
Unsecure Sign-in Pages At Web Sites

In a prior post, I listed my personal data New Year's Resolutions for 2008. One of my resolutions is to contact companies I do business with online that have gaps in their data security. Earlier today I contacted NetFlix about their customer sign-in page:

"I would like to inform you that the NetFlix Sign-In page is unsecured. That is, it is http:// when it should be https:// . This is very important since credit card information is attached to my account and to my sign-in information. The work-around I have used to-date has been to click the "Continue" button since your site currently serves up a secure (e.g., https://) Sign In Error page. Then I enter my sign-in information.

While I am generally a satisfied NetFlix customer, this unsecured sign-in page is a big problem. I blog about identity theft and I'd hate to see NetFlix get hit by hackers or identity thieves who might harvest customers' sign-in information from an unsecure sign-in page."

I also sent a similar e-mail to TypePad, the producer of this blogging software. TypePad has a similar problem with an unsecured Member Log-in page. You might want to check the web sites you sign into. While banks and financial institutions are good about providing secure sign-in pages, retailers don't seem to do as good a job.

Also, I've found that the web-savvy companies respond quickly to e-mail inquiries. We'll see how soon TypePad and NetFlix respond to my inquiry.

Comments


George

Still no reply yet from NetFlix. The reply from Typepad Customer Service is listed below. They claim the data is sent securely. I think that most users, like me, would prefer to see an https log-in page since browsers render the secure lock symbol users look for. Typepad's reply to my inquiry:

From: "TypePad"
Sent: Tuesday, January 08, 2008 8:14 PM
Subject: Response to TypePad ticket 'Unsecure Member Log In page'

TypePad Customer Support has responded to your ticket 'Unsecure Member Log In page'. This email notification has been automatically sent by TypePad.

Hi George,

Thanks for the note. The TypePad login information is sent to the secure server and protected. Although the login page URL is http://, the application switches over to https to send your information. Therefore, you will end up with a secure weblog home page (https). You can verify this by viewing the HTML source of the login form.

All account information submitted via the Control Panel area of the application also uses SSL and the URL uses https://. I hope this helps. Please let us know if we may be of further assistance.

Thanks,
Melanie

Lou

Chase Credit Card is the same way, and they don't seem to care. I've emailed them and called them.

George

Lou:

My interim solution... at Typepad I click the "Log-in" button to submit a blank form. Their server responds with an HTTPS error page. Then I enter my log-in information into that secure HTTPS error page. I do something similar at Webshots and NetFlix.

rlwieneke

Webshots has dropped the secure sign in page.
