Coder tries shaming apps and site owners into using HTTPS
Posted on 19 August 2014.
How can we force website owners and software developers to start using HTTPS? Coder Tony Webster believes shaming might be the right answer.

To that point, he created a website titled HTTP Shaming and has started posting examples. He was soon joined by others.

He says that the creation of the site was triggered by an OS X reinstall that reset his user firewall rules, which let him see how many of the apps he uses regularly send out unencrypted data.

"Anyone with network sniffing software can intercept traffic on open wireless networks, and if passwords and personal information are being sent, that attacker now has a lot of bad information that could be used to cause a lot of problems. It's easy for software vendors to blame hardware vendors and for them to blame network operators, when in reality it's everyone's responsibility to provide security for their users," he noted.

"We shouldn't just be concerned about people stealing financial information, it's become clear that employers and government agencies capture and analyze network traffic. We've known about these problems for a long time, and any company still using unencrypted, plaintext HTTP deserves some serious shaming."

"A company intentionally using HTTP isn't a vulnerability, it's a systems design decision — and an obviously terrible one at that. If a company does implement SSL and it's broken or not working, that might actually be a vulnerability," he also pointed out, and added that in that case, responsible disclosure should be the way to go.

The website currently sports over two dozen examples, and some of the posts have already partially achieved their objective.

iStat Menus' vendor Bjango said they will be discussing a change to the way information and updates are sent to and from users, and the company behind popular travel organization site TripIt, which was rebuked for using HTTP to send sensitive information (name, flight details, hotel reservations, etc.), has announced they are "working diligently to move cal(endar) feeds to HTTPS while minimizing disruption for users."

UPDATE: "TripIt's calendar feed has been updated, so we're 100% HTTPS," a spokesperson for the company informed me. "We're reaching out to our customers to let them know about the updated calendar feeds."
