Slashdot Mirror

← Back to Stories (view on slashdot.org)

Websites Still Failing Basic Privacy Practices

Posted by kdawson on from the after-all-these-years dept.

DigitAl56K writes "Large companies still can't seem to get the basics of privacy and security on the Web pulled together. Today I went to enter a competition from Duracell to win a Nintendo Wii by filling out an online form. It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST. The ultimate irony is the message at the bottom of the page that reads: 'Trust is a cornerstone of our corporate mission, and the success of our business depends on it. P&G is committed to maintaining your trust by protecting personal information we collect.' Which websites have you found to be lacking in their basic privacy practices?"

9 of 205 comments (clear)

  1. It's a good thing by XanC · · Score: 5, Insightful

    That Firefox saves the nasty warnings for Web sites that are encrypted!

    1. Re:It's a good thing by stfvon007 · · Score: 5, Informative

      Well i went to the site and changed http to https, and it brought up the page on an encrypted connection. looks like they aren't forcing you to submit it in the open after all.

      --
      All misspellings and grammatical errors in the above post are intentional and part of my artistic expression.
  2. but realistically by Anonymous Coward · · Score: 5, Insightful

    HTTP is sent unencrypted, but it's not that easy for a random person who wants to steal your address to be on the correct subnet at exactly the right time to sniff it. Also, address and date of birth aren't usually considered confidential, even if you might not want to publish them.

    This isn't a lot different than many of those post-card questionnaires many people fill out and mail in.

    I think in this case, it's more important what they do with the information once they receive it.

    That said, I think there should be default encryption wherever possible automatically.

    1. Re:but realistically by Anonymous Coward · · Score: 5, Interesting

      I run a copy of Wireshark whenever I'm at a coffee shop, airport lounge, or anywhere else there is a wireless hotspot. You would be amazed at the volume of info that gets sent in the clear - passwords, personal info, you name it. My favorite are people who log onto their webmail using HTTP:// not HTTPS://..... Simple rule I use and push is - if you are on a public (or untrusted) network, use a VPN or SSH tunnel.

    2. Re:but realistically by jd · · Score: 5, Interesting

      Information is context-sensitive. The VERY first thing you learn when using encryption systems is that it's much easier to crack something where you know what the plaintext should look like. The second thing you learn is that the information around the encrypted data is often far more valuable intelligence-wise than the encrypted stuff. That's why those of you who have ever been instructed on the use of STU-III phones were told NOT to chat before inserting the encryption card. (You WERE paying attention to those talks, right? Right???)

      Next, there's this thing called the European Union. They're getting, oh, just a little sensitive about personal information these days. You know, what with German banks freely selling personal data (such as bank account details) to anyone who calls up, despite some of the toughest data protection laws in the world. Americans may view them as unimportant nobodies, but they are at least grasping the idea that ANY unnecessary exposure of personally-identifying information is a very high risk to the individual (identity theft) and a fairly substantial risk to the economy as a whole (such theft costs - and it costs a whole lot more than any "terrorist" threat ever did).

      Name and address "high risk information"? If it can be used in a social engineering attack on a bank, credit card company or Government department (and usually such people do not make much effort to validate who a person is), then it is high risk. It doesn't matter if such information has always been viewed as public, as long as human operators (and computer programs) are satisfied that such information proves identity, it is not safe to expose.

      Oh, and as for the fact that this information is actually used as a substitute for secure passwords, The Cheshire Catalyst was responsible for publishing a rather pointed song on the subject by breaking into the PRESTEL account of a BBC presenter whilst he was demonstrating the service live on BBC television. The lyrics should be required reading material for anyone who uses any kind of online service, and failure to heed its warnings should be considered no different from reckless driving or setting off fireworks inside a furniture store.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. Taxcut http by Anonymous Coward · · Score: 5, Interesting

    A few years ago I was buying a state tax program and realized that their form that asked for all my private data was an http page! I was shocked. Then I added "s" after http and it happily connected me over SSL. How many people who buy Taxcut will check the protocol and change it?

  4. Re:Nobody considers that import by tokenturtle · · Score: 5, Insightful

    Exactly. The junk mail that's in my mailbox every day has more detailed information on the outside of the envelope. This is really a non-issue.

  5. Name, Address and Dob are a joke by jbsooter · · Score: 5, Interesting

    "It requires entering your full name, address, and date of birth, and then proceeds to submit it via an unencrypted HTTP POST"

    If I wanted a list of names, birth dates and addresses to use for nefarious purposes I don't need to steal yours from some dinky website or sniff packets. I'd just take one of the plentiful lists of birth records on the internet like this one then cross reference it with property tax records of the area which are more plentiful than the birth records and it'll give probable name, dob, and address combinations. A good portion of probable matches can be confirmed through freely available court records. All of that data is fairly trivial to collect in bulk (i used to collect databases, was a pretty fun hobby actually), is perfectly legal and will provide a much better profile of matches than just name/dob/addr combinations stolen from a website or data stream.

    Being that anal about your name, birth date and address is actually quite silly. Theres so much low hanging fruit as far as collecting that type of data is concerned (and you're probably already included in it) that all you really did by not continuing with that form was taking yourself out of the running for a Wii.

    The best thing you can really do is just keep close tabs on your credit report and get signed up for all the fraud alerts or freezes they offer. Thats the best place to prevent and quickly repair most identity theft. Stop being so anal about info thats almost guaranteed to be out there already, set up your defenses where they're most effective and go get your Wii.

  6. slashdot by blitzkrieg3 · · Score: 5, Interesting

    What about slashdot? Strangely there is no https://slashdot.org/login.pl, even though here is a https://slashdot.org/my/logout. You can logout with SSL, you just can't log in with it.