How can we force website owners and software developers to start using HTTPS? Coder Tony Webster believes shaming might be the right answer.
To that point, he created a website titled HTTP Shaming and has started posting examples. He was soon joined by others.
He says that the creation of the site was triggered by a OS X reinstall that reset his user firewall rules, and which allowed him to see how many apps he uses regularly send out unencrypted data.
“Anyone with network sniffing software can intercept traffic on open wireless networks, and if passwords and personal information is being sent, that attacker now has a lot of bad information that could be used to cause a lot of problems. It’s easy for software vendors to blame hardware vendors and for them to blame network operators, when in reality it’s everyone’s responsibility to provide security for their users,” he noted.
“We shouldn’t just be concerned about people stealing financial information, it’s become clear that employers and government agencies capture and analyze network traffic. We’ve known about these problems for a long time, and any company still using unencrypted, plaintext HTTP deserves some serious shaming.”
“A company intentionally using HTTP isn’t a vulnerability, it’s a systems design decision — and an obviously terrible one at that. If a company does implement SSL and it’s broken or not working, that might actually be a vulnerability,” he also pointed out, and added that in that case, responsible disclosure should be the way to go.
The website currently sports over two dozens examples, and some of the posts have already partially achieved their objective.
iStat Menus’ vendor Bjango said they will be discussing a change to the way information and updates are sent to and from users, and the company behind popular travel organization site TripIt, which was rebuked for using HTTP to send sensitive information (name, flight details, hotel reservations, etc.), has announced they are “working diligently to move cal(endar) feeds to HTTPS while minimizing disruption for users.”
UPDATE: “TripIt’s calendar feed has been updated, so we’re 100% HTTPS,” a spokesperson for the company informed me. “We’re reaching out to our customers to let them know about the updated calendar feeds.”