Businesses should be aware of the risk their customers are exposed to in the absence of HTTPS

Aug 19, 2014 13:21 GMT

By creating a Tumblr blog dedicated to exposing businesses' insecure communication with their customers, a software engineer hopes to raise awareness of the importance of encrypting the information that is exchanged and of the dangers of leaving it in the clear.

Software engineer Tony Webster launched HTTPS Shaming, a website dedicated to shaming companies that send sensitive information to their customers in an insecure manner.

Created over the weekend, the site is already filled with examples of companies delivering services and products to their customers over unencrypted connections.

To help all users understand why HTTPS matters, the engineer also describes an attack scenario for each entry, and most of them would put the customer at serious risk.

The list of examples starts with Bjango's iStat Menus for Mac: the details the application sends to the developer over an unencrypted connection include the application version together with hardware and operating system information, and in return it receives the download path of the latest build.

Such examples are common on HTTPS Shaming, and some of them involve applications used by millions of users.

One of the most prominent examples is TripIt, which delivers travel details through calendar feeds that can easily be sniffed with a network tool.

Travel plans, names, trip summaries, flight details, hotel reservations, train bookings and rental car details all travel across the network with no protection whatsoever.

In every case the risk of sending plaintext data over the web is obvious, and it is greatest for mobile devices, which routinely connect to Wi-Fi hotspots (often public ones) where an attacker on the same network can intercept the traffic and read every detail without restriction.

Eavesdropping on a network is neither a new technique nor a complicated one; freely available packet capture tools and a few minutes of effort are all it takes.

Webster also found login forms that submit credentials over plain HTTP, which lets an attacker positioned between the client and the server (for example on an open Wi-Fi network) steal the credentials outright.

Among the websites Webster found to offer insecure logins are Scribd, Meetup and the bar exam preparation provider BarBri.
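As an added illustration for this article (not code from HTTPS Shaming or from any of the companies named here), the Python script below does what a passive listener on an open Wi-Fi network does with the three kinds of plaintext request discussed above: an update check that reports version, OS and hardware details in its query string, a per-user calendar feed fetched with HTTP Basic credentials, and a login form submitted with a POST. The traffic is constructed, and the host names, paths and field names in it are hypothetical.

```python
"""Passive extraction of sensitive fields from plaintext HTTP traffic.

Added illustration; not code from HTTPS Shaming or from any product named in
the article. The traffic below is constructed, and the host names, paths and
field names in it are hypothetical.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what a passive listener on an open Wi-Fi network sees:
# an update check leaking version/OS/hardware details in its query string, a
# calendar feed fetched with HTTP Basic credentials, and a login form POST.
SAMPLE_TRAFFIC = (
    b"GET /update-check?app=example-menus&version=4.2&os=10.9.4&hw=MacBookPro11,1 HTTP/1.1\r\n"
    b"Host: updates.example.com\r\n"
    b"User-Agent: ExampleUpdater/4.2\r\n"
    b"\r\n"
    b"GET /ical/u/abc123/trips.ics HTTP/1.1\r\n"
    b"Host: feeds.example.org\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"  # base64("alice:hunter2")
    b"\r\n"
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

# Form field names that usually carry credentials (hypothetical short list).
CREDENTIAL_FIELDS = {"username", "user", "email", "password", "passwd", "pass", "pwd"}


def split_requests(stream):
    """Yield (request_line, headers, body) for each HTTP request in a byte stream.

    Headers are keyed by lower-cased name; the body is sized by Content-Length
    (a request without that header is treated as having an empty body).
    """
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            return
        head = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        body = stream[body_start:body_start + length]
        pos = body_start + length
        yield head[0], headers, body


def extract_sensitive(stream):
    """Return (host, kind, name, value) tuples for everything readable on the wire."""
    findings = []
    for request_line, headers, body in split_requests(stream):
        _method, target, _version = request_line.split(" ", 2)
        host = headers.get("host", "?")
        url = urlsplit(target)

        # Query-string parameters: version, OS and hardware details in an
        # update check are fingerprinting data for whoever is listening.
        for name, values in parse_qs(url.query).items():
            findings.append((host, "query", name, values[0]))

        # A per-user feed URL is itself a secret: anyone who sees it can fetch the feed.
        if url.path.endswith(".ics"):
            findings.append((host, "feed-url", "path", url.path))

        # HTTP Basic authentication is base64 encoding, not encryption: decode and read.
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            user, _, password = decoded.partition(":")
            findings.append((host, "basic-auth", user, password))

        # Form-encoded POST bodies: a login form submitted over HTTP.
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            for name, values in parse_qs(body.decode("utf-8", "replace")).items():
                kind = "credential" if name.lower() in CREDENTIAL_FIELDS else "form"
                findings.append((host, kind, name, values[0]))
    return findings


if __name__ == "__main__":
    for host, kind, name, value in extract_sensitive(SAMPLE_TRAFFIC):
        print(f"{host:22} {kind:11} {name} = {value}")
```

Running the script lists every parameter, the feed path, the decoded Basic credentials and the login form fields, because nothing in plain HTTP is hidden from a host that can see the packets. Had the same three requests been sent over HTTPS, the listener would have seen only the server name from the TLS handshake and the size and timing of the traffic.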

Even the delivery of software that handles sensitive data should take place over an encrypted connection, to remove the risk of an attacker slipping a tampered version of the product into the download. Transport encryption protects the file in transit; checking a publisher's signature, or a checksum obtained over a trusted channel, additionally confirms that the file is the one the publisher released.

With so much information flowing over the Internet today, it is almost impossible to know which pieces of it cybercriminals could use to reach more sensitive data, leading to losses of all sorts, not just financial ones.