Ask Slashdot: Dealing With Companies With Poor SSL Practices?

An anonymous reader writes Despite recent highly-publicized hacking incidents making the news, companies continue to practice poor cyber-security. I signed-up to buy something from [an online vendor] and upon completing signup through HTTPS, was sent my username and password in plain-text through e-mail. This company has done everything in its power to avoid being contacted for its poor technical practices, including using GoDaddy's Domains By Proxy to avoid having even WHOIS information for their webmaster's technical contact from being found. Given such egregious behavior, what do you do when you're left vulnerable by companies flagrantly violating good security practice?

Don't Do Business With Them

[TechyImmigrant]

EOM

Shop elsewhere...

[Frosty+Piss]

There really isn't much you can do about companies like this, except shop elsewhere. Sooner or later, they will have a breach, and the "security researchers" will have your credit card data.

Re:This is not a SSL matter

[lucm]

Sometimes it comes from the kind of users the company deals with. It can be quite a struggle to deal with the public.

I experienced that again lately. I was working on a new system for a client, and we quickly found out that people not only forget their passwords, they also forget what email address they used to create their account (Gmail? Outlook? Isp? job email?). So they create an account, forget the password, come back a few days later, try to use a different email address, it's not found so they recreate an account, and then they change their settings or place orders, and then the next week they come back and login with the first email address they used, which is linked to the first account, so they get mad because their new settings or orders created in the 2nd account are "gone". You have no idea how often this happens. Some people have created 4 different accounts in a single month, and they keep randomly login using one or the other (resetting the password each time), and of course they complain about losing their settings.

So we added a tool for helpdesk to let them "merge" accounts when someone calls to complain about losing their settings. It helped a bit. We also tried to create a "duplicate matcher" in the login page (name/address/DOB/etc) but we did not have a lot of success with it. Believe it or not, our stats indicate that almost 15% of people make a typo when they enter their full name or DOB.

So we added a third-party login mechanism (FB, Google+, Yahoo, LinkedIn). This significantly reduced the number of calls about forgotten passwords (or more accurately, those calls were probably shifted to FB/Google/Yahoo/LinkedIn) but created another fuck-up option: people who create their account using their FB login, but then come back the next week and try to login without using the FB login button, trying instead to login with their email address and a password (which is probably their FB email and password anyways). Less people called to complain about forgotten passwords, instead they created even more accounts. There are people in the system with 4-5 logins, including FB, Google+ and 2-3 different email addresses.

So to fix this we added the "get connected" feature. Basically it's a page after the initial login where people can open a session to all their social networks and provide all their frequent email addresses. This way they can login with any of these. This helped a lot.

But still there was a lot of complaints about password reset links not working (users looking in the wrong inbox, or using Outlook aliases, or going back to a different email address and then seeing a password reset link and being pissed that it was obsolete). So we added a one-time password feature, which is sent by email or text message (and is matched to the specific browser session). This helped a lot too. But whenever we add a feature, people find more ways to do mistakes.

So next time you see a system that looks stupid, remember that the vast majority of users are probably people with little computer skills and no patience whatsoever for passwords and security. It does not excuse bad designs, but it puts things in perspective.