Slashdot Mirror


Websites Still Failing Basic Privacy Practices

DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"

38 of 205 comments

  1. It's a good thing by XanC · · Score: 5, Insightful

    That Firefox saves the nasty warnings for Web sites that are encrypted!

    1. Re:It's a good thing by stfvon007 · · Score: 5, Informative

      Well, I went to the site and changed http to https, and it brought up the page on an encrypted connection. Looks like they aren't forcing you to submit it in the open after all.

      --
      All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
    2. Re:It's a good thing by palegray.net · · Score: 3, Insightful

      While the responsibility does lie with the consumer to take appropriate technical measures to safeguard his personal information, is it too much to ask for a company to make SSL the default when submitting information?

      It only takes adding an "s" in the form element...

  2. but realistically by Anonymous Coward · · Score: 5, Insightful

    HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it. Also, address and date of birth aren't usually considered confidential, even if you might not want to publish them.

    This isn't a lot different than many of those post-card questionnaires many people fill out and mail in.

    I think in this case, it's more important what they do with the information once they receive it.

    That said, I think there should be default encryption wherever possible automatically.

    1. Re:but realistically by Anonymous Coward · · Score: 4, Funny

      I sniffed the password to a Slashdot account! Yours! And I'm using it to post a reply to your post!

    2. Re:but realistically by blueg3 · · Score: 3, Informative

      That's not at all the birthday paradox.

    3. Re:but realistically by Anonymous Coward · · Score: 5, Interesting

      I run a copy of Wireshark whenever I'm at a coffee shop, airport lounge, or anywhere else there is a wireless hotspot. You would be amazed at the volume of info that gets sent in the clear - passwords, personal info, you name it. My favorite are people who log onto their webmail using HTTP:// not HTTPS://..... Simple rule I use and push is - if you are on a public (or untrusted) network, use a VPN or SSH tunnel.

    4. Re:but realistically by jd · · Score: 5, Interesting

      Information is context-sensitive. The VERY first thing you learn when using encryption systems is that it's much easier to crack something where you know what the plaintext should look like. The second thing you learn is that the information around the encrypted data is often far more valuable intelligence-wise than the encrypted stuff. That's why those of you who have ever been instructed on the use of STU-III phones were told NOT to chat before inserting the encryption card. (You WERE paying attention to those talks, right? Right???)

      Next, there's this thing called the European Union. They're getting, oh, just a little sensitive about personal information these days. You know, what with German banks freely selling personal data (such as bank account details) to anyone who calls up, despite some of the toughest data protection laws in the world. Americans may view them as unimportant nobodies, but they are at least grasping the idea that ANY unnecessary exposure of personally-identifying information is a very high risk to the individual (identity theft) and a fairly substantial risk to the economy as a whole (such theft costs - and it costs a whole lot more than any "terrorist" threat ever did).

      Name and address "high risk information"? If it can be used in a social engineering attack on a bank, credit card company or Government department (and usually such people do not make much effort to validate who a person is), then it is high risk. It doesn't matter if such information has always been viewed as public, as long as human operators (and computer programs) are satisfied that such information proves identity, it is not safe to expose.

      Oh, and as for the fact that this information is actually used as a substitute for secure passwords, The Cheshire Catalyst was responsible for publishing a rather pointed song on the subject by breaking into the PRESTEL account of a BBC presenter whilst he was demonstrating the service live on BBC television. The lyrics should be required reading material for anyone who uses any kind of online service, and failure to heed its warnings should be considered no different from reckless driving or setting off fireworks inside a furniture store.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:but realistically by blueg3 · · Score: 4, Insightful

      What they're trying to point out is that while it may be rare that anyone is out to steal your personal information, people stealing personal information in general is quite common.

      While this may bear a passing resemblance to the birthday paradox, it isn't the birthday paradox. It's like when people claim that X has something to do with relativity. They're almost always wrong. The birthday paradox is a very particular statistical error, and this isn't it. :-)

      It's actually easier, anyway, to point out that someone trying to specifically steal "your" credentials just isn't the way it's done. That's a rare attack, because the investment is high compared to the reward. It's far easier to, say, run a credential-harvesting script in a local Starbucks with free wireless every day for a couple of weeks. (It's also rare, though more devastating, to just grab the personal information off of their server.)

    6. Re:but realistically by holophrastic · · Score: 3, Insightful

      I certainly agree with your first sentiment -- not everything needs to be encrypted. I certainly see the value in encrypting cash and effectively-cash information -- like credit card information. But honestly when it comes to simple privacy information, https is way over-kill. I don't want to slow the web down by 300% just to encrypt everything. Not only is it not necessary -- it's not like packets are intercepted frequently -- but it's by far nowhere near the weakest link.

      I've been to, and photographed, bank machines that use external modems, loose and visible cables, and simple network jacks that could be easily by-passed. Your mail in most physical mailboxes is wide open for viewing. Hey, your licence plate is just sitting in your driveway.

      But by far, don't worry about the guy stealing your packets. Worry about the 16 year-old at the gas station that takes your credit card. The secretary at whatever company that answers the phone, the customer service agent. These people are all effectively able to intercept your packets, and you talk to them willingly as customer service for every company you've ever called where you weren't talking to the owner.

      Our industry here is one where the principles of security have matured to the point where it seems like everything needs to be high-security. But in reality, every other industry on this planet is wide open by comparison.

      I'm reminded of something as simple as the sign at my local performing arts theatre that reads "no audience members beyond this point", engraved into a placard beside the door to back-stage. However the door itself is unlocked. I go back after every performance to express my appreciation.

      Security for security sake is not only stupid, it's dangerous. It's what had me removing my shoes crossing the border last week. And in the end, after all of the security, I still wound up flying into and out of the U.S. with a knife in my pocket that everyone -- including myself -- missed entirely.

      Security is necessary only to the point where something needs securing -- that means it has value, someone wants it, and someone is trying to take it. That last part is vital to the equation. Securing something that no one is trying to steal is a waste of effort, money, resources, time, and other liberties. You know, like three hours at an airport to take a $35, 25 minute flight.

    7. Re:but realistically by speedingant · · Score: 3, Insightful

      If information is freely flying through the air, without encryption, does that mean he is doing something wrong?

  3. Nobody considers that import by topham · · Score: 4, Interesting

    That level of privacy is not considered important by anybody. Seriously.

    Credit Card data - encrypted; you're first and last name? short of being in the witness protection program it is NOT considered a privacy issue. sorry.

    (I know, I know, it would be nice if it was).

    1. Re:Nobody considers that import by linear+a · · Score: 4, Funny

      The big sites *must* be interested in privacy. They're plastered with security and privacy notices.

    2. Re:Nobody considers that import by Anonymous Coward · · Score: 4, Funny

      No, I'm not "first and last name."

    3. Re:Nobody considers that import by DigitAl56K · · Score: 4, Insightful

      That level of privacy is not considered important by anybody.

      It is by me (obviously) ;)

      You don't think a name, address, DOB, and password all going plaintext is troublesome? How many people use the same password for half a dozen websites? How many password recovery systems use address or DOB?

      With specific regard to "trust", here you have a website asking for a bunch of personal information without taking the most basic precautions to protect it in transit and without an SSL certificate that identifies the owners to inform you where the data might really be going to.

      It was enough to make me cancel out.

    4. Re:Nobody considers that import by tokenturtle · · Score: 5, Insightful

      Exactly. The junk mail that's in my mailbox every day has more detailed information on the outside of the envelope. This is really a non-issue.

    5. Re:Nobody considers that import by Anonymous Coward · · Score: 3, Funny

      you're first and last name?

      Oh c'mon - it's YOUR not you're

    6. Re:Nobody considers that import by DigitAl56K · · Score: 4, Insightful

      If your junk mail shows your date of birth and password I'd be worried. It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

      BTW what has happened to /. tonight? If Google switched their login page to http would nobody care?

    7. Re:Nobody considers that import by Zero__Kelvin · · Score: 4, Insightful

      You missed the real story, to wit:

      "Internet users still can't seem to get the basics of privacy and security on the Web pulled together. Web users still offer up information they consider to be private and sensitive, on the almost zero chance they will win a Wii, to companies about which they know little or nothing. They still believe the company can and should be trusted with their data, based solely on the fact that the company's products have a little brand recognition ..."

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Nobody considers that import by Kent+Recal · · Score: 4, Insightful

      Exactly. This "article" is yet another bad joke (slashdot disappoints a lot lately).

      Dear "DigitAl56K": If you're so worried about losing your first and lastname on the interwebs then why the hell do you participate in retarded lotteries?
      Here's a little secret: If you don't push that submit button then nobody will ever get your information!

    9. Re:Nobody considers that import by cycleguy55 · · Score: 3, Insightful

      Yeah, the only people that want that level of data are those involved in identity theft. Given the number of people who have had their lives turned upside down through identity theft, we should all be vigilant - including challenging any and all Web sites that don't use proper practices to protect personal information.

    10. Re:Nobody considers that import by CRC'99 · · Score: 3, Informative

      It's also a little harder for an observer to collect millions of records from junk mail than it is to sniff at a router and log all the traffic automatically.

      Riiight - because people can easily sniff traffic at an ADSL DSLAM, wait no, at the L2TP router, wait not even there, oh - at the upstream to a Tier 1 ISP, no, not there either... So where exactly is someone going to sniff your data?

      Oh, you're talking about someone on your LAN or Wifi access point? Well then, you have bigger issues!

      Even if you're stuck on a cable node, most of the equipment I've seen filter other people's data out via MAC of the cable modem - so you can't even sniff there...

      This being said, where would the so-called 'privacy breach' sniffing take place?

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
    11. Re:Nobody considers that import by telbij · · Score: 3, Informative

      I don't challenge your thesis, but your example stinks. First of all, the biggest problem as far as privacy is concerned is the database being sold to other companies. The next biggest problem is the database being outright stolen by crackers. Sniffing your POST as it goes across the wire is the least of your worries.

      Second, it's just not reasonable to call https standard privacy practice in this case. Standard security practice is to use SSL for "sensitive" information. But it's not standard to consider name, birthdate and address sensitive. You can argue that it should be, but don't try to redefine reality by calling something standard that's not.

  4. White House site by Anonymous Coward · · Score: 4, Funny

    Whitehouse.com seems to have no regard for the security of web visitors.

    1. Re:White House site by bonekeeper · · Score: 4, Funny

      Nor for the privacy and freedom of speech, actually!

  5. Right... by Anonymous Coward · · Score: 4, Insightful

    "XXXXX is committed to maintaining your trust by protecting personal information we collect."

    Means nothing when every website harvesting your info says that.

    1. Re:Right... by Ethanol-fueled · · Score: 4, Insightful

      Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form

      People actually do that? Legend has it that some folks still fill out meatspace paper rebate forms so that they could wait 60 days to receive a 65-cent check in the mail.

  6. Taxcut http by Anonymous Coward · · Score: 5, Interesting

    A few years ago I was buying a state tax program and realized that their form that asked for all my private data was an http page! I was shocked. Then I added "s" after http and it happily connected me over SSL. How many people who buy Taxcut will check the protocol and change it?

    1. Re:Taxcut http by rriven · · Score: 3, Insightful

      It does not matter when you fill the form. As long as when you clicked submit and it went to a https page you are safe.

      That is how all the sites that don't handle CC or SSN's do it. It reduces overhead and load time. Even gmail did until recently.

      --
      Dan
    2. Re:Taxcut http by SpottedKuh · · Score: 4, Interesting

      It does not matter when you fill the form. As long as when you clicked submit and it went to a https page you are safe.

      Now if only you had some assurance that the http-based form hadn't been MitM'ed, such that the "Submit" button no longer submits where you want it to. E.g., if the form were sent over https.

    3. Re:Taxcut http by FLEB · · Score: 3, Insightful

      Actually, I've heard this discussion come up before-- generally, you want the login form SSL encrypted, as well, to verify the identity and integrity of the form. Otherwise, it leaves the possibility for phishing, poisoned DNS, or a man-in-the-middle attack that rewrites the form to submit to a malicious intermediary. (Granted, a person viewing the code could see that last one, but I know I certainly don't eagle-eye the action param on every form I submit before I hit "go".)

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
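The distinction SpottedKuh and FLEB draw above (a form that posts to https is still exposed if the page carrying it arrived over http) can be checked mechanically. The following is an added example, not part of the original thread: a small audit that classifies each form on a page. The sample HTML, the `example.test` URLs, the verdict labels and the list of "personal" field hints are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field types/names treated as personal data here (an assumption for this
# example, chosen to match the fields mentioned in the thread).
SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_NAME_HINTS = ("name", "address", "dob", "birth", "ssn", "pass")

# Constructed sample page: a contest form, a login form, a search box.
SAMPLE_HTML = """
<form method="post" action="/enter">
  <input type="text" name="full_name"><input type="text" name="dob">
</form>
<form method="post" action="https://example.test/login">
  <input type="password" name="pw">
</form>
<form action="/search"><input type="text" name="q"></form>
"""

class FormCollector(HTMLParser):
    """Collect the action and input fields of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def is_sensitive(fields):
    # True if any field's type or name suggests personal data.
    return any(t in SENSITIVE_TYPES or any(h in n for h in SENSITIVE_NAME_HINTS)
               for t, n in fields)

def audit_forms(page_url, html):
    """Return a (submit_target, verdict) pair for every form in the page."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    results = []
    for form in parser.forms:
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        if not is_sensitive(form["fields"]):
            verdict = "ok-no-personal-data"
        elif urlsplit(target).scheme != "https":
            verdict = "cleartext-submit"          # data readable in transit
        elif page_scheme != "https":
            # Encrypted submit, but the form's markup (including its action)
            # arrived unauthenticated and could have been altered in transit.
            verdict = "https-submit-from-unauthenticated-page"
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results
```

Calling `audit_forms("http://example.test/contest", SAMPLE_HTML)` flags the first two forms; the same markup audited under an `https://` page URL passes, because the relative action then resolves to https as well.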
  7. Don't blame P&G or Duracell by bugs2squash · · Score: 3, Informative

    It probably wasn't really their website you were entering your details into anyway...

    --
    Nullius in verba
  8. Email address already in use by teh+moges · · Score: 3, Funny

    I put in some fake credentials to test it out, but unfortunately the email address asdf@asfd.com was already in use...

  9. "maintaining your trust" by iminplaya · · Score: 3, Insightful

    How can they maintain something they'll never have?

    --
    What?
  10. Name, Address and Dob are a joke by jbsooter · · Score: 5, Interesting

    "It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST"

    If I wanted a list of names, birth dates and addresses to use for nefarious purposes I don't need to steal yours from some dinky website or sniff packets. I'd just take one of the plentiful lists of birth records on the internet like this one then cross reference it with property tax records of the area which are more plentiful than the birth records and it'll give probable name, dob, and address combinations. A good portion of probable matches can be confirmed through freely available court records. All of that data is fairly trivial to collect in bulk (I used to collect databases, was a pretty fun hobby actually), is perfectly legal and will provide a much better profile of matches than just name/dob/addr combinations stolen from a website or data stream.

    Being that anal about your name, birth date and address is actually quite silly. There's so much low hanging fruit as far as collecting that type of data is concerned (and you're probably already included in it) that all you really did by not continuing with that form was taking yourself out of the running for a Wii.

    The best thing you can really do is just keep close tabs on your credit report and get signed up for all the fraud alerts or freezes they offer. That's the best place to prevent and quickly repair most identity theft. Stop being so anal about info that's almost guaranteed to be out there already, set up your defenses where they're most effective and go get your Wii.

  11. Stopped using SSL by Ash-Fox · · Score: 4, Informative

    I stopped providing security on my websites when browsers made it too difficult for the average user (that I deal with) to continue using the site with a self signed certificate.

    Sure, it won't help against a man in the middle attack. But that is truly the only attack that using self signed certificates is vulnerable to. Unlike completely unencrypted content.

    If godaddy, verisign etc. didn't charge insane prices like £107 per year for a wildcard certificate for one domain, I would actually buy the certificates needed. I already find 10USD too much for a wildcard certificate for the numerous domains I operate, so it would have to be quite a significant drop. It's not like they do any verification with the £107 certificates, they just want a credit card number.

    --
    Change is certain; progress is not obligatory.
  12. Sallie Mae e-mailed me my SSN number regularly by knifeyspooney · · Score: 4, Interesting

    They stopped this practice recently, but for over a year, my student loan company required me to sign up for monthly paperless statements if I wanted to pay electronically. The statements were e-mailed in the form of a PDF attachment. The e-mail body assured me my privacy was intact because the file was password protected -- by my Social Security number!

    Brilliant! If an interloper intercepted my e-mail, not only could he brute force my password with easy to find, easy to use tools (in a matter of minutes, since he knows the number of characters in it), but he'd know my SSN once he cracked it. I would have been better off with no password protection.

    When I e-mailed Sallie Mae with the above information, the representative brushed it off. It was safe, he said, as long as I opened it on a non-public computer, because my SSN was not being sent over the Internet when I typed it in.

    (The Consumerist didn't find it interesting, either.)

  13. slashdot by blitzkrieg3 · · Score: 5, Interesting

    What about slashdot? Strangely there is no https://slashdot.org/login.pl, even though there is a https://slashdot.org/my/logout. You can logout with SSL, you just can't log in with it.