- Dec 30, 2012
- 4,809
Appropriately named HTTP Shaming IDs apps and Web services operating without encryption.
The amount of personal data traveling to and from the Internet has exploded, yet many applications and services continue to put user information at risk by not encrypting data sent over wireless networks. Software engineer Tony Webster has a classic solution—shame.
Webster decided to see if a little public humiliation could convince companies to better secure their customers' information. On Saturday, the consultant created a website, HTTP Shaming, and began posting cases of insecure communications, calling out businesses that send their customers' personal information to the Internet without encrypting it first.
One high-profile example includes well-liked travel-information firm TripIt. TripIt allows users to bring together information on their tickets, flight times, and itinerary and then sync it with other devices and share the information with friends and co-workers. Information shared with calendar applications, however, is not encrypted, Webster says, leaving it open to eavesdropping on public networks. Among the details that could be plucked from the air by anyone on the same wireless network: a user's full name, phone number, e-mail address, the last four digits of a credit card number, and emergency contact information. An attacker could even change or cancel the victim's flight, he says.
So far, TripIt and 18 other applications and services have made the shaming list, many submitted by other people fed up with the security missteps of companies, Webster says.
"I've kind of been overwhelmed in a sad but also in a good way with the number of submissions," he says. "Some of them are fairly benign, but I've gotten some that are quite concerning to me, especially those that relate to financial details."
Further Reading
The amount of personal data traveling to and from the Internet has exploded, yet many applications and services continue to put user information at risk by not encrypting data sent over wireless networks. Software engineer Tony Webster has a classic solution—shame.
Webster decided to see if a little public humiliation could convince companies to better secure their customers' information. On Saturday, the consultant created a website, HTTP Shaming, and began posting cases of insecure communications, calling out businesses that send their customers' personal information to the Internet without encrypting it first.
One high-profile example includes well-liked travel-information firm TripIt. TripIt allows users to bring together information on their tickets, flight times, and itinerary and then sync it with other devices and share the information with friends and co-workers. Information shared with calendar applications, however, is not encrypted, Webster says, leaving it open to eavesdropping on public networks. Among the details that could be plucked from the air by anyone on the same wireless network: a user's full name, phone number, e-mail address, the last four digits of a credit card number, and emergency contact information. An attacker could even change or cancel the victim's flight, he says.
So far, TripIt and 18 other applications and services have made the shaming list, many submitted by other people fed up with the security missteps of companies, Webster says.
"I've kind of been overwhelmed in a sad but also in a good way with the number of submissions," he says. "Some of them are fairly benign, but I've gotten some that are quite concerning to me, especially those that relate to financial details."
Further Reading
