Appropriately named HTTP Shaming IDs apps and Web services operating without encryption.
by Robert Lemos
The amount of personal data traveling to and from the Internet has exploded, yet many applications and services continue to put user information at risk by not encrypting data sent over wireless networks. Software engineer Tony Webster has a classic solution—shame.
Webster decided to see if a little public humiliation could convince companies to better secure their customers’ information. On Saturday, the consultant created a website, HTTP Shaming, and began posting cases of insecure communications, calling out businesses that send their customers’ personal information to the Internet without encrypting it first.
One high-profile example is the popular travel-information firm TripIt. TripIt lets users bring together information on their tickets, flight times, and itinerary, then sync it with other devices and share it with friends and co-workers. The calendar feeds it publishes for calendar applications, however, are served without encryption, Webster says, leaving them open to eavesdropping on public networks. Among the details that could be plucked from the air by anyone on the same wireless network: a user’s full name, phone number, e-mail address, the last four digits of a credit card number, and emergency contact information. An attacker could even change or cancel the victim’s flight, he says.
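To make the calendar-feed problem concrete, the following added example (written for this page, not code from TripIt, HTTP Shaming, or Ars) simulates what a passive observer on a shared wireless network sees when a calendar client pulls an iCalendar feed over plain HTTP. The feed body, the names and numbers in it, and the field layout are all constructed for illustration and are not any vendor's real format; the HTTP framing and the RFC 5545 line-folding rules are real. It also includes a small check for the root cause (an `http://` or `webcal://` subscription URL), on the assumption that calendar clients rewrite `webcal://` to `http://`.

```python
import re
from urllib.parse import urlparse

# Constructed iCalendar feed, loosely modelled on a travel-itinerary export.
# Every name, number and address here is invented; the DESCRIPTION layout is an
# assumption for the example, not a real vendor's format. Lines beginning with a
# single space are RFC 5545 "folded" continuation lines.
FEED_BODY = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//example-travel//itinerary feed//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:trip-7f3a@example-travel.invalid\r\n"
    "DTSTART:20140815T141000Z\r\n"
    "SUMMARY:Flight XY123 SFO to JFK\r\n"
    "DESCRIPTION:Traveler: Jane Q. Example\\nPhone: +1-555-0100\\n\r\n"
    " Email: jane@example.invalid\\nCard ending: 4242\\n\r\n"
    " Emergency contact: Bob Example +1-555-0199\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)


def build_cleartext_response(body):
    """Frame the feed as an HTTP/1.1 server would send it, byte for byte
    visible to anyone sniffing the wireless segment."""
    payload = body.encode("utf-8")
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/calendar; charset=utf-8\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + payload


# The "capture": what an eavesdropper's sniffer would reassemble from the TCP stream.
CAPTURED_RESPONSE = build_cleartext_response(FEED_BODY)


def split_http_response(raw):
    """Separate status line and headers from the body; honour Content-Length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return headers, body[:length]


def unfold_ical(text):
    """Undo RFC 5545 line folding: a line starting with SP or HTAB continues
    the previous content line."""
    out = []
    for line in text.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_events(body):
    """Minimal VEVENT parser: returns one dict of properties per event."""
    events, current = [], None
    for line in unfold_ical(body):
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].upper()  # drop property parameters
        if name == "BEGIN" and value == "VEVENT":
            current = {}
        elif name == "END" and value == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None:
            current[name] = value.replace("\\n", "\n")
    return events


# Patterns an eavesdropper (or an auditor) would run over the free-text fields.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d-]{7,}\d"),
    "card_last4": re.compile(r"Card ending:\s*(\d{4})"),
}


def extract_pii(events):
    found = {kind: set() for kind in PII_PATTERNS}
    for event in events:
        for field in ("SUMMARY", "DESCRIPTION", "LOCATION"):
            text = event.get(field, "")
            for kind, pattern in PII_PATTERNS.items():
                for match in pattern.finditer(text):
                    found[kind].add(match.group(match.lastindex or 0))
    return {kind: sorted(values) for kind, values in found.items()}


def eavesdrop(raw):
    """Everything a passive observer learns from one cleartext feed fetch."""
    headers, body = split_http_response(raw)
    if not headers.get("content-type", "").startswith("text/calendar"):
        return {}
    return extract_pii(parse_events(body.decode("utf-8")))


def feed_url_is_exposed(url):
    """True when the subscription URL will be fetched in cleartext. Assumption:
    clients rewrite webcal:// to http:// (and webcals:// to https://)."""
    return urlparse(url).scheme.lower() in ("http", "webcal")


if __name__ == "__main__":
    print(eavesdrop(CAPTURED_RESPONSE))
    print(feed_url_is_exposed("webcal://feeds.example.invalid/ical/abc.ics"))
```

The fix the article is asking for is visible in `feed_url_is_exposed`: serve the feed only over `https://` (or `webcals://`) so that `split_http_response` never sees the body at all. Note that HTTPS alone does not stop a recipient of the feed URL from reading it; the feed token in the URL is still the only credential, which is why TripIt-style feeds also need unguessable, revocable URLs.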
So far, TripIt and 18 other applications and services have made the shaming list, many submitted by other people fed up with the security missteps of companies, Webster says.
“I’ve kind of been overwhelmed in a sad but also in a good way with the number of submissions,” he says. “Some of them are fairly benign, but I’ve gotten some that are quite concerning to me, especially those that relate to financial details.”
Webster will not publish information on the more critical cases, opting instead to reach out first to the vendors, he says.
The lax security of mobile applications and Web services is nothing new. In July, application-management firm Appthority noted that about four out of every five mobile apps did something that put the user’s data at risk, including tracking location, collecting data on the user, and sending information to social networks or advertising affiliates. In January, a researcher at security firm IOActive found that 36 out of 40 banking applications had some unencrypted links.
Worse, many companies do not use the secure version of the Web protocol, known as HTTPS, to protect their data. Out of 2,100 mobile applications from 600 companies, 18 percent did not encrypt data communications, according to HP research published in December 2013. In a separate study of the top 100 e-commerce sites, consultancy High-Tech Bridge found that 73 did not use HTTPS for non-critical data and only two stores required HTTPS for everyone who connected. In total, only 28 percent of the more than 150,000 websites surveyed by SSL Pulse got an “A” for their deployment of Secure Sockets Layer (SSL), the encryption layer underneath HTTPS.
Those numbers are concerning, Webster says.
“It seems ridiculous to me that in 2014 we are still sending unencrypted data over the air,” he says. “And there is no reason, in my mind, why all websites and mobile apps should not be using HTTPS.”
Equally concerning to Webster is the lack of response from many of the companies he has contacted about the problems. He first contacted TripIt, for example, in November 2013 and did not get a response. Late on Monday, the company responded to a request for comment from Ars, and also to the growing number of posts aimed at its Twitter account.
“We’re working diligently to move our calendar feeds to HTTPS while minimizing disruption for our users,” a spokesperson said. “We take customer feedback very seriously and appreciate our users taking the time to reach out.”