tioreox.blogg.se

Safeincloud chrome

There are several companies that haven’t been HTTP Shamed, but have been sent responsible disclosures to err on the side of protecting users. SafeInCloud is a simple and practical macOS application specially designed to help you store, edit, manage and organize all your accounts and passwords with ease. There are two companies at present that have reached out to let us know they’re fixing the issues, but asked that we not publish their timeline, which we will of course honor. If all companies handled things like this one, shaming wouldn’t be necessary.

I plan to write about this one, if only to thank them for their reaction and communication – this basically never happens.

They acknowledged our GPG-encrypted email report within hours, followed up with their action plan, and they’re actively working to resolve the issues. An unnamed website that was never posted on HTTP Shaming had a readily-available responsible disclosure policy with a direct security contact and a GPG public key – which is the way to a security researcher’s heart and a great way not to be shamed.

They still are loading HTTPS iframes on an HTTP site which presents a few problems as highlighted in the post, but that’s a much less severe issue that we’ll hope they resolve soon. But, we don’t need an admission, just a fix - and a fix happened. While they claim to have always had HTTPS iframes on an HTTP site, Wireshark told a different story. À la Carte Express is a food delivery service in Montréal that was accepting credit cards over unsecured HTTP.

Still, their work to fix this right away is much appreciated. 1Password immediately moved the site to HTTP and their next extension release will have the button directly loading HTTPS. 1Password is a leader in security practices, and this was incredibly minor (you’re already screwed if your browser has been tampered with). But, if Chrome was mid-update, 1Password would display a dialog box with a troubleshooting link that brought users to an HTTP page that could be forged with malicious user instruction. 1Password’s Chrome extension checks Chrome’s browser signature to make sure it hasn’t been changed before allowing passwords to automatically flow in – which is fantastic.

They’ve finished changing to run entirely on HTTPS.

Safe In Cloud is a password manager with a website on an HTTP site, serving downloads over HTTP.

Scribd has fixed that and is now all-SSL, so everything across the entire site is encrypted. Scribd wasn’t using HTTPS for any login, account creation, or account maintenance pages and passwords were being sent in the clear.

This is a fantastic resolution, and a huge thanks to the TripIt team! They’ve applied fixes already, will be completing a migration to all-HTTPS within weeks, and will be adding direct security contact information on their website in the near future, I’m told. TripIt wasn’t using HTTPS in calendar feeds, and it was exposing detailed travel information insecurely.

We know security is hard, and we truly appreciate their hard work to protect user data. Please consider sending a note of thanks to the following companies and organizations. HTTP Shaming works! The following is a list of websites and applications that HTTP Shaming has featured, but have since fixed or corrected the identified problems.







