Unsecure Sign-in Pages At Web Sites
Tuesday, January 08, 2008
In a prior post, I listed my personal data New Year's Resolutions for 2008. One of my resolutions is to contact companies I do business with online that have gaps in their data security. Earlier today I contacted NetFlix about their customer sign-in page:
"I would like to inform you that the NetFlix Sign-In page is unsecured. That is, it is http:// when it should be https:// . This is very important since credit card information is attached to my account and to my sign-in information. The work-around I have used to-date has been to click the "Continue" button since your site currently serves up a secure (e.g., https://) Sign In Error page. Then I enter my sign-in information.
While I am generally a satisfied NetFlix customer, this unsecured sign-in page is a big problem. I blog about identity theft and I'd hate to see NetFlix get hit by hackers or identity thieves who might harvest customers' sign-in information from an unsecure sign-in page."
I also sent a similar e-mail to TypePad, the producer of this blogging software. TypePad has a similar problem with an unsecured Member Log-in page. You might want to check the web sites you sign into. While banks and financial institutions are good about providing secure sign-in pages, retailers don't seem to do as good a job.
Also, I've found that the web-savvy companies respond quickly to e-mail inquiries. We'll see how soon TypePad and NetFlix respond to my inquiry.
Still no reply yet from NetFlix. The reply from Typepad Customer Service is listed below. They claim the data is sent securely. I think that most users, like me, would prefer to see an https log-in page since browsers render the secure lock symbol users look for. Typepad's reply to my inquiry:
From: "TypePad"
Sent: Tuesday, January 08, 2008 8:14 PM
Subject: Response to TypePad ticket 'Unsecure Member Log In page'
TypePad Customer Support has responded to your ticket 'Unsecure Member Log In page'. This email notification has been automatically sent by TypePad.
Hi George,
Thanks for the note. The TypePad login information is sent to the secure server and protected. Although the login page URL is http://, the application switches over to https to send your information. Therefore, you will end up with a secure weblog home page (https). You can verify this by viewing the HTML source of the login form.
All account information submitted via the Control Panel area of the application also uses SSL and the URL uses https://. I hope this helps. Please let us know if we may be of further assistance.
Thanks,
Melanie
Posted by: George | Wednesday, January 09, 2008 at 11:13 AM
Chase Credit Card is the same way, and they don't seem to care. I've emailed them and called them.
Posted by: Lou | Sunday, March 09, 2008 at 04:23 PM
Lou:
My interim solution... at Typepad I click the "Log-in" button to submit a blank form. Their server responds with an HTTPS error page. Then I enter my log-in information into that secure HTTPS error page. I do something similar at Webshots and NetFlix.
Posted by: George | Sunday, March 09, 2008 at 07:11 PM
Webshots has dropped the secure sign in page.
Posted by: rlwieneke | Saturday, September 18, 2010 at 01:20 AM