The web trying to improve data security

August 19, 2014

The quality and quantity of data security by organisations in Australia is, anecdotally, quite poor.  The common law and statutory regulation remain inadequate in changing the attitude of organisations so that they take the appropriate technological and cultural steps to properly protect personal information.  Given the potential reputational consequences of data breaches, as well as the liability issues, one would have thought that having adequate data protection systems would be proper business practice.  There may be costs involved, but generally they are not that significant.  Encrypting personal information, both in transit and at rest, is a good and relatively cheap first step.

Data insecurity is bad for the web, and that seems to have inspired HTTP Shaming, a blog that identifies and embarrasses websites and apps with inadequate security.  The Age covers it in Web fights back against poor security.

It provides:

The web is fighting back against websites and apps that do not use encryption.

Such services are considered to have good security when they implement a technology known as Transport Layer Security or Secure Sockets Layer (SSL), which encrypts traffic between an end user and the site. Google, Twitter, Facebook and banks are good examples of this practice.

But many apps and sites implement it incorrectly or do not use it at all, leaving personal information at risk of being seen over unsecured connections, like public Wi-Fi. In such cases, a hacker using “sniffing” tools is able to snoop on the traffic, steal personal information and use it to hack into your online accounts.

Enter HTTP Shaming, a Tumblr blog launched at the weekend that is naming and shaming websites and apps that are not doing the right thing by their users.

Created by US software engineer Tony Webster, the site already lists a number of popular websites and apps that are not doing encryption properly, including Tripit, Scribd and Meetup.

Mr Webster is hoping that highlighting poor security in services will result in their owners implementing better security. The engineer is also taking submissions for the blog from members of the public.

“When that traffic goes over an open Wi-Fi network, it’s not encrypted unless the website or app is using SSL,” Mr Webster said. SSL is displayed as the “s” in https before a web address and is typically accompanied by a golden padlock, but this is not displayed as a symbol in apps on smartphones.

“Anyone with network sniffing software can intercept traffic on open wireless networks and, if passwords and personal information is being sent, that attacker now has a lot of … information that could be used to cause a lot of problems,” Mr Webster said.

At the end of the day, he said it was “so easy” to implement encryption that web services should be doing it for the privacy of their users.

“I bet it will take less time to implement SSL [encryption] than it will take to argue with someone you’ve never met on the internet,” he joked.

Implementing encryption for an app or website generally requires a company to buy an SSL certificate, which can cost as little as $5. It then requires administrators to install it onto their web server and integrate it correctly with their website or app’s source code, which requires some time.

Australian security researcher Troy Hunt said HTTP Shaming reminded him of another website, which has accused a number of government agencies, companies and others of storing their users’ passwords in plain text without encryption.

Launched three years ago, it has shamed several hundred sites, including Pizza Hut, The Good Guys, Kennards, A03, Australia IT, Moshtix, BigPond and the Australian Taxation Office.

“We’re tired of websites abusing our trust and storing our passwords in plaintext, exposing us to danger. Here we put websites we believe to be practising this to shame,” the site states.

Chris Gatford, director of Sydney IT security firm HackLabs, said the HTTP Shaming blog was a “great idea” for securing the web.

“Unfortunately pointing out issues in a public way often is the only way to get a company to take action and make a change,” he said.

Independent Australian security researcher Nik Cubrilovic, of Wollongong, agreed.

“Moving the web to [encryption] by default is long overdue,” he said. “With users being more connected from more devices using more networks than ever (think shopping centre Wi-Fi), the risk has never been higher. The threat is not just personal information exposed but information over the wire in the clear includes your session cookies and network profiling data.”

Session cookies – temporary files that keep you logged into a website or app – can be used to hijack your web session with a service. So even if a hacker was not sniffing a connection at the time you logged in to grab your credentials, they can still log into the site you are on as you if they capture your session cookie, as was demonstrated with a simple browser plug-in in 2010.

Mr Cubrilovic also pointed to a recent decision by Google to prioritise websites that use encryption in search results.

“Shaming remaining sites to move [to encryption] is the latest step [to secure the web],” he said.

Mr Hunt said he saw no legal repercussions with sites like HTTP Shaming.

“I see no adverse legal outcome from this, it’s merely observing the obvious and the site serves more as a ‘name and shame’ than it does as a resource for attackers who would still need to mount a ‘man in the middle attack’ in order to take advantage of the risk,” he said.

“Where I believe the site is doing a good service is bringing insufficient implementations of HTTPS to light. I very frequently see cases like this where the site has been concerned enough to purchase an SSL certificate, enable it on the site and implement the code to use it, but by doing so improperly they render it nearly useless.”

He recently highlighted on his blog a number of sites he found were implementing SSL incorrectly, including Woolworths, GoDaddy, Pandora and the Financial Times.

Mr Hunt also singled out poor encryption in Hoyts’ mobile site in a separate post. Several days later, he updated the post saying Hoyts had fixed the issue.
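The two failure modes the article describes, a session cookie that travels in the clear and an HTTPS deployment that is "nearly useless" because it is incomplete, can both be spotted from a site's own response headers. The following is an added example written for this post, not code from The Age, HTTP Shaming or any of the researchers quoted; it audits a handful of constructed HTTP responses (the `secure.example` and `leaky.example` hosts and their headers are invented for illustration) for the checks a practitioner would run first: a session cookie set without the `Secure` flag (a browser will then also send it over plain http, where an open-Wi-Fi sniffer can read and replay it), a session cookie without `HttpOnly`, a plain-http page that is served rather than redirected to https, and an https response with no `Strict-Transport-Security` header, which leaves the first request of every visit open to being downgraded.

```python
import re
from dataclasses import dataclass

# Cookie names that usually carry the login session; heuristic, adjust per site.
SESSION_NAMES = re.compile(r"(sess|sid|auth|token|login)", re.I)


@dataclass
class Finding:
    url: str
    issue: str


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...]).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(url: str, raw: str) -> list:
    """Return the list of Finding objects for one captured response."""
    status, headers = parse_response(raw)
    findings = []
    is_https = url.lower().startswith("https://")
    location = next((v for n, v in headers if n == "location"), "")

    # 1. Plain http must bounce straight to https, never serve content.
    if not is_https:
        redirected = status in (301, 302, 307, 308) and location.lower().startswith("https://")
        if not redirected:
            findings.append(Finding(url, "served over plain http without redirect to https"))

    # 2. Session cookies need Secure (never sent over http) and HttpOnly (not readable by script).
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        if not SESSION_NAMES.search(cookie_name):
            continue  # e.g. a language preference cookie is not worth protecting
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(Finding(url, f"session cookie {cookie_name!r} lacks Secure flag"))
        if "httponly" not in attrs:
            findings.append(Finding(url, f"session cookie {cookie_name!r} lacks HttpOnly flag"))

    # 3. An https site without HSTS still lets a first, plain-http request be intercepted.
    if is_https and not any(n == "strict-transport-security" for n, _ in headers):
        findings.append(Finding(url, "no Strict-Transport-Security header"))
    return findings


# Constructed sample captures (invented hosts and headers, not real sites).
SAMPLES = {
    "https://secure.example/login":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
        "Set-Cookie: lang=en; Path=/\r\n\r\n<html>",
    "https://leaky.example/login":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: PHPSESSID=deadbeef; Path=/\r\n\r\n<html>",
    "http://leaky.example/account":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "http://secure.example/":
        "HTTP/1.1 301 Moved Permanently\r\nLocation: https://secure.example/\r\n\r\n",
}


def audit_samples() -> dict:
    """Audit every sample; returns {url: [issue, ...]}."""
    return {url: [f.issue for f in audit(url, raw)] for url, raw in SAMPLES.items()}


if __name__ == "__main__":
    for url, issues in audit_samples().items():
        print(url, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Run against live sites the same checks apply to `curl -sI` output; the point of the example is that a site can have paid for and installed a certificate and still fail every one of these, which is exactly the class of "insufficient implementation" Hunt describes.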
