Slashdot Mirror


Ask Slashdot: Dealing With Companies With Poor SSL Practices?

An anonymous reader writes: Despite recent highly-publicized hacking incidents making the news, companies continue to practice poor cyber-security. I signed up to buy something from [an online vendor] and, upon completing signup through HTTPS, was sent my username and password in plain text through e-mail. This company has done everything in its power to avoid being contacted about its poor technical practices, including using GoDaddy's Domains By Proxy so that not even the WHOIS technical contact for their webmaster can be found. Given such egregious behavior, what do you do when you're left vulnerable by companies flagrantly violating good security practice?

8 of 141 comments

  1. not your problem... by Anonymous Coward · Score: 3, Insightful

    Use an online review tool. Like say google. Then put your grievance there. They do not want to know, well just put your sticker up then move on and do not deal with them anymore. It is not your problem to fix.

    Yes, there are *many* things on the internet that are broken. Yes, you will find people who go "oops, my bad" and fix it. You will also find many who *do not care*. They never will. You can't fix stupid.

  2. Don't Do Business With Them by TechyImmigrant · Score: 5, Insightful

    EOM

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.

  3. Shop elsewhere... by Frosty+Piss · Score: 5, Insightful

    There really isn't much you can do about companies like this, except shop elsewhere. Sooner or later, they will have a breach, and the "security researchers" will have your credit card data.

    --
    If you want news from today, you have to come back tomorrow.

  4. Please shame whomever it is by stonefoz · Score: 3, Insightful

    Please don't hide who it is that I might accidentally do business with. Nothing is going to change just by sending them an email; they may even go after you for doing so. However, you may stop others from being suckered when their poor security becomes everyone else's problem. It's not their problem, it's going to be everyone else's.

    First assumption is that there isn't somewhere that'll get broken. Everywhere probably will get successfully attacked at some point. Use a password manager. At least this way, when somewhere is broken, I'm sure that it's the only place where that password is used.

    --
    I think I just cashed out all my cool points.

  5. This is not a SSL matter by lucm · Score: 4, Insightful

    Your issue is apparently with them sending your password by email. This has nothing to do with SSL. Having a password stored in an inbox is bad for security reasons that have for the most part little to do with secure transport.

    Can you reset it? If so, is it done on an HTTPS form? That's not ideal, but it's not immensely worse than those millions of websites that will send a "reset password link" by email.

    I'm not saying their approach is fantastic, but I don't see reasons to get your panties in a bunch. If you are concerned with their email approach (which is not the same as "poor SSL practices") reply to that email (redacting your password), and if you're not happy with their answer or lack thereof, don't buy from them anymore. You don't need to Ask Slashdot for that.

    --
    lucm, indeed.

  6. Don't shop there by jtara · Score: 3, Insightful

    Pretty simple: don't shop there.

    You ignored multiple red flags, yet you are surprised when they email you your password? (Which, of course, as others have pointed out, has nothing to do with SSL.)

    Any one of these loses any company my business:

    - Expired, non-matching, self-signed, localhost, example.com, etc. etc. SSL certificate
    - Domain proxy registration (companies should not have "privacy")
    - Hide contact information
    - Mailed me my password
    - Doesn't offer payment choices, only one payment type

  7. Re:Plain text e-mail... by cheesybagel · Score: 3, Insightful

    IM networks are not safe either. Most of them use communications that are funneled in some way through some server or store client side message logs by default. A lot of them are not even encrypted at all.

  8. 3 Quick Fixes by BarbaraHudson · Score: 4, Insightful

    1. Name and shame them. Don't pussyfoot around. Worst-case scenario, you'll get their contact info when they act all butt-hurt and make empty threats to sue (for what, exactly? Negative online reviews are protected speech). Not just on "review sites", which often are "we will remove the negative review if you buy our services" scams (cf: Yelp), but sites that YOU use. People only go to these sites after the fact. They're worthless.

    2. Change your password and see if they send you back the updated info in plaintext. If they do, it's not just ONE bug.

    3. Shop elsewhere. Use sites recommended by people you know who have actually used them and had good experiences, not some $RANDOM_SITE_WITH_LOWEST_PRICE that may be some kid in a basement and his mom who don't have a clue. If they're the lowest price, it may be because they're skimping on things like security and not because they have bulk buying power.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
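lucm's point about reset links (comment 5) and BarbaraHudson's second fix, changing the password to see whether it comes back in plaintext (comment 8), as an added Python example that is not code from the thread or from the vendor: a signup flow that never stores or mails the password and mails only a short-lived, single-use reset token, placed beside the pattern the submitter describes. The site URL, the in-memory stores and the outbox are constructed stand-ins for the demo; `mail_leaks_credential` is the check from comment 8, run against the outgoing mail body.

```python
import hashlib
import hmac
import os
import secrets
import time

USERS = {}          # username -> record; constructed in-memory stand-in for a user table
RESET_TOKENS = {}   # token -> (username, expiry); constructed stand-in, same caveat
OUTBOX = []         # constructed stand-in for an SMTP client: list of (to, body)

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; only this digest is ever stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def signup_insecure(username: str, password: str, email: str) -> None:
    # The pattern from the submission: password kept usable and mailed back verbatim.
    USERS[username] = {"plaintext": password}
    OUTBOX.append((email, f"Welcome {username}! Your password is {password}"))

def signup(username: str, password: str, email: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}
    OUTBOX.append((email, f"Welcome {username}! Log in over HTTPS to get started."))

def verify_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None or "hash" not in rec:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

def request_reset(username: str, email: str, ttl_seconds: int = 900) -> str:
    # What gets mailed is a random, short-lived, single-use token, never the password.
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + ttl_seconds)
    OUTBOX.append((email, f"Reset link: https://shop.example/reset?token={token}"))
    return token

def complete_reset(token: str, new_password: str) -> bool:
    entry = RESET_TOKENS.pop(token, None)   # pop makes the token single-use
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    return True

def mail_leaks_credential(body: str, password: str) -> bool:
    return password in body
```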