It’s no secret that far too many online businesses cut security corners. Software engineer Tony Webster decided to make sure that it truly was no secret and did so by creating a site specifically designed to embarrass and shame such sites into tightening consumer data protections.
His site, called HTTP Shaming, talks about sites that are delivering inadequate security. First on his hit list? “Calling out businesses that send their customers’ personal information to the Internet without encrypting it first,” reported ARS Technica.
The publication cited a few especially intense examples. “One high-profile example includes well-liked travel-information firm TripIt. TripIt allows users to bring together information on their tickets, flight times, and itinerary and then sync it with other devices and share the information with friends and co-workers. Information shared with calendar applications, however, is not encrypted, Webster says, leaving it open to eavesdropping on public networks,” the story said. “Among the details that could be plucked from the air by anyone on the same wireless network: a user’s full name, phone number, e-mail address, the last four digits of a credit card number, and emergency contact information. An attacker could even change or cancel the victim’s flight.”
“It seems ridiculous to me that in 2014 we are still sending unencrypted data over the air,” Webster said. “And there is no reason, in my mind, why all websites and mobile apps should not be using HTTPS.”
The initial naughty list includes 19 applications and services, but new submissions could easily boost that number. Webster said that he “will not publish information on the more critical cases, opting instead to reach out first to the vendors,” the story reported.