
Website uses passwords, no SSL encryption

  • 16-06-2014 10:45pm
    #1
    Registered Users Posts: 26


    Hello all, I am not a very tech/security savvy person but I am using a website for a local service in my area which uses passwords. The site does not use SSL and is not encrypted; this concerns me. Should I talk to them about my concerns? A host of other information would be stored in the accounts section: name, address, DOB, phone number etc.


Comments

  • Registered Users, Registered Users 2 Posts: 10,848 ✭✭✭✭28064212


    I'd delete your account, remove everything you can from it, and send a complaint in, mentioning that you won't use their site until they get proper security. Capturing non-SSL traffic (including your password) is trivial




  • Registered Users, Registered Users 2 Posts: 51,054 ✭✭✭✭Professey Chin


    It's disturbing how many sites still don't use it. Saw a site a while ago looking for credit card details on a standard http page :/


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    The information may be submitted over HTTPS from a HTTP page (e.g. like the boards.ie home page with the login banner up the top right).

    What's the site?


  • Registered Users Posts: 26 GrewUS


    Khannie wrote: »
    The information may be submitted over HTTPS from a HTTP page (e.g. like the boards.ie home page with the login banner up the top right).

    What's the site?

    It's my local golf course so don't want to share the link. Have run a test on a site that detects SSL certs and the site has no encryption. Main concern is I use the same password for many many other websites. Also the information on the account could be used for other malicious purposes.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    GrewUS wrote: »
    It's my local golf course

    Ah right. That explains everything, so.


  • Registered Users Posts: 26 GrewUS


    Khannie wrote: »
    Ah right. That explains everything, so.

    Still not good enough for a club with a thousand members....


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I agree, but trying to change anything based on security concerns at a golf club level is going to be pissing against the wind, tbh.


  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    They should tidy that up, every little bit helps these days.

    I had a look at it - lucky it's far from my thing disrupting things and grabbing info


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    GrewUS wrote: »
    Main concern is I use the same password for many many other websites.

    Always worthy to salt your life-passwords with something variable - even something from the site itself - saves on automated crap happening if their site is compromised.


  • Registered Users Posts: 66 ✭✭CathalC2011


    GrewUS wrote: »
    Still not good enough for a club with a thousand members....

    Realistically, nobody's gonna be sitting in the lobby sniffing passwords all day. Then again, SSL is dirt cheap to have verified.


  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    Realistically, nobody's gonna be sitting in the lobby sniffing passwords all day. Then again, SSL is dirt cheap to have verified.

    Perhaps I'm reading your response wrong... or even the OP but from my understanding this is a public facing website and not an intranet based site. If so, you don't need to be in their lobby.


  • Registered Users Posts: 66 ✭✭CathalC2011


    Kinet1c wrote: »
    Perhaps I'm reading your response wrong... or even the OP but from my understanding this is a public facing website and not an intranet based site. If so, you don't need to be in their lobby.

    You read it right - I just misunderstood. Yah OP get on to them.

    Off topic, does internet traffic apply under the DPA's "collection and processing of personal data"? I've been wondering that for a while.


  • Registered Users, Registered Users 2 Posts: 203 ✭✭industrialhorse


    You read it right - I just misunderstood. Yah OP get on to them.

    Off topic, does internet traffic apply under the DPA's "collection and processing of personal data"? I've been wondering that for a while.

    http://www.dataprotection.ie/docs/Guidance_Note_on_Data_Protection_in_the_Electronic_Communica/1152.htm#5a


    5. Traffic Data

    5a. Retention


    The Regulations provide that "traffic data" – details of the calls, emails, text messages, fax messages, internet access via an IP address made by subscribers (excluding content) – may only be retained by the service provider for as long as necessary to enable bills and telecommunications providers interconnect payments to be settled and to meet specific legal requirements.

    In applying this rule in practice, electronic communications service providers should be mindful of the strong privacy impact of logging such details. They should only store such privacy-sensitive data for a limited period to enable routine billing queries to be addressed, to satisfy the obligations in interconnect agreements and to meet legal requirements (notably the retention obligations set out in the Communications (Retention of Data) Act 2011).

    Details of traffic data relating to subscribers should not routinely be kept for longer periods. However, it is permissible to retain such data for longer periods if –

    - the particular subscriber has queried his or her bill, and the data need to be retained to enable the query or dispute to be resolved
    - there is some other legitimate reason to believe that a query or dispute is likely to arise in a particular case

    5b. Itemised Bills

    Subscribers also have the right not to receive detailed itemised bills, if they wish, as an extra step to safeguard their privacy.

    5c. Use of Traffic Data

    Prior consent is required if a service provider wishes to use traffic data for the purpose of marketing its own electronic communication services or for the provision of value added services. The subscriber must be informed in advance of the types of traffic data to be used, how long it will be used for and be given the possibility to withdraw at any time the consent they may have given for the use of their traffic data. A user must be informed of the means by which they can withdraw their consent.

