Ask Slashdot: Dealing With Companies With Poor SSL Practices?
An anonymous reader writes: Despite recent highly publicized hacking incidents making the news, companies continue to practice poor cyber-security. I signed up to buy something from [an online vendor] and, upon completing signup through HTTPS, was sent my username and password in plain text through e-mail. This company has done everything in its power to avoid being contacted about its poor technical practices, including using GoDaddy's Domains By Proxy so that not even the WHOIS technical contact for their webmaster can be found. Given such egregious behavior, what do you do when you're left vulnerable by companies flagrantly violating good security practice?
Your purpose in life is to service the corporation. Buy our shit. Keep your mouth shut.
Your comments are insubordinate, vassal.
Use an online review tool, like, say, Google, and put your grievance there. If they do not want to know, well, just put your sticker up, then move on and do not deal with them anymore. It is not your problem to fix.
Yes, there are *many* things on the internet that are broken. Yes, you will find people who go 'oops, my bad' and fix it. You will also find many who *do not care*. They never will. You can't fix stupid.
There really isn't much you can do about companies like this, except shop elsewhere. Sooner or later, they will have a breach, and the "security researchers" will have your credit card data.
...and then vote with your feet; shop elsewhere!
Everyone has a role to play in security. If you do business with these people after having these issues, you are culpable as well. Move on and do business with someone else. It's that simple, really.
Please don't hide who it is that I might accidentally do business with. Nothing is going to change just by sending them an email; they may even go after you for doing so. However, you may stop others from being suckered when their poor security becomes everyone else's problem. It's not their problem; it's going to be everyone else's.
First assumption: there isn't anywhere that won't get broken. Everywhere will probably get successfully attacked at some point. Use a password manager. At least this way, when somewhere is broken, I'm sure that it's the only place where that password is used.
Don't support that company by buying products from them. Sure, sometimes it's easier said than done, especially with specialty items, and it's not guaranteed to even get noticed by the company. At the end of the day, though, you're not supporting them and they're not risking your information, because they don't have it.
Then contact them using their DomainsByProxy contact info. Yes, companies, lots of companies, use that, in order to have a level of privacy. That's OK - it still gets to them, you just don't have the contact details yourself. Contact them via email and they can see it just as much as if you had their direct email address. Either they care or they don't.
This has nothing to do with "poor SSL practices".
This isn't rocket surgery.
You are using unique passwords for all of your sites, right? Because that is good security practice. Also, if you think someone is reading your email, you might want to stop using email, because your provider must be insecure. Just about every site on the internet will let you reset your password (by giving you a key/link/password, which are all the same thing) via email; the security of your email is the weak link in the chain.
Since when is using private registration something to bring out the pitchforks for? You are the same guy that would be arguing for that privacy if you worked for the company, which you don't. Go outside.
Your issue is apparently with them sending your password by email. This has nothing to do with SSL. Having a password stored in an inbox is bad for security reasons that have for the most part little to do with secure transport.
Can you reset it? If so, is it done on an HTTPS form? That's not ideal, but it's not immensely worse than those millions of websites that will send a "reset password link" by email.
I'm not saying their approach is fantastic, but I don't see reasons to get your panties in a bunch. If you are concerned with their email approach (which is not the same as "poor SSL practices") reply to that email (redacting your password), and if you're not happy with their answer or lack thereof, don't buy from them anymore. You don't need to Ask Slashdot for that.
lucm, indeed.
Pretty simple: don't shop there.
You ignored multiple red flags, yet you are surprised when they email you your password? (Which, of course, as others have pointed-out, has nothing to do with SSL.)
Any one of these loses any company my business:
- Expired, non-matching, self-signed, localhost, example.com, etc. etc. SSL certificate
- Domain proxy registration (companies should not have "privacy")
- Hide contact information
- mailed me my password
- doesn't offer payment choices, only one payment type
If their security is so bad, you should be able to hack into their network.
Once you've done so, post the story of the hacking on the internet.
Nothing like public embarrassment to make them clean up their security practices.
Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
These sites grade banks for online security
http://blog.codacy.com/2014/04...
https://deekayen.net/bank-ssl-...
Hire an anonymous /. article submitter to address PCI-DSS issues
1. Name and shame them. Don't pussyfoot around. Worst-case scenario, you'll get their contact info when they act all butt-hurt and make empty threats to sue (for what, exactly? Negative online reviews are protected speech). Not just on "review sites", which often are "we will remove the negative review if you buy our services" scams (cf: Yelp), but sites that YOU use. People only go to these sites after the fact. They're worthless.
2. Change your password and see if they send you back the updated info in plaintext. If they do, it's not just ONE bug.
3. Shop elsewhere. Use sites recommended by people you know who have actually used them and had good experiences, not some $RANDOM_SITE_WITH_LOWEST_PRICE that may be some kid in a basement and his mom who don't have a clue. If they're the lowest price, it may be because they're skimping on things like security and not because they have bulk buying power.
Name the fuckers already. It's not like they're your employer and can fire you for it.
And unless you name them, you're an employee to which I respond: You poor bastard. Or you're a worthless asshole just trolling /.
This one's easy: don't.
If they're not taking security seriously, that's a bad sign and you should reconsider giving them your personal information. If they're actively trying to hide their own contact information, that's a huge red flag and you'd be crazy to do business with them.
There's no need to overthink this. This is the internet equivalent of the shady guy selling Armani suits out of a stolen car (actually happened near me, recently). Just avoid shady businesses.
Honestly it sounds like you just registered for a porn website
Don't redact their name. Name and shame. Then don't deal with them any more.
Is this even a legit company? I just find that a lot of sites which use Domains by Proxy tend to be scammy sites. The other thing is to look at their About Us page and contacts page. If they don't give an actual address or phone number, and the only way to contact them is a web form, odds are it's a scammy site.
Works for most of the posters here.
The sad part is they call a lot of the defacing "hacks" when the company has a digital equivalent of leaving customer data on their front porch with a neon sign saying "Free Credit Card w/SSN Here!"
The "security" we're calling for would be more accurately described as, "stop putting accountants in charge of IT security."
Change the mindset from Risk Management and cost control.
I wonder what the OP was buying that can't be found on amazon.com though?
Geez, is this that hard to figure out?
Name and shame. Then they'll fix it.
What are the actual risks? Just how likely is it that someone will breach your email, and what would the consequences be? What would you suggest as an alternative means of delivering both passwords and password changes?
Consider that if the lost password procedure involves email, then there is no security benefit to keeping passwords out of email (the key to getting a valid password is just as harmful as the actual password if it leaks).
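The comment above treats an emailed reset link as equivalent to an emailed password. The two can be made different in practice: a reset token can be random, stored server-side only as a hash, short-lived and single-use, none of which is true of the password itself. The following is an added example written for this write-up, not code from the thread or from the vendor in question; the class name, the 15-minute TTL and the sample usernames are assumptions for the demo.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short validity window for an emailed reset link


def _digest(token: str) -> str:
    # The database keeps only this digest; the raw token exists solely in the
    # emailed link, so a leaked table cannot be replayed as working links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Server-side bookkeeping for password-reset tokens (hypothetical class).

    Properties shown: the token is unguessable (256 random bits), stored only
    as a hash, expires, and is consumed on first use. `clock` is injectable so
    expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}  # digest -> (username, expires_at)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token  # goes into the emailed link; never log it or store it in clear

    def redeem(self, token: str):
        """Return the username the token was issued for, or None.

        pop() makes the token single-use; a stale token is rejected even if it
        was never used. Lookup is by digest, so timing reveals nothing useful
        about the stored values.
        """
        record = self._records.pop(_digest(token), None)
        if record is None:
            return None
        username, expires_at = record
        if self._clock() > expires_at:
            return None
        return username

    def outstanding(self) -> int:
        return len(self._records)


def demo():
    """Walk through issue, redeem, replay and expiry with a fake clock."""
    now = [1_700_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])

    t1 = store.issue("alice")
    first = store.redeem(t1)   # the link works once
    replay = store.redeem(t1)  # second use of the same link is refused

    t2 = store.issue("bob")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(t2)  # link that sat in the inbox too long is refused

    forged = store.redeem(secrets.token_urlsafe(32))  # token never issued
    return first, replay, expired, forged
```

An intercepted reset link is still dangerous inside its window, but the exposure ends when the token is used or expires, whereas a mailed password stays valid until the user changes it.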
If they are not secure to your liking, why are you doing business with them? Why are you wanting to contact them? Buy it somewhere else. Why are you even asking this question?
Who accepted this article into the main page? Receiving a plain text password via email has exactly zero to do with SSL.
Second, it's still possible to get in touch with someone if they use a private domains by proxy service. Some people wanting to hide their personal home address is reasonable IMHO.
Third, whatever happened to: If you don't like the way a company does business, don't do business with them?
I eventually started sending them a link to this write-up about "Companies Mailing Passwords".
You described something having to do with poor password practices. SSL has 0 to do with the subject at hand.
Spider Robinson said "Pain shared is diminished; joy shared, increased."
So, share your pain and we will help to diminish it. In several ways. We'll commiserate; we'll not shop there; and we might go further.
Those admins are.
FWIW, I've read (too lazy to look up citation) that closing one CC account and opening another can hurt your credit score. Ask your issuer to assign your account a new number.
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html#spRedirectedFrom=www&referrrer=https://news.ycombinator.com/
slightly off-topic ...
Or you can use virtual credit card numbers when shopping at places you don't already know.
For example, my wife wanted something for her birthday that was only able to find at a web site named something like hippycrap.com.
Um, no, I'm not giving them my real credit card number. I also use those for anything that might hint at auto-renewal.
Also, places that want to me register that I don't use often, or really care about, I generate a long random password and write it in a notebook I keep in my desk at home. It's true, there is a risk. Someone may steal my notebook and mis-represent me on http://www.mkivsupra.net/.
If it involves the bank and our money, I don't write that down, though. I take advantage of having a wife with a near photographic memory for anything I say out loud
I use two types of password: one set of "good" passwords that are easily memorable, and a set of throwaway passwords.
Never use a "good" password on signup that is like your normal passwords. Use a throwaway one. After signup, log out, then use the 'Lost Password' feature of the site. If either the signup or lost password sends your password back to you in an email, then it's highly likely the password database is not encrypted/hashed. Don't give it one of your "good" passwords; keep using throwaway passwords with it.
There really isn't much else you can do: publicise the bad companies so that those who do care can avoid them. Only if they start losing business will any company even consider doing anything about it.
It drives me bananas when people write posts like this, and I see it online all the time. Unless you care more about some corporation than your fellow consumer, NAME NAMES! There is essentially ZERO reason for a company to change practices other than bad PR, and you can't create that without naming them.
When I have a problem dealing with a U.S. company over the Internet, I go to http://finance.yahoo.com/looku.... This site will tell me the names of the top executives and the corporate postal address of a company whose stock is publicly traded, even on the most obscure exchanges. If the company's stock is not publicly traded, I then resort to Google. Sooner or later -- yes, with some effort -- I find out who is in charge and where to mail a letter.
I compose a non-threatening, literate letter to the CEO or president of the company. I explain in layman's terms what is wrong and why I won't do business with them until the problem is fixed. While the executive likely does not even see my letter, someone in his or her office will see it -- someone who has authority to correct the situation. Occasionally, the situation is indeed fixed.
After sending the letter via the U.S. Postal Service, I wait about a week. Then, I create a Web page re-creating my letter. Yes, I name names. The situation might not be fixed, but the problem and the company are now public. I carry a significant level of liability insurance.
I was a high-level consultant recently for a mid-sized startup with many thousands of users (including some celebrity types) and a platform that spanned web, mobile web, web service APIs, CDNs, and mobile apps.
I interfaced directly with the CEO, who was quite tech savvy. But every time we would get JSON, AJAX, or cross domain type problems, as I would be directing troubleshooting to fix things, he would go into the code and turn off SSL to fix them, and then say to me to get back to other work. I kept explaining to him that this was not the solution, that we needed to solve the actual issue(s) so we could run in SSL mode. He would say, "We can't risk having problems because of SSL. The site has to work."
I tried patiently explaining how the greatest risks were if we collected users' passwords without SSL and someone snooped and hacked or exposed our users, some of whom were quite prominent figures.
***He was convinced that you just couldn't run a platform such as ours with SSL and have it work.***
Finally, I drafted a short letter outlining the risks and potential financial and civil liabilities to the company of negligently not running SSL, and I asked him to sign and acknowledge that I had advised him of these things but that he was forbidding me to enable SSL. I politely explained that I was concerned about my professional reputation and liability as the company's technology advisor.
This made him cave, I devoted a short bit of time to fixing the underlying issues, and SSL worked perfectly from then on. He never had the guts to acknowledge that he had been wrong that SSL couldn't work.
Where the fuck do people keep getting this idea from?
If a company emails you your password just after you've set (or reset) it, it doesn't automatically mean they're storing it in plaintext. All it means is they're emailing you a plaintext copy of your password, which was probably read from memory, given that you just entered the thing.
If they're stupid enough to do that, then yes, there's a possibility they're also storing it in plaintext or using unsalted hashes.
I'd be pretty pissed if I found out a company was using encryption for my authentication tokens though - it needs to be a one-way hash or it might as well be plaintext given that the decryption key is on your server somewhere.
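To make the distinction in the comment above concrete (one-way salted hash versus reversible encryption or an unsalted hash), here is an added example, not code from the thread or from any vendor discussed in it. It uses only the Python standard library; the iteration count, the record format and the user/password lists are assumptions constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor (assumed value; raise it as hardware gets faster).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt=None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot identify both of them.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters; compare in constant time.

    Nothing here recovers the password: the only way to check a guess is to
    redo the work, which is exactly the property a leaked table should have.
    """
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme the comment warns about: fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo():
    """Show an unsalted table falling to a lookup while salted PBKDF2 records do not.

    The user list and the 'common passwords' table are constructed for the demo.
    """
    users = {"alice": "letmein", "bob": "letmein", "carol": "9xQ!r2vLp#"}
    table = {unsalted_sha256(p): p for p in ["password", "123456", "letmein", "qwerty"]}

    # Leaked unsalted column: every user whose password is in the table is
    # identified with a dictionary lookup, and alice and bob are visibly the same.
    unsalted = {u: unsalted_sha256(p) for u, p in users.items()}
    cracked = {u: table[h] for u, h in unsalted.items() if h in table}

    # Leaked salted column: same passwords, different records, and each guess
    # costs ITERATIONS rounds of PBKDF2 per user rather than one lookup.
    salted = {u: hash_password(p) for u, p in users.items()}
    same_record = salted["alice"] == salted["bob"]
    return cracked, salted, same_record
```

PBKDF2 is used here because it ships with the standard library; a memory-hard function such as scrypt or Argon2 is the better choice where available, with the same record layout.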
That also reduces the ability of the company to coordinate your purchasing information (though your name and address are probably relatively unique, unless you also use single-use versions of those, like random apartment numbers for your house.)
Somebody else also recommended using PayPal for sites that you don't want to trust on a regular basis. Any place that you don't trust, or that you think might be lax about security, or that you're not planning to use repeatedly can get by with that.
Ideally, publish user data for their board of directors. But the *only* thing that helps most of these issues is publishing it to both the victims and the press.
Exposing IT malfeasance can be _very_ dangerous, especially if you have a professional relationship with the company whose behavior you wish to expose. It leaves you vulnerable not only to termination, but to vindictive lawsuits, "SLAPP" or "Strategic Lawsuits Against Public Participation", blacklisting, and even criminal activity. There have been some very famous cases of this, especially by governments for politically sensitive issues. The currently infamous case is Edward Snowden, but I've certainly seen it in the professional IT world. I've even had a manager try to call me and poison recommendations made by other staff in his office for a former employee. It was a fascinating case, since we did other business with that company.
Never ever share personal and financial information on such websites! It's for your own good!
Set up a website called
Boycott or see http://www.boycottsony.us/
Google 'Vodafail' to see how one person's creativity worked a treat.
Clearly state your grievances and collect evidence of others. State the particulars clearly.
Clearly some firms spend more on PR and marketing, than product or security. The truth surfacing is pretty bad, but a timeless reminder, priceless.
and let them know the reason. Nothing gets companies moving faster than lost money.
Since 2002, the STARTTLS extension to SMTP, RFC 3207, has been a standard. In this particular case, the vendor's domain appears to be hosted on Google Sites, so if the OP has a gmail account the message won't even leave Google's network until he picks up the message via HTTPS or SSL-secured IMAP.
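Whether a given hop actually offers STARTTLS is something you can check rather than assume: the EHLO reply lists it as an extension keyword. The following is an added example for this thread, not code from the original post; it parses the RFC 5321 multi-line 250 reply and also shows the live check with the standard library's smtplib. The two EHLO replies are constructed for the demo, not captured from any real server, and the hostnames in them are placeholders.

```python
import smtplib

# Constructed EHLO replies for the demo (not captured from a real server).
EHLO_WITH_STARTTLS = (
    b"250-mx.example.net Hello client.example.com\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-8BITMIME\r\n"
    b"250-STARTTLS\r\n"
    b"250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    b"250-mail.example.org\r\n"
    b"250-SIZE 10240000\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(reply: bytes) -> set:
    """Return the extension keywords advertised in a 250 reply to EHLO.

    Per RFC 5321 section 4.1.1.1, continuation lines start "250-" and the final
    line "250 "; the first line carries the server's domain, not an extension.
    Anything that is not a 250 reply is rejected rather than silently treated
    as "no extensions", so a refused EHLO is not confused with a plaintext-only server.
    """
    extensions = set()
    lines = reply.decode("ascii", errors="replace").splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    for index, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % line)
        if index > 0:
            words = line[4:].split()
            if words:
                extensions.add(words[0].upper())  # keyword, parameters ignored
        if line[3] == " ":
            break  # final line of the reply
    return extensions


def offers_starttls(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def check_live(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Network version: connect to an MX and ask it directly (not exercised here).

    smtplib parses the EHLO reply itself; has_extn() answers the same question
    the parser above does for a captured reply.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")
```

The caveat a practitioner would add: STARTTLS is opportunistic, so an on-path attacker who strips the "250-STARTTLS" line from the reply gets a plaintext session, and every relay on the path makes its own decision. A receiving domain that wants the encryption enforced publishes an MTA-STS policy (RFC 8461) or DANE records; absent those, a clean EHLO check only tells you what the first hop is willing to do.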
Why are you trusting this company with your password? If you're worrying about them seeing your password I'm guessing you are using one password for everything which is a worse security issue than their not storing it encrypted. Make a password you don't care about because who knows if a site is storing your stuff encrypted or not.
welcome our "open-access" loving vendors. If I have sensitive information I want to remain secure, I make sure it's stored on Sony's servers
Not even sure why I'm wasting time posting this.
Next time before you post stupidity, actually do a risk assessment. Too much 'security research' is concentrated on a single action, and people are having a REALLY hard time seeing the big picture (or the 'forest through the trees').
The reason they're not responding to you is because you're not worth their time. They have products to ship, and actual customer service to provide. They will have zero problem dropping a pain in the ass customer with minor complaints that they want to publicize for their own personal gain.
nypost.com is concealing their webmaster and will not forward emails to their webmaster. I have tried every contact on a WHOIS lookup with no result. Funny, Dailynews.com publishes their webmaster and I even got a nice response. Can anybody help?
One of my biggest security peeves is the question at ATMs that wants to email me a receipt of my transaction! I would love it if my bank communicated with me that way, but not without me giving them a public encryption key first. Getting my balance and info sent to me by email sounds like the stupidest thing in the world... I'm really surprised no banking security experts have mentioned anything (I'm looking at you BofA)