Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Dealing With Companies With Poor SSL Practices?

Posted by timothy on from the stochastic-protection dept.

An anonymous reader writes Despite recent highly-publicized hacking incidents making the news, companies continue to practice poor cyber-security. I signed-up to buy something from [an online vendor] and upon completing signup through HTTPS, was sent my username and password in plain-text through e-mail. This company has done everything in its power to avoid being contacted for its poor technical practices, including using GoDaddy's Domains By Proxy to avoid having even WHOIS information for their webmaster's technical contact from being found. Given such egregious behavior, what do you do when you're left vulnerable by companies flagrantly violating good security practice?

7 of 141 comments (clear)

  1. Don't Do Business With Them by TechyImmigrant · · Score: 5, Insightful

    EOM

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. Shop elsewhere... by Frosty+Piss · · Score: 5, Insightful

    There really isn't much you can do about companies like this, except shop elsewhere. Sooner or later, they will have a breach, and the "security researchers" will have your credit card data.

    --
    If you want news from today, you have to come back tomorrow.
  3. Plain text e-mail... by nuckfuts · · Score: 4, Informative

    has nothing to do with "poor SSL practices".

  4. This is not a SSL matter by lucm · · Score: 4, Insightful

    Your issue is apparently with them sending your password by email. This has nothing to do with SSL. Having a password stored in an inbox is bad for security reasons that have for the most part little to do with secure transport.

    Can you reset it? If so, is it done on an HTTPS form? That's not ideal, but it's not immensely worse than those millions of websites that will send a "reset password link" by email.

    I'm not saying their approach is fantastic, but I don't see reasons to get your panties in a bunch. If you are concerned with their email approach (which is not the same as "poor SSL practices") reply to that email (redacting your password), and if you're not happy with their answer or lack thereof, don't buy from them anymore. You don't need to Ask Slashdot for that.

    --
    lucm, indeed.
    1. Re:This is not a SSL matter by lucm · · Score: 5, Informative

      Sometimes it comes from the kind of users the company deals with. It can be quite a struggle to deal with the public.

      I experienced that again lately. I was working on a new system for a client, and we quickly found out that people not only forget their passwords, they also forget what email address they used to create their account (Gmail? Outlook? Isp? job email?). So they create an account, forget the password, come back a few days later, try to use a different email address, it's not found so they recreate an account, and then they change their settings or place orders, and then the next week they come back and login with the first email address they used, which is linked to the first account, so they get mad because their new settings or orders created in the 2nd account are "gone". You have no idea how often this happens. Some people have created 4 different accounts in a single month, and they keep randomly login using one or the other (resetting the password each time), and of course they complain about losing their settings.

      So we added a tool for helpdesk to let them "merge" accounts when someone calls to complain about losing their settings. It helped a bit. We also tried to create a "duplicate matcher" in the login page (name/address/DOB/etc) but we did not have a lot of success with it. Believe it or not, our stats indicate that almost 15% of people make a typo when they enter their full name or DOB.

      So we added a third-party login mechanism (FB, Google+, Yahoo, LinkedIn). This significantly reduced the number of calls about forgotten passwords (or more accurately, those calls were probably shifted to FB/Google/Yahoo/LinkedIn) but created another fuck-up option: people who create their account using their FB login, but then come back the next week and try to login without using the FB login button, trying instead to login with their email address and a password (which is probably their FB email and password anyways). Less people called to complain about forgotten passwords, instead they created even more accounts. There are people in the system with 4-5 logins, including FB, Google+ and 2-3 different email addresses.

      So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.

      But still there was a lot of complaints about password reset links not working (users looking in the wrong inbox, or using Outlook aliases, or going back to a different email address and then seeing a password reset link and being pissed that it was obsolete). So we added a one-time password feature, which is sent by email or text message (and is matched to the specific browser session). This helped a lot too. But whenever we add a feature, people find more ways to do mistakes.

      So next time you see a system that looks stupid, remember that the vast majority of users are probably people with little computer skills and no patience whatsoever for passwords and security. It does not excuse bad designs, but it puts things in perspective.

      --
      lucm, indeed.
  5. 3 Quick Fixes by BarbaraHudson · · Score: 4, Insightful

    1. Name and shame them. Don't pussyfoot around. Worst-case scenario, you'll get their contact info when they act all butt-hurt and make empty threats to sue (for what, exactly? Negative online reviews are protected speech). Not just on "review sites", which often are "we will remove the negative review if you buy our services" scams (cf: Yelp), but sites that YOU use. People only go to these sites after the fact. They're worthless.

    2. Change your password and see if they send you back the updated info in plaintext. If they do, it's not just ONE bug.

    3. Shop elsewhere. Use sites recommended by people you know who have actually used them and had good experiences, not some $RANDOM_SITE_WITH_LOWEST_PRICE that may be some kid in a basement and his mom who don't have a clue. If they're the lowest price, it may be because they're skimping on things like security and not because they have bulk buying power.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  6. Re:100 times this!!! by JWSmythe · · Score: 4, Informative

        It looks like this is more of a competitor trying to sabotage them, rather than a legitimate complaint. Yes, Slashdot could have gotten in trouble for running it. Honestly, they should have seen it, did the difficult step of "Look at the site first" and realized it was a non-story.

        He's bitching about not being able to contact the company, yet http://kahntools.com/contact-us

    Address
    6320 Canoga Ave. Suite 640
    Woodland Hills, CA 91367

    Phone
    Office: (818) 884-7000
    Toll Free: (855) 585-7500
    Fax: (818) 530-4249

    Hours of Operation
    9:00 a.m. - 9:00 p.m. Eastern Time
    Monday â Friday

    Email
    Customer Service: sales@kahntools.com
    General Inquiries: support@kahntools.com

    and I found separately through the magic of g00gle...

    https://www.facebook.com/kahntools

    --
    Serious? Seriousness is well above my pay grade.