Ask Slashdot: Dealing With Companies With Poor SSL Practices?

what? by Anonymous Coward · 2014-12-28 06:29 · Score: 1

Your purpose in life is to service the corporation. Buy our shit. Keep your mouth shut.

Your comments are insubordinate, vassal.

Re: what? by jd2112 · 2014-12-28 07:10 · Score: 1

Is that you Sony?

--
Any insufficiently advanced magic is indistinguishable from technology.

not your problem... by Anonymous Coward · 2014-12-28 06:31 · Score: 3, Insightful

Use an online review tool. Like say google. Then put your grievance there. They do not want to know, well just put your sticker up then move on and do not deal with them anymore. It is not your problem to fix.

Yes there are *many* things on the internet that are broken. Yes you will find people who go 'oppps my bad' and fix it. You will also find many who *do not care*. They never will. You cant fix stupid.

Re:not your problem... by ShanghaiBill · 2014-12-28 10:33 · Score: 1

Use an online review tool. Like say google. Then put your grievance there.
Also, name names. Why is the offender listed in the summary as "an online vendor" rather than just naming them. Why do they deserve anonymity?
Re:not your problem... by twitnutttt · 2014-12-28 14:49 · Score: 2

I am reminded of many years ago, Sprint (my cell carrier) emailed me my new password when I changed it online.
I called them to ask them to review this practice and not email me my new password. The helpful rep explained to me, "Don't worry. We only send it to your email, and your email is secure."
I responded, "Um, no. It's my email, and I'm telling you it's not secure. There is no reason for you to email me my password."
They just kept repeating, "Don't worry. Your email is secure."
I called again and got similar results. I was horrified that this company which maintains my social security number had such idiotic security awareness.
I suppose by now someone has probably fixed this practice; it was many years ago.
Re: not your problem... by AvitarX · 2014-12-29 05:21 · Score: 1

I'm more disturbed that they know my password than that they send it over email.
Doesn't the fact that they can even send my password mean it's saved in plain text within their database? This is how the massive breaches happen.

--
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Re: not your problem... by twitnutttt · 2014-12-29 07:17 · Score: 1

True! Might be stored encrypted (not plaintext), but in any case, it should be stored in a salted and irreversibly hashed form.
Re: not your problem... by david_thornley · 2014-12-29 10:43 · Score: 1

What really gets me is when a site can send me my current password. Sending a new password over email is a much more limited security issue, one I can accept for certain classes of websites.

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re: not your problem... by AvitarX · 2014-12-30 10:10 · Score: 1

Especially when they immediately make you change it.

--
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Re: not your problem... by Trane+Francks · 2014-12-30 16:43 · Score: 1

Especially when they immediately make you change it.
That should be after clicking on/entering a link in the browser that takes you to a password reset prompt. There is no excuse to send a password over e-mail, encrypted or otherwise.

--
...a FreeDOS contributor: http://www.freedos.org/

Don't Do Business With Them by TechyImmigrant · 2014-12-28 06:32 · Score: 5, Insightful

EOM

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.

Re:Don't Do Business With Them by kjhambrick · 2014-12-28 07:27 · Score: 1

Yes. That.
And, why the PHq is this even on the front page ?
-- kjh
Re:Don't Do Business With Them by Charliemopps · 2014-12-28 09:06 · Score: 1

EOM
...ironically you post this on Slashdot...
Re:Don't Do Business With Them by Bite+The+Pillow · 2014-12-28 14:10 · Score: 1

And solve nothing. Given the amount of identity theft in the news, combined with companies offering credit monitoring automatically, the potential for harm is basically self-evident today.
If the account allows access to personal information, including financial information, then you have a clear lawsuit and, with the right lawyer, are likely to win.
If the site account allows control of the financial account, such as a saved credit card being able to order products, then you can demonstrate the potential for abuse. If the site allows you to change your password, then your awareness of that ability at the time you received the e-mail may impact your case. If you can't control the destination of the product, you lose points and have no case.
If you can't order anything, but you can upgrade or downgrade services, this can probably be resolved via contact with the company, and you can show no actual nor potential damage.
First, if you can't show harm, then no one gives a shit about your password.
Second, if you can show harm, then figure out who represents the company and write them. In any contact with the company, ask for the legal representation address. If that doesn't help, file a "John Doe" lawsuit with the information you do have.
In case it's not obvious, you can either do nothing, by choosing to do no business, or fix the problem by filing a lawsuit. That's it. Name and shame affects a very small number of potential customers, even on this kind of issue.
"Don't Do Business With Them" is terrible advice, because it helps exactly 1 person. Perhaps 2 if that person is legally or financially intertwined with someone. But it's not the only option. It depends on the circumstances, and only one type of person can advise you further. International lawyer? No, just stop.
In-country lawyer? That's the answer to how. It's expensive, and you have to take it in the pocket for everyone else. But everyone else doesn't have standing.
Fight it or shut up and quit whining to the internet. That is what Consumerist is for.
Re:Don't Do Business With Them by TechyImmigrant · 2014-12-28 17:34 · Score: 1

>"Don't Do Business With Them" is terrible advice, because it helps exactly 1 person.
If it's me choosing not to do the business, then I'm that one person, which is perfect.

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.

Shop elsewhere... by Frosty+Piss · 2014-12-28 06:34 · Score: 5, Insightful

There really isn't much you can do about companies like this, except shop elsewhere. Sooner or later, they will have a breach, and the "security researchers" will have your credit card data.

--
If you want news from today, you have to come back tomorrow.

Re:Shop elsewhere... by Anonymous Coward · 2014-12-28 06:41 · Score: 3, Informative

This, and ALWAYS generate a random password for each account so that the risk of exposure is limited to the one service.
Re:Shop elsewhere... by TheRaven64 · 2014-12-28 06:45 · Score: 2

Depending on your locale, the purchase might be covered by distance selling regulations. In the UK, you have a few days in which you can cancel the order for any reason. Cancel the order citing their poor security practices as the reason, keep a copy of any correspondence, and forward it to your credit card company if they try to charge you anything.

--
I am TheRaven on Soylent News
Re:Shop elsewhere... by Aighearach · 2014-12-28 07:11 · Score: 1

Actually, that is a lot that you can do.
There is an apparent desire to leave a grievance, but if the company cared what potential customers think, they would include a suggestion box and actively solicit comment. If they went out of their way not to have a contact, it means there is nothing say-able to them; even if you had access.
Choosing where you spend your money is 100% of the choice you have about what business practices to support. Nobody cares what you think, including companies you give your money to. Companies you don't give your money to don't really care about your opinion either.
If they already defrauded you successfully, a BBB report can assist the community, but don't expect the company to feel genuine remorse or to actually change their intent, even if they feel compelled to hire a lawyer and improve their EULA.
Re:Shop elsewhere... by __aaltlg1547 · 2014-12-28 07:17 · Score: 1

Bingo! This is your only real recourse. Also, change your password and if possible lock or delete your account with them.
Re: Shop elsewhere... by chicane · 2014-12-28 07:26 · Score: 1

DIstance Selling regulations in UK have been superceded by Consumer Contract Regulations as of 13th June 2014. it does not provide for a cooling off period for services where the consumer has agreed to provision of those services before completion of a minimum 7 day cooling period except where the provider has failed to provide information in accordance with the regulations.
more info see : http://www.which.co.uk/consume...
Re:Shop elsewhere... by Frosty+Piss · 2014-12-28 08:04 · Score: 1

Actually, that is a lot that you can do.
There may be a lot you could do if your time is not worth much and you like to be ignored... If these people were interested in security, they would not have this drop dead amature code issue. If their management does not care and their web guys do not care, you can bleat at them until we put a man on Mars, they will ignore you or worse, put the lawyers on you.
By the way, nobody pays attention to BBB ratings when shopping on-line (or anywhere else)
Just walk away.

--
If you want news from today, you have to come back tomorrow.
Re:Shop elsewhere... by CanadianMacFan · 2014-12-28 08:21 · Score: 1

If you can tell them why you are going to shop elsewhere. How are people going to change their practices if they don't know why they are losing business? It may not do any good telling them but not informing them definitely won't help their security practices.
Re:Shop elsewhere... by cdrudge · 2014-12-28 08:28 · Score: 1

While that helps prevent your credentials from being used on other sites successfully, that doesn't do much to protect your credit card information. If they are that lax and don't care about your user credentials, what makes you think they don't just store everything plain text in a database just waiting to be compromised?
Re: Shop elsewhere... by Anonymous+Brave+Guy · 2014-12-28 09:41 · Score: 1

There is some truth in that, but a lot depends on the exact circumstances. For example, in some cases, the default position is now that the provider musn't actually provide until the end of the 14 day cancellation window, and if you want to get around that then various explicit acknowledgements are required from the customer about immediate supply and giving up the right to cancel once provision has started. Moreover, if the provider gets any of this stuff wrong, the penalties can be heavily one-sided in favour of the customer. As usual, whether any of this actually matters depends a lot on whether the amount of money or other risks involved are significant enough to take meaningful action. Also, if we're talking about privacy/security/data protection concerns, the consumer protection rules might not be the most relevant part of the law anyway.
(I spent a significant part of this year taking legal advice about these changes, but I'm not a lawyer myself, so you shouldn't trust the above any more than any other random legal commentary you find on the Internet.)

--
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Re:Shop elsewhere... by CastrTroy · 2014-12-28 11:07 · Score: 1

This is why I usually use PayPal with smaller sites. Maybe they aren't the most secure, but it significantly reduces the number of places my credit card information is stored. And I'm pretty sure I'd hear about it if they had a breach, assuming anybody knew. If a smaller site had a breach, even if they found out about it and disclosed the information, I might not hear about it.

--

Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Re:Shop elsewhere... by Aighearach · 2014-12-28 14:12 · Score: 1

By the way, nobody pays attention to BBB ratings when shopping on-line (or anywhere else)
It can influence new business credit, and investment value. It is actually a big deal. It is certainly true that customers rarely check it.
Re: Shop elsewhere... by gnasher719 · 2014-12-28 22:47 · Score: 1

Linked article says you have the right to cancel the order any time from ordering, until seven days after the item arrives.
Re:Shop elsewhere... by david_thornley · 2014-12-29 10:45 · Score: 1

Credit card fraud really doesn't hurt you much, provided you keep an eye on your statements. If you see a fraudulent charge, dispute it and ask for a replacement card.

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re:Shop elsewhere... by david_thornley · 2014-12-29 10:47 · Score: 1

There's a widespread belief that a good BBB rating means that the company pays enough money to the BBB. It's really not an independent ranking.

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re:Shop elsewhere... by Aighearach · 2014-12-29 22:43 · Score: 1

A belief existing is not a convincing argument that it is correct, or even that it is widespread. Doesn't the tinfoil chafe?
Re:Shop elsewhere... by david_thornley · 2014-12-30 04:27 · Score: 1

You don't want tinfoil; there was an MIT study that found it concentrated certain wavelengths.
Contrast the BBB with Consumer Reports. Lots of people check the one that's independent of businesses, and few people check the one that's funded by businesses.

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re:Shop elsewhere... by Aighearach · 2014-12-30 10:29 · Score: 1

Contrast the BBB with Consumer Reports. Lots of people check the one that's independent of businesses, and few people check the one that's funded by businesses.
I don't think anybody disputes that consumers check Consumer Reports and not the BBB. But a banker doesn't consult Consumer Reports at all when deciding on a business loan; they do check BBB. Also, a poor BBB rating increases the likelihood of fines if you're found to be out of compliance with some other (unrelated) regulation. As a business owner there are lots of reasons to care about the BBB rating, and numerous situations where a bad BBB rating that contains real complaints will screw you. If you are one of the people whose line of work causes you to sometimes read these things, you'll find that most businesses are willing to put significant effort into clearing complaints that can be cleared, and at least disputing ones that can't. If a business doesn't care about their BBB rating, it is a sign they either have captive customers, or aren't planning on being in business long-term. (aka "fly by night")

Name them and shame them... by Anonymous Coward · 2014-12-28 06:36 · Score: 1

...and then vote with your feet; shop elsewhere!

Please shame whomever it is by stonefoz · 2014-12-28 06:38 · Score: 3, Insightful

Please don't hide whom it is that I might accidentally do business with. Nothing is going to change just sending them an email, they may even go after you for doing so. However you may stop others from being suckered when their poor security becomes everyone else's problem. It's not their problem, it's going to be everyone else's.

First assumption is that there isn't somewhere that'll get broken. Everywhere probably will get successfully attacked at some point. Use a password manager. At least this way, when somewhere is broken, I'm sure that it's the only place where that password is used.

--
I think I just cashed out all my cool points.

Re:Please shame whomever it is by __aaltlg1547 · 2014-12-28 07:20 · Score: 1

And make sure that that password manager is only able to run locally and NEVER transfer your password file, even though it's encrypted, via a non-secure means. If you have it on a mobile device make sure your device settings prevent it from being uploaded to a server that you do not own.

So contact them anyways by cdwiegand · 2014-12-28 06:40 · Score: 1

Then contact them using their DomainsByProxy contact info. Yes, companies, lots of companies, use that, in order to have a level of privacy. That's OK - it still gets to them, you just don't have the contact details yourself. Contact them via email and they can see it just as much as if you had their direct email address. Either they care or they don't.

--
. Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.

Plain text e-mail... by nuckfuts · 2014-12-28 06:41 · Score: 4, Informative

has nothing to do with "poor SSL practices".

Re:Plain text e-mail... by jones_supa · 2014-12-28 06:52 · Score: 1

I think that was exactly his point: some of the benefits of having robust SSL are lost if the crucial details are afterwards transmitted through another cleartext channel.
Re:Plain text e-mail... by cheesybagel · 2014-12-28 07:07 · Score: 3, Insightful

IM networks are not safe either. Most of them use communications that are funneled in some way through some server or store client side message logs by default. A lot of them are not even encrypted at all.
Re: Plain text e-mail... by nuckfuts · 2014-12-28 07:19 · Score: 1

The email point wasnt about the email being plain text as much as them sending his chosen password in plain text, which means they store it in plain text...
They may or may not store his password as plain text. It's possible that the e-mail was generated dynamically when he entered his password in some form, while the password was in memory. They still might have used some kind of hash for permanent storage.
Re:Plain text e-mail... by damnbunni · 2014-12-28 13:44 · Score: 1

IM is a pain in the ass. Of any group of three people or more I want to send a message to, it's dead certain they're not all on the same IM network.
It's a nice theory, but it's nowhere near universal. Email is.
Re: Plain text e-mail... by Threni · 2014-12-29 01:04 · Score: 1

No, I have to remember which people won't reply to emails just like I have to remember which im network each person uses. Worse, some people do use email but only on their PC and not on their phone so replies can take hours or days. With im I know whether my "missed the train, so I'll be 30 mins late" message was read; they've no need to reply.
Re: Plain text e-mail... by damnbunni · 2014-12-29 01:20 · Score: 1

And I know people who use IMs on their PC but not their phone. An IM doesn't necessarily get read any faster than an email.
None of the IMs I've used will actually tell me a message is read. It'll let me know if it fails to deliver, but that doesn't mean Jim is actually at his desk and saw it.
I wasn't claiming there aren't uses for IMs.
My claim was that email isn't useless.
Not everyone's use case is the same as yours.
Re: Plain text e-mail... by Threni · 2014-12-29 07:47 · Score: 1

> None of the IMs I've used will actually tell me a message is read.
Modern ones will. Facebook Messenger and Hangouts, for instance.
Never said stuff'll get read faster on this or that system. Having an ongoing convesation consisting of single line comments over email is silly; the clients persist in showing you history or `click to expand` etc, and that's with a single person; forget having a 3 or 4 (or more) way conversation over email if you're remotely concerned about who's read what.
Re: Plain text e-mail... by EndlessNameless · 2014-12-29 10:42 · Score: 1

Storing authentication credentials in a retrievable form anywhere is stupid, even in memory. Kerberos has been around for decades, and it eliminates the need for a password to exist in memory as soon as it is hashed.
If Kerberos is not practical for a particular application, the same principles can be used in proprietary authentication mechanisms.
A plaintext password should never persist. Period. It is the result of a stupid decision somewhere, and we have known better for a long, long time.

--

---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

How much time did you waste on this? by Anonymous Coward · 2014-12-28 06:44 · Score: 1

You are using unique passwords for all of your sites right, because that is good security practice. Also, if you think someone is reading your email you might want to stop using email because your provider must be insecure. Just about every site on the internet will let you reset your password (by giving you a key/link/password which are all the same thing) via email, the security of your email is the weak link in the chain.

Since when is using private registration something to bring out the pitchforks for? You are the same guy that would be arguing for that privacy if you worked for the company, which you don't. Go outside.

Re:How much time did you waste on this? by BarbaraHudson · 2014-12-28 07:22 · Score: 1

ince when is using private registration something to bring out the pitchforks for? You are the same guy that would be arguing for that privacy if you worked for the company, which you don't. Go outside.
Not the submitter, but I have no problem with requiring businesses to have a way of contacting them using valid registration info. Reputable businesses will want to be contacted when there's a problem, so they can fix it and STAY in business.
Eventually we're also going to have to have a way to verify people's online identities to help prevent frauds (Nigerian scams, etc) and abuse. People say things online that they wouldn't dream of saying in real life.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Re:How much time did you waste on this? by Bert64 · 2014-12-28 12:34 · Score: 1

Not just unique passwords, also use unique email addresses (eg register your own domain and use an address which includes the site name), that way you will be able to tell if a company has a breach which results in your email address being leaked to third parties, or if they sell your address intentionally.
And a lack of easily available and valid business contact information is actually illegal in many countries...

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Re:How much time did you waste on this? by aminorex · 2014-12-29 03:30 · Score: 1

: People say things online that they wouldn't dream of saying in real life.
That is a good thing. If you lived in Uganda, your post would endanger your life, unless it were anonymous and untraceable.

--
-I like my women like I like my tea: green-

This is not a SSL matter by lucm · 2014-12-28 06:47 · Score: 4, Insightful

Your issue is apparently with them sending your password by email. This has nothing to do with SSL. Having a password stored in an inbox is bad for security reasons that have for the most part little to do with secure transport.

Can you reset it? If so, is it done on an HTTPS form? That's not ideal, but it's not immensely worse than those millions of websites that will send a "reset password link" by email.

I'm not saying their approach is fantastic, but I don't see reasons to get your panties in a bunch. If you are concerned with their email approach (which is not the same as "poor SSL practices") reply to that email (redacting your password), and if you're not happy with their answer or lack thereof, don't buy from them anymore. You don't need to Ask Slashdot for that.

--
lucm, indeed.

Re:This is not a SSL matter by Frosty+Piss · 2014-12-28 08:11 · Score: 1

Your issue is apparently with them sending your password by email... Can you reset it?
Many sites will auto-generate a password and send it to you (I don't like this), and you should always reset such passwords. Indeed, many sites that do this require you to reset on first log-in.
Always pay for on-line purchases with a credit card, as you can dispute fraudulent charges, and credit card companies have pretty decent fraud detection algorithms.
I know people here will not like this: Using a random pass on every site is not realistic for most people, but you could have permutations such as a decent password with prefix or suffix, or other ways to remember a system. It's only on-line shopping, if you use a credit card and get hacked, it's not the end of the world, dispute the charges and change your password.

--
If you want news from today, you have to come back tomorrow.
Re:This is not a SSL matter by Art+Challenor · 2014-12-28 09:31 · Score: 1

Actually, I would suspect that the greivence is to do with them having the plain text password at all. I recently requested a password reset from a self-described security vendor (anti-virus and similar) who then send, in a plain text e-mail the password itselft rather than a reset technique.
Re:This is not a SSL matter by umafuckit · 2014-12-28 10:55 · Score: 1

I used to have a magazine subscription which went via a third party service (IIRC) who would e-mail me my password each month along with my new edition notification. I contacted them about about it, they acknowledged the problem and two months later it was fixed. I still don't understand how someone can be so idiotic as to do this, but at least they responded and sorted their shit.

--
soylentnews.org
Re:This is not a SSL matter by F.Ultra · 2014-12-28 11:42 · Score: 2

Yes a reset link via mail is also bad, but sendinging the passowrord via mail indicates that the site does not use hashing and is storing all customers password in clear text in their databases.
Re: This is not a SSL matter by Bert64 · 2014-12-28 12:36 · Score: 1

Because very few SMTP servers *require* the use of SSL. Some will use SSL if available, but fall back to plain text otherwise, and also usually not check the certificate. Many mail servers still don't enable SSL at all and plain text email is frequently sent across the internet.

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Re:This is not a SSL matter by lucm · 2014-12-28 13:45 · Score: 5, Informative

Sometimes it comes from the kind of users the company deals with. It can be quite a struggle to deal with the public.
I experienced that again lately. I was working on a new system for a client, and we quickly found out that people not only forget their passwords, they also forget what email address they used to create their account (Gmail? Outlook? Isp? job email?). So they create an account, forget the password, come back a few days later, try to use a different email address, it's not found so they recreate an account, and then they change their settings or place orders, and then the next week they come back and login with the first email address they used, which is linked to the first account, so they get mad because their new settings or orders created in the 2nd account are "gone". You have no idea how often this happens. Some people have created 4 different accounts in a single month, and they keep randomly login using one or the other (resetting the password each time), and of course they complain about losing their settings.
So we added a tool for helpdesk to let them "merge" accounts when someone calls to complain about losing their settings. It helped a bit. We also tried to create a "duplicate matcher" in the login page (name/address/DOB/etc) but we did not have a lot of success with it. Believe it or not, our stats indicate that almost 15% of people make a typo when they enter their full name or DOB.
So we added a third-party login mechanism (FB, Google+, Yahoo, LinkedIn). This significantly reduced the number of calls about forgotten passwords (or more accurately, those calls were probably shifted to FB/Google/Yahoo/LinkedIn) but created another fuck-up option: people who create their account using their FB login, but then come back the next week and try to login without using the FB login button, trying instead to login with their email address and a password (which is probably their FB email and password anyways). Less people called to complain about forgotten passwords, instead they created even more accounts. There are people in the system with 4-5 logins, including FB, Google+ and 2-3 different email addresses.
So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.
But still there was a lot of complaints about password reset links not working (users looking in the wrong inbox, or using Outlook aliases, or going back to a different email address and then seeing a password reset link and being pissed that it was obsolete). So we added a one-time password feature, which is sent by email or text message (and is matched to the specific browser session). This helped a lot too. But whenever we add a feature, people find more ways to do mistakes.
So next time you see a system that looks stupid, remember that the vast majority of users are probably people with little computer skills and no patience whatsoever for passwords and security. It does not excuse bad designs, but it puts things in perspective.

--
lucm, indeed.
Re:This is not a SSL matter by lucm · 2014-12-28 13:52 · Score: 1

Wrong. Between hashing and clear text there's a whole lot of encryption options.
There are situations where it's perfectly valid to store passwords in an encrypted format (as opposed to a hash). As an example, a lot of people use Keepass to store their billions of uid/pwd, and this is completely acceptable (as long as the master password is decent). There are also situations where systems integration must be performed without single sign-on. There are database connection strings, stored in config files. And plenty of other non-WTF situations where the password is reversible.

--
lucm, indeed.
Re:This is not a SSL matter by tepples · 2014-12-28 17:06 · Score: 1

So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.
The Stack Exchange network has a similar feature. Each user can associate a Facebook account, an e-mail address and password, and multiple OpenID identifiers (Google, AOL, Ubuntu, etc.) to his Stack Exchange user account. The one thing I'm surprised they don't support is Twitter login.
Re:This is not a SSL matter by tepples · 2014-12-28 17:10 · Score: 1

There are also situations where systems integration must be performed without single sign-on.
And even with single sign-on, there are situations where a system participating in single sign-on needs to store a "client key" and "client secret" for something like OAuth.
Re: This is not a SSL matter by BronsCon · 2014-12-28 19:11 · Score: 1

Because when you connect to your mail server using SSL, it then turns around and passes it along to the next in plaintext.

--
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Re:This is not a SSL matter by F.Ultra · 2014-12-28 23:01 · Score: 1

If so then you have a faulty implementation and need to change it. If you store user passwords in any other way than a salt+hash then your entire userdatabase will be made public if compromised. Services like Keepass is different since each account is secured with the users master password which is not stored in the database. Databas connections inside your infrastructure should not pass along the end users password, ever.
Re: This is not a SSL matter by david_thornley · 2014-12-29 11:02 · Score: 1

Have you encountered a site savvy enough to email with encryption and dumb enough to email you a password as opposed to a secure link? I haven't.

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Re:This is not a SSL matter by lucm · 2014-12-29 13:12 · Score: 1

The one thing I'm surprised they don't support is Twitter login.
Have you tried it? It's horrible compared to the other providers. In my experience, ease of use of the authentication api is the following:
1) LinkedIn
2) Google+
3) Facebook
4) Windows Live
5) Yahoo
6) AWS Cognito
[...]
2147483647) Twitter
There are others players, like Mozilla Persona, Path, etc. but I haven't tried them.

--
lucm, indeed.
Re:This is not a SSL matter by lucm · 2014-12-29 13:38 · Score: 1

Duh. What you suggest shows a serious lack of experience because in many situations this can't be implemented, full stop. As an example, if one does not have access to single sign-on, it's basically impossible not to use passwords that are stored somewhere if more than one system must interact, unless they all support certificate authentication, which is not frequent. And in complex systems there's not always some dude waiting in front of a computer, ready to punch in a password to let a scheduled job run.
So until you have a better understanding of how things work in medium or large organizations (aka: real life), my advice is not to tell people that their implementation is faulty, or you will just show your inexperience. It's a good thing to know "best practices", but what will make you competent is being able to understand the concept of "right" practice. Until then you just sound like someone who spent time memorizing test material, which is of limited value.

--
lucm, indeed.
Re:This is not a SSL matter by F.Ultra · 2014-12-31 12:42 · Score: 1

You seam to talk about something complete different from what the article is about. This is about a web store storing end users passwords in clear text in their database, not your internal system for employees or what ever. For a web store there is no reason what so ever to use the customer provided password for anything other than authenticating the user for the web service, all other access deeper in the system should use credentials set up between these services.
And even for you set up there is no reason that some deep back end have to use the same password for user X than user X typed in when accessing the web service, if you must need per user passwords inside your system then let the system auto generated credentials upon account creation for b2b authentication.
Re: This is not a SSL matter by BronsCon · 2015-01-04 13:11 · Score: 1

And if the company's mail server passes mail over port 25 (where even Google doesn't support TLS or SSL)? You do realize this is the default for 90+% of mail servers, right?

--
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.

Don't shop there by jtara · 2014-12-28 06:52 · Score: 3, Insightful

Pretty simple: don't shop there.

You ignored multiple red flags, yet you are surprised when they email you your password? (Which, of course, as others have pointed-out, has nothing to do with SSL.)

Any one of these looses any company my business:

- Expired, non-matching, self-signed, localhost, example.com, etc. etc. SSL certificate
- Domain proxy registration (companies should not have "privacy")
- Hide contact information
- mailed me my password
- doesn't offer payment choices, only one payment type

Re:Don't shop there by jtara · 2014-12-28 11:14 · Score: 1

Actually, checking DNS records isn't the first thing I do, but I do if I am suspicious.
First thing is a simple Google search:
"XYZ scam"
Where "XYZ" is the company I am researching.
As well, I will trust Amazon and Ebay resellers with a good reputation.
If I have to deal with some unknown company, I will usually check them out to some degree. I've never been burned in terms of paying for a product that I didn't get, or getting something other than what I'd expected, getting a non-working product (that isn't quickly remedied) etc. but then I am a big chicken - I usually only order things from big online retailers with years of good reputation - Amazon (you can seldom beat their price, at least not by much), NewEgg, PC/Mac Connection, Grangier, etc.
What I have had happen on multiple occasions is that the company doesn't not actually have the product to ship. I don't know why this is so prevalent, maybe it is just some drop-ship operation, and they don't keep their records in order, no longer have a relationship, never did actually sell the product (for what purpose the product listing?) etc. To avoid wasting my time, I find it's best to avoid companies that hide from me. Funny how that works out...

Hacking by axlash · 2014-12-28 06:58 · Score: 2, Funny

If their security is so bad, you should be able to hack into their network.

Once you've done so, post the story of the hacking on the internet.

Nothing like public embarassment to make them clean up their security practices.

--
Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.

Re:Hacking by gnasher719 · 2014-12-28 07:21 · Score: 2, Informative

If their security is so bad, you should be able to hack into their network.
Worst possible advice. There is the risk of jail time, There is severe risk of being taken to court for damages, which is expensive if you win, and really, really expensive if you lose. Which is likely if you hack into their network.

And anyway, what the OP described is blatant disrespect for the security of their customers. That doesn't mean their own stuff isn't protected.

More sites like this for banks ... by schwit1 · 2014-12-28 07:02 · Score: 1

These sites grade banks for online security
http://blog.codacy.com/2014/04...
https://deekayen.net/bank-ssl-...

3 Quick Fixes by BarbaraHudson · 2014-12-28 07:10 · Score: 4, Insightful

1. Name and shame them. Don't pussyfoot around. Worst-case scenario, you'll get their contact info when they act all butt-hurt and make empty threats to sue (for what, exactly? Negative online reviews are protected speech). Not just on "review sites", which often are "we will remove the negative review if you buy our services" scams (cf: Yelp), but sites that YOU use. People only go to these sites after the fact. They're worthless.

2. Change your password and see if they send you back the updated info in plaintext. If they do, it's not just ONE bug.

3. Shop elsewhere. Use sites recommended by people you know who have actually used them and had good experiences, not some $RANDOM_SITE_WITH_LOWEST_PRICE that may be some kid in a basement and his mom who don't have a clue. If they're the lowest price, it may be because they're skimping on things like security and not because they have bulk buying power.

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

Re:3 Quick Fixes by heson · 2014-12-28 10:45 · Score: 1

Wrong order, FFS, change password now if you have not.

Dealing With Companies With Poor SSL Practices? by chihowa · 2014-12-28 07:21 · Score: 1

This one's easy: don't.

If they're not taking security seriously, that's a bad sign and you should reconsider giving them your personal information. If they're actively trying to hide their own contact information, that's a huge red flag and you'd be crazy to do business with them.

There's no need to overthink this. This is the internet equivalent of the shady guy selling Armani suits out of a stolen car (actually happened near me, recently). Just avoid shady businesses.

--
If you want a vision of the future, imagine a youtube comments section scrolling - forever.

Here's a start by russotto · 2014-12-28 07:29 · Score: 1

Don't redact their name. Name and shame. Then don't deal with them any more.

Become a tinfoil-helmet-wearing-minimalist by pigoon · 2014-12-28 07:43 · Score: 1

Works for the most of the posters here.

The sad part is they call a lot of the defacing "hacks" when the company has a digital equivalent of leaving customer data on their front porch with a neon sign saying "Free Credit Card w/SSN Here!"

The "security" we're calling for would be more accurately described as, "stop putting accountants in charge of IT security."
Change the mindset from Risk Management and cost control.

I wonder what the OP was buying that can't be found on amazon.com though?

Ask yourself by sjames · 2014-12-28 07:58 · Score: 1

What are the actual risks? Just how likely is it that someone will breech your email and what would the consequences be? What would you suggest as an alternative means of delivering both password and password changes?

Consider that if the lost password procedure involves email, then there is no security benefit to keeping passwords out of email (the key to getting a valid password is just as harmful as the actual password if it leaks).

Re:Ask yourself by elbles · 2014-12-28 08:29 · Score: 1

This times a lot. I'm not saying it's an ideal practice that this as-yet-unnamed vendor is doing, but I also don't view it as the end of the world either, particularly if no ultra-sensitive data is stored on the company's servers (i.e., credit card numbers, SSNs, etc.). In my eyes (admittedly not knowing all of the details), the biggest problem here may be that the vendor is storing passwords in plain text, which I can't quite fathom a reason for. At a bare minimum, they should be encrypted (which would not preclude the company from retrieving the clear text equivalent), but preferably hashed. You as a user may not be able to tell the difference between a company that stores passwords in plain text and one that actually e-mails them, but they're pretty close in levels of security, in my mind (and this is a very good reason for using a different password for every site, as has been suggested by many a Slashdotter).

There can be security benefit to a lost password procedure not involving e-mailing a password to a user though. The best ones I've seen e-mail a link back to the company's site containing some sort of token that proves you received the e-mail (at your registered address), and then prompt you to ask for the answers to one or more security questions that you configured when you first setup the account before you are prompted to enter/select a new password.

Security is a fundamentally hard problem, and while there have clearly been many SSL issues as of late, this is just not one of them.
Re:Ask yourself by sjames · 2014-12-28 17:15 · Score: 1

If they're storing the passwords in clear text, that's not good. However, they could be assigning random passwords and only storing the hash after they send it via email to the user. There's just not enough information to say.
Agreed that security questions in addition to the usual click lost password and they send you a unique URL to navigate to is a good idea and considerably improves the security of password recovery as long as the answers to the security questions aren't easy to determine from looking through the users email box.

Had a couple of companies email me passwords by CanadianMacFan · 2014-12-28 08:17 · Score: 1

Eventually started sending them a link to this write-up about Companies Mailing Passwords".

Re:Had a couple of companies email me passwords by Scryer · 2014-12-28 09:01 · Score: 2

And the author of that one *also* does not name the offending company.
Raising the issue in a vacuum is fruitless, because there's no general panacea for corporate security stupidity. Other users won't know until they receive their passwords in the mail that they've opened an account with a company that should be marked "Fail".
So mark them. Here's a good place to start, and the above blogger should have done it also. Otherwise you're just blowing off steam.

This is not poor SSL practice by Anonymous Coward · 2014-12-28 08:45 · Score: 1

You described something having to do with poor password practices. SSL has 0 to do with the subject at hand.

Don't get a new card---get a new acc't no. by Max+Hyre · 2014-12-28 09:56 · Score: 2

FWIW, I've read (too lazy to look up citation) that closing one CC account and opening another can hurt your credit score. Ask your issuer to assign your account a new number.

--
I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/

Re:Don't get a new card---get a new acc't no. by davecb · 2014-12-28 11:32 · Score: 1

Amex will provide single-use numbers for untrustworthy vendors. They purportedly will also do single-vendor numbers, so if you give such a number to a particular vendor, anyone who steals it will have it bounce.
I've tried to confirm the latter, with no particular success.

--
davecb@spamcop.net

Name and shame... by Bert64 · 2014-12-28 12:27 · Score: 2

There really isn't much else you can do, publicise the bad companies so that those who do care can avoid them. Only if they start losing business will any company even consider doing anything about it.

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!

100 times this!!! by brunes69 · 2014-12-28 13:52 · Score: 2

It drives me bananas when people write posts like this and I see it online alll the time. Unless you care more about some corporation than your fellow consumer, NAME NAMES! There is essentially ZERO reason for a company to change practices other than bad PR, and you can't create that without naming them.

Re:100 times this!!! by Orestesx · 2014-12-28 15:04 · Score: 1

Not gonna happen. The brackets mean that the name of the site was removed by timothy. If the submitter is lying or mistaken, Slashdot could get in trouble for posting the name of the site. Because this is not journalism. There is no fact checking happening.
Re:100 times this!!! by GoddersUK · 2014-12-28 16:15 · Score: 1

It isn't hard to find the name of the company in question, though... http://slashdot.org/firehose.p...
Re:100 times this!!! by JWSmythe · 2014-12-28 19:27 · Score: 4, Informative

It looks like this is more of a competitor trying to sabotage them, rather than a legitimate complaint. Yes, Slashdot could have gotten in trouble for running it. Honestly, they should have seen it, did the difficult step of "Look at the site first" and realized it was a non-story.
He's bitching about not being able to contact the company, yet http://kahntools.com/contact-us
Address
6320 Canoga Ave. Suite 640
Woodland Hills, CA 91367
Phone
Office: (818) 884-7000
Toll Free: (855) 585-7500
Fax: (818) 530-4249
Hours of Operation
9:00 a.m. - 9:00 p.m. Eastern Time
Monday â Friday
Email
Customer Service: sales@kahntools.com
General Inquiries: support@kahntools.com
and I found separately through the magic of g00gle...
https://www.facebook.com/kahntools

--
Serious? Seriousness is well above my pay grade.
Re:100 times this!!! by JWSmythe · 2015-01-01 04:15 · Score: 1

That's you and me. I have something somewhat legitimate in there. I'm also sure you're aware that domain registrar information is rarely changed in a timely fashion, even though they're sending out the yearly reminders to make sure your information is right.
The whole registrar proxy thing is easy money for them. As I recall, they have verbage on the page that strongly recommends using it, implying it's for the safety of your domain.
I've frequently seen that the registration itself is handled by an accounting department, not by the IT department. When I was looking at their pages, it looked like they don't have an in-house IT department. It's probably a contracted web designer who maintains the page, and someone in-house (like accounting) manages the domain. By managed, I mean "pays the bill when it comes up for renewal".
Since it's frequently managed someone who will never check it, it's actually better to let the proxy service handle the contacts. They will (hopefully) update their billing info if there is a change, so the service knows who to send contacts to.

--
Serious? Seriousness is well above my pay grade.

Postal Letter to the CEO by DERoss · 2014-12-28 15:02 · Score: 1

When I have a problem dealing with a U.S. company over the Internet, I go to http://finance.yahoo.com/looku.... This site will tell me the names of the top executives and the corporate postal address of a company whose stock is publicly traded, even on the most obscure exchanges. If the company's stock is not publicly traded, I then resort to Google. Sooner or later -- yes, with some effort -- I find out who is in charge and where to mail a letter.

I compose a non-threatening, literate letter to the CEO or president of the company. I explain in layman's terms what is wrong and why I won't do business with them until the problem is fixed. While the executive likely does not even see my letter, someone in his or her office will see it -- someone who has authority to correct the situation. Occasionally, the situation is indeed fixed.

After sending the letter via the U.S. Postal Service, I wait about a week. Then, I create a Web page re-creating my letter. Yes, I name names. The situation might not be fixed, but the problem and the company are now public. I carry a significant level of liability insurance.

Even some techies don't grok SSL by twitnutttt · 2014-12-28 15:06 · Score: 1

I was a high-level consultant recently for a mid-sized startup with many thousands of users (including some celebrity types) and a platform that spanned web, mobile web, web service APIs, CDNs, and mobile apps.

I interfaced directly with the CEO, who was quite tech savvy. But every time we would get JSON, AJAX, or cross domain type problems, as I would be directing troubleshooting to fix things, he would go into the code and turn off SSL to fix them, and then say to me to get back to other work. I kept explaining to him that this was not the solution, that we needed to solve the actual issue(s) so we could run in SSL mode. He would say, "We can't risk having problems because of SSL. The site has to work."

I tried patiently explaining how the greatest risks were if we collected users' passwords without SSL and someone snooped and hacked or exposed our users, some of whom were quite prominent figures.

***He was convinced that you just couldn't run a platform such as ours with SSL and have it work.***

Finally, I drafted a short letter outlining the risks and potential financial and civil liabilities to the company of negligently not running SSL, and I asked him to sign and acknowledge that I had advised him of these things but that he was forbidding me to enable SSL. I politely explained that I was concerned about my professional reputation and liability as the company's technology advisor.

This made him cave, I devoted a short bit of time to fixing the underlying issues, and SSL worked perfectly from then on. He never had the guts to acknowledge that he had been wrong that SSL couldn't work.

Agreed, single-use numbers and Paypal FTW by billstewart · 2014-12-28 17:17 · Score: 1

That also reduces the ability of the company to coordinate your purchasing information (though your name and address are probably relatively unique, unless you also use single-use versions of those, like random apartment numbers for your house.)

Somebody else also recommended using PayPal for sites that you don't want to trust on a regular basis. Any place that you don't trust, or that you think might be lax about security, or that you're not planning to use repeatedly can get by with that.

--

Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks

Re:Agreed, single-use numbers and Paypal FTW by ultranova · 2014-12-28 23:51 · Score: 1

That also reduces the ability of the company to coordinate your purchasing information (though your name and address are probably relatively unique, unless you also use single-use versions of those, like random apartment numbers for your house.)

I smell a business opportunity for an anonymizing postal service! Go to their site to create a fake (but real-looking) address, give that to the shipper, and have the package delivered to your real address.

--
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Re:Agreed, single-use numbers and Paypal FTW by aminorex · 2014-12-29 03:25 · Score: 1

Use bitcoin.

--
-I like my women like I like my tea: green-

Re:Wtf by tepples · 2014-12-28 17:26 · Score: 1

whatever happened to: If you don't like the way a company does business, don't do business with them?

Monopolies happened. A lot of times, there are no compatible substitutes for a particular company's products or services despite the company's poor information security practices.

Prepare to leave the country by Antique+Geekmeister · 2014-12-28 19:17 · Score: 1

Exposing IT malfeasance can be _very_ dangerous, especially if you have a professional relationship with the company whose behavior you wish to expose. It leave you vulnerable not only to termination, but to vindictive lawsuits, "SLAPP" or "Strategic Lawsuits Against Public Participation", blacklisting, and even criminal activity. There have been some very famous cases of this, especially by governments for politically sensitive issues. The currently infamous case is Edward Snowden, but I've certainly seen it in the professional IT world. I've even had a manager try to call me and poison recommendations made by other staff in his office for a former employee. It was a fascinating case, since we did other business with that company.

Simple ! Never share personal info! by thedonofdons · 2014-12-28 21:48 · Score: 1

Never ever share personal and financial information on such websites! It's for your own good!
http://popularbloggingtopics.c...

Take your business elsewhere by YoungManKlaus · 2014-12-29 01:05 · Score: 1

and let them know the reason. Nothing gets companies moving faster than lost money.

email != unencrypted by lamber45 · 2014-12-29 02:29 · Score: 1

Since 2002, the STARTTLS extension to SMTP, RFC 3207, has been a standard. In this particular case, the vendor's domain appears to be hosted on Google Sites, so if the OP has a gmail account the message won't even leave Google's network until he picks up the message via HTTPS or SSL-secured IMAP.

I, for one, by mandark1967 · 2014-12-29 03:15 · Score: 1

welcome our "open-access" loving vendors. If I have sensitive information I want to remain secure, I make sure it's stored on Sony's servers

--
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain

Stupidest complaint ever by Havokmon · 2014-12-29 05:09 · Score: 1

So you created an account, were emailed the password, and that's it? THAT"S the problem? You never saved your payment information - which if you use Visa/MC you're 100% protected from fraudulent transactions. And an attacker would gain what? Knowledge of the sex toys you like?

Not even sure why I'm wasting time posting this.

Next time before you post stupidity, actually do a risk assessment. Too much 'security research' is concentrated on a single action, and people are having a REALLY hard time seeing the big picture (or the 'forest through the trees').

The reason they're not responding to you is because you're not worth their time. They have products to ship, and actual customer service to provide. They will have zero problem dropping a pain in the ass customer with minor complaints that they want to publicize for their own personal gain.

--
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)

Re:Stupidest complaint ever by MooseMiester · 2014-12-29 10:30 · Score: 1

Mod up 1,000,000

--
Murphy was an optimist

Banks, ATMs and email receipts by rleibman · 2014-12-30 10:48 · Score: 1

One of my biggest security peeves is the question at ATMs that wants to email me a receipt of my transaction! I would love it if my bank communicated with me that way, but not without me giving them a public encryption key first. Getting my balance and info sent to me by email sounds like the stupidest thing in the world... I'm really surprised no banking security experts have mentioned anything (I'm looking at you BofA)

Slashdot Mirror

Ask Slashdot: Dealing With Companies With Poor SSL Practices?

105 of 141 comments (clear)