being in the witness protection program it is NOT considered a privacy issue. Sorry.
(I know, I know, it would be nice if it was).
Whitehouse.com seems to have no regard for the security of web visitors.
"XXXXX is committed to maintaining your trust by protecting personal information we collect."
Means nothing when every website harvesting your info says that.
A few years ago I was buying a state tax program and realized that their form that asked for all my private data was an http page! I was shocked. Then I added "s" after http and it happily connected me over SSL. How many people who buy Taxcut will check the protocol and change it?
"Flash Player of 7 or above is required" on a blank page.
so just stick an s after the http and you're golden.
unsure if that makes it better or worse for them though.
It's hard to believe that they are "committed to maintaining your trust by protecting personal information" when they disavow any responsibility if it's stolen. But I think that's pretty standard boilerplate.
Many, many people that I've tried to talk to about this very thing completely don't understand encryption at the most basic level - why it matters or if they have it. My guess from past experience is that if you tried to talk to P&G about it, the people responsible would try to tell you that it didn't need encryption, because the site is on *their* servers, so the data only goes on their network, and no amount of convincing would get them to think otherwise. The site you mentioned was probably farmed out anyways.
The state of affairs when it comes to the most basic data protection is really sad. One case was where I was applying for a job which required my SSN (a federal gov't position). The instructions were to download the form and email it. I called the number listed and explained why I wasn't going to include my SSN in an email, and they weren't mad, but they were annoyed. So you tell me a) did they wait for my app and trash it because I put "withheld for security reasons, will provide offline" (something like that) b) if the folks running the federal jobs website think it is okay to email around sensitive information (this was another one of those "your email is stored in our secure servers" things), then it must be okay, right?
Even in the physical realm, things aren't much better. A couple of months ago, I called a local business to complain that they'd charged my credit card a fee for canceling an appointment. (The number shouldn't be on file, I know. At the time I didn't realize that it was.) I explained to the person that when I canceled the appointment I was aware of the fee, but to send me a bill for it and I'd pay it when I got the bill. They sent me an invoice in the mail, with the charges and showing the balance was paid. I asked the guy which credit card they'd charged - and he proceeded to read off the type, entire number, and expiration date - without any authentication from me except my name and one other non-secret item, derived from the start of the conversation. I've since canceled that card, but people really don't understand.
There is very little future in being right when your boss is wrong.
Great example of poor coding and carelessness...VegNews.com
Trying to register for a launch party at VegNews I come across this (from google site cache)
google site cache of insecure page
Problems
1. No SSL, ssl not supported if you change the URL manually.
2. Lies about being secure, right there on the form. Nope.
3. The "action" points to an email *FormMailer* (http://vegnews.com/cgi-bin/SaveForm.pl).
So, not only does it lie about encrypting your credit card, it goes and emails it out afterward to who-knows-where to sit in personal archives for who-knows-how-long.
Suffice to say I didn't attend, but I'm still pissed I almost fell victim to that.
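As an added example (not code from the original thread or from any site named in it), here is a small Python audit that does what the poster did by hand: it parses a page's forms, resolves each action against the page URL, reports forms whose submission would leave the browser over plain HTTP, lists fields that look sensitive, and notes when the form's own text claims to be secure. The page URL, HTML and keyword lists are constructed assumptions.

```python
"""Audit a page's forms for sensitive fields that would be posted in the clear.
Added example for this thread, not code from any site discussed in it; the sample
URL, HTML and keyword lists below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic field-name fragments that should never travel over plain HTTP.
SENSITIVE_KEYWORDS = ("password", "passwd", "card", "ccnum", "cvv", "ssn", "dob", "birth")
# Words in a form's own text that amount to a security claim.
CLAIM_WORDS = ("secure", "encrypt")


class FormCollector(HTMLParser):
    """Collect each <form>'s action, field names/types and visible text."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": [], "text": ""}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            self._form["fields"].append(((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_data(self, data):
        if self._form is not None:
            self._form["text"] += data.lower()

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def is_sensitive(name, field_type):
    return field_type == "password" or any(k in name for k in SENSITIVE_KEYWORDS)


def audit_forms(page_url, html):
    """One finding per form whose submission leaves the browser unencrypted.
    A relative action inherits the page's scheme, so a form on an http:// page is exposed
    even if its action is just a path; an https:// page still leaks via an http:// action."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme == "https":
            continue
        findings.append({"action": target,
                         "sensitive_fields": [n for n, t in form["fields"] if is_sensitive(n, t)],
                         "claims_security": any(w in form["text"] for w in CLAIM_WORDS)})
    return findings


# Constructed sample: an http:// registration page carrying three forms.
SAMPLE_PAGE_URL = "http://shop.example/register"
SAMPLE_HTML = """<form action="/cgi-bin/SaveForm.pl" method="post"><p>Your details are secure.</p>
<input name="fullname"><input name="ccnum"><input name="cvv"></form>
<form action="https://login.example/login" method="post"><input name="user"><input type="password" name="pw"></form>
<form action="http://tracker.example/search"><input name="q"></form>"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```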
Honestly, your date of birth, age, address, and full name are worth absolutely nothing to the average person. Secondly, how many people actually run packet sniffers for malicious purposes? Not that many; then take that number and see how many really care about your address and name? Few, very few. Now, if this contained our social security number, we might be worried, but for this? It is making a mountain out of a molehill.
Taxation is legalized theft, no more, no less.
All they have to do is force all http requests to go to https and presto, it's done.
Expecting the user to manually add an 's' after http isn't very good or safe, IMO.
slashdot rocks
It probably wasn't really their website you were entering your details into anyway...
Nullius in verba
I put in some fake credentials to test it out, but unfortunately the email address asdf@asfd.com was already in use...
How can they maintain something they'll never have?
What?
One time I went to buy a night vision scope from a website. After filling out all of the shipping/billing information except for the credit card information itself, I noticed that it wasn't a secure submittal form. I immediately....
Accidentally hit the enter key, for which my incomplete order was submitted, no confirmation or anything.
a month later a strange box showed up C.O.D. It was the night vision.
"Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect."
Corporations, especially North American ones, tell great, honking lies all the time and get away with it. The business media are their whores, and what private individual has the time and/or money to challenge them?
A large corporation might actually tell the truth if a lawyer told them it was the most profitable course of action. Otherwise, believing one word uttered by a corporate spokesdrone, earns you the richly deserved reaming you're going to get. Mostly, these people would have to climb three steps up the evolutionary ladder just to qualify as douche bags.
Who was it that invented the phrase, "Your call is important to us"?
I've calculated my velocity with such exquisite precision that I have no idea where I am.
In "completely unsurprising news", the Washington Post just announced that "More data breaches have been reported so far this year than in all of 2007..." Hmm, I wonder if the subject of this page could have had something to do with those breaches... http://www.washingtonpost.com/wp-dyn/content/article/2008/08/25/AR2008082502496.html?nav=rss_email/components
"It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST"
If I wanted a list of names, birth dates and addresses to use for nefarious purposes I don't need to steal yours from some dinky website or sniff packets. I'd just take one of the plentiful lists of birth records on the internet like this one, then cross-reference it with property tax records of the area, which are more plentiful than the birth records, and it'll give probable name, dob, and address combinations. A good portion of probable matches can be confirmed through freely available court records. All of that data is fairly trivial to collect in bulk (I used to collect databases, was a pretty fun hobby actually), is perfectly legal and will provide a much better profile of matches than just name/dob/addr combinations stolen from a website or data stream.
Being that anal about your name, birth date and address is actually quite silly. There's so much low-hanging fruit as far as collecting that type of data is concerned (and you're probably already included in it) that all you really did by not continuing with that form was take yourself out of the running for a Wii.
The best thing you can really do is just keep close tabs on your credit report and get signed up for all the fraud alerts or freezes they offer. That's the best place to prevent and quickly repair most identity theft. Stop being so anal about info that's almost guaranteed to be out there already, set up your defenses where they're most effective and go get your Wii.
I stopped providing security on my websites when browsers made it too difficult for the average user (that I deal with) to continue using the site with a self signed certificate.
Sure, it won't help against a man in the middle attack. But that is truly the only attack that using self signed certificates is vulnerable to. Unlike completely unencrypted content.
If godaddy, verisign etc. didn't charge insane prices like £107 per year for a wildcard certificate for one domain, I would actually buy the certificates needed. I already find 10USD too much for a wildcard certificate for the numerous domains I operate, so it would have to be quite a significant drop. It's not like they do any verification with the £107 certificates, they just want a credit card number.
Change is certain; progress is not obligatory.
"You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?"
1. The form did not/does not require a password.
2. No password recovery systems I've seen in the last 10 years use either your address or DOB as the key. That information is too readily available in the public records...like the phone book. (If you disagree please point out a site/system that does use it).
3. You're worried about the privacy of your address and yet you're signing up for a contest that collects your name for marketing purposes...
4. P&G clearly states they use SSL for sensitive information and they clearly state what they believe sensitive information to be: "When we collect or transmit sensitive information such as a credit card number or health information, we use Secure Sockets Layer (SSL) encryption for added protection. Your browser indicates that SSL is in place by displaying either an unbroken key or a closed lock at the bottom of your browser window." http://www.pg.com/privacy/english/privacy_statement.html#tab2
I will perform a MitM attack and just intercept all HTTP requests and have it query the HTTPS URL while I read all their data unencrypted.
Change is certain; progress is not obligatory.
Phone book. Names, phone numbers addresses, all public. get over it!
I work at a college in IT and students don't think twice about rattling off stuff that's even considered private.
My dad sells cars, he brought me with because there's public data available at the county recorders office, I walked out of there with my dad after emailing some 34,000 names, addresses and phone numbers to my dad's email account for his silly mailers. All 100% legal.
So in short, nothing to see here, move along...
They stopped this practice recently, but for over a year, my student loan company required me to sign up for monthly paperless statements if I wanted to pay electronically. The statements were e-mailed in the form of a PDF attachment. The e-mail body assured me my privacy was intact because the file was password protected -- by my Social Security number!
Brilliant! If an interloper intercepted my e-mail, not only could he brute force my password with easy to find, easy to use tools (in a matter of minutes, since he knows the number of characters in it), but he'd know my SSN once he cracked it. I would have been better off with no password protection.
When I e-mailed Sallie Mae with the above information, the representative brushed it off. It was safe, he said, as long as I opened it on a non-public computer, because my SSN was not being sent over the Internet when I typed it in.
(The Consumerist didn't find it interesting, either.)
That is a remarkable site. What style, what innovative use of Frontpage. I especially like the inclusion of the HEAD section inside the form. Classy. Keep it real, TicketWizard5000! The clever use of submit buttons on a form rather than links must improve their site security considerably.
Help stamp out iliturcy.
What about slashdot? Strangely there is no https://slashdot.org/login.pl, even though here is a https://slashdot.org/my/logout. You can logout with SSL, you just can't log in with it.
There is no way I would enter that contest, the mom playing wii in TFA is showing zero cleavage.
When the iPhone was scheduled for release in Australia, Optus (arguably the second largest carrier in Australia) launched a dedicated website where potential customers could pay a $100 deposit to register their interest in the iPhone. You were prompted to complete a form, including providing Optus with your credit card to pay the deposit. I shit you not, the form *wasn't* encrypted. To this day, I wonder how many clueless individuals actually completed the form? The offer finished a few days after I first noticed it.
...to mention is that the whole point of a lot of those online forms (such as competitions etc) is to provide an opt-in to any kind of marketing dreck the site owner (or any of his mates) cares to send you.
The best way to keep your personal information private is to not hand it out. I know that should be obvious, but the fact seems to escape people when they appear to be being offered free ponies (or whatever).
To be fair, they did close the right before the , so at least it nests properly.
There's this thing called a "phone book", which displays the names, addresses, and phone numbers of everyone in the region. And it gets delivered to me via an unencrypted, minimum wage paperboy! It's not even sealed when I get it! Now, think of all the damage he could cause if he looked in one of these and stole everyone's personal data! I really wish that they would start encrypting the phone book with an impossible-to-break cypher. Like rot13. That would get him.
01110000 01010111 01101110 00110011 01100100
SSL secure? How?
If I self-sign SSL, Firefox will claim that the site is really, really evil and I get the dreaded "are you sure" routine; IE users might get a warning too that this is not the best SSL that somebody sells and IE can use, I read.
Why is SSL from VeriSign/others 'AUTOMATICALLY SAFE'? I'm quite sure VeriSign and others would be happy to give up the secure information to governments for interception if push came to shove and they were denied the right to sell in country X.
…every grandmother out there can do that. They all know exactly where it is and how to set the bit.
Don't take it personally, robo_mojo. Since the article is about overall web security, it just struck me as funny that the suggestion (a kind often made by the /. readership) is one of those types that the vast majority of the population would find worthless because it is a technical response.
Duracell? I just bought a wii last night, and it came with panasonic batteries for the wiimote.
is a great solution (Windows, OS X, Linux, *BSD, Solaris, etc). Once you've started the daemon, it's available everywhere you go, transparently. Just proxy your web surfing, mail access through the VPN server.
(Of course in the FA's example, it only encrypts half of the transmission - to your proxy - but it's these edge networks that are generally most vulnerable - home wireless, Starbucks, random offices, hotels, airports and local ISPs. That said, never forget the NSA is listening on core networks.)
you had me at #!
Between 1999 and 2001 I worked at a local Washington, DC ISP, and I was impressed with the number of sites we hosted that carefully encrypted their customers' credit card information as it traveled to our server racks, then delivered it to the site operators by plaintext email to an AOL account.
Sure, times have changed, but short of auditing the offices of your favorite e-commerce sites, how do you know what they do with your data after you carefully check that all their forms submit with "https://"?
...Cliff Stoll recognised the thing we're struggling with here. They didn't have a name for it then, but now we call it data mining.
The problem is that your name, address, and birthday aren't that important to keep secret by themselves. Uniquely identifying you with that information isn't a big deal in isolation either, but using that identity to cross reference you as the person who entered this contest with something else you've done allows people to draw connections in your behaviour. It used to be that connecting the dots involved hours of research, footwork, and digging through stacks in the library. Now it's available online, and can be sorted and filtered.
It's a personal version of "sensitive but unclassified" information.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
nabble.com has this little treat: http://www.nabble.com/help/Answer.jtp?id=25 I wonder if they realize that the average user has a "standard" password they use everywhere. If so, then they are knowingly phishing. If not, they're morons. As you might imagine, I decided not to use my "standard" password when registering on their site. Am I going to remember it the next time I log in? Probably not. Oh well.
Monster.com - They even have those annoying requests for information that have asked for SSN before! Of course, nothing (not even login) is https. They've recently forced stricter passwords to increase security, but they didn't seem interested when I pointed out they should use ssl to improve login security. The rep I spoke with says, of course it's secure! When you type in your password it shows stars instead of the password.
I'll see your pity post, and I'll raise you:
Post detailing the find (in Dutch)
Actual site (also in Dutch)
So, this article is really not too interesting. You'll find I'm a huge advocate of making the public more aware of social engineering in general, but seriously, if a social engineer wanted that info from someone, he wouldn't bother with a sniffer. He'd just ask for it. Anyhow, the article may be disappointing, but the topic is GREAT :). I did want to point out that Cisco until recently had the student portal logon in plaintext. A few years back, in college, us students would sniff each other's Cisco logon passwords, and... well... brag about it, because there was nothing there to really steal. But it's still interesting that Cisco of all companies did not encrypt this bit.
I was going to register to vote via the Rock the Vote website, until I discovered that the page wasn't encrypted, and asked for my name, address, driver's license OR last 4 of my social security #, etc. I'll be doing this registration in person. No sense in letting multiple hands have the opportunity of losing my data, just the State of Connecticut...
"I never did give anybody hell; I just told them the truth, and they thought it was hell." - Harry S. Truman
This misses an important point. T-Mobile, a major European mobile phone operator, are - like everyone - passionate about looking after your security and so your connection, password is all https secured. However the password you use to login as a customer is available in clear text to all their employees. When you go to one of their shops with an inquiry they ask you for your password which, on a busy shopping day, means sharing it aloud with 20+ other punters. Luckily (and deliberately) my password for their service was "Mind your own fucking business" - so there was a moment of semantic disambiguation required after I had replied to the shop assistant's polite, but loud, request. Online web services should be obliged to declare *how* they manage your personal data - a secure pipe isn't enough if all the personal data is floating around in a near-public barrel at the other end.