By now, everyone is probably familiar with the “Click it or ticket” campaign, by the National Highway Traffic Safety Administration, with slogans like “Buckle up. It’s the law.”
We need something like that for the web…
It’s crazy how often I run across rather large sites not using HTTPS to protect sensitive data. Most recently, I was on the website of a rather popular vision care company, who is famous for the… crafting of lenses… if you know what I mean… The credentials were served by a page over HTTP and then passed to HTTPS for the actual account management portion. Not good…
Even though the actual account interactions are all happening within their HTTP-based web app, the initial login/registration was on an HTTP page. A simple man-in-the-middle attack would let you inject whatever extra content you want into that main page. At that point, harvesting the login credentials for yourself is quite simple. Though the site is fairly basic and (annoyingly, to me as a customer) doesn’t even offer basic features like checking the status of pending orders, there is still enough there for it to — at the very least — fall under the umbrella of HIPAA.
Thankfully, I won’t need to include screenshots demonstrating how this can be abused… The company in question (and its also-popular sister company) has now moved the website to full HTTPS. That’s good. But there are still countless sites out there that — for whatever reason — still don’t seem to see the need in making the switch to HTTPS. I don’t get it.
At this point, there’s almost no reason not to switch. Thanks to efforts like Let’s Encrypt, it’s now super-easy and free to get a certificate for your site. It’s a no-brainer, really. I just wish there was a better way of getting sites on board without having to resort to HTTP-shaming…