What is the deal with not using HTTPS?

If you are running an enterprise application that authenticates a user for any reason, YOU NEED TO USE HTTPS! I’ve been irked lately by the large number of companies that have customers (or users) log into accounts where sensitive data is kept (social security numbers, credit card numbers, etc.), but send the username, password, and session cookie you would need to get at that data over cleartext HTTP.

It’s not like it’s even that hard to do this! Just set up SSL/TLS and, when people get to your login page, redirect them to HTTPS (port 443), and keep them on HTTPS for the rest of the session, because a session cookie sent over plain HTTP is just as good to an eavesdropper as the password was. A somewhat recent study removed the HTTPS from links to see if users would notice that their personal information was not secure, and all of them failed to notice this and still logged in anyway! The same study found that users blindly ignore a large variety of security features that are available to them (some obvious, some not). Companies: people are not going to notice if you lack this security; you need to do it for them!

The other thing that gets me: sites that have SSL set up but don’t redirect to their secure page when users get there! I’m looking at you: Discover Card, Hotmail, Sprint! You all have this shit set up, just do a damn HTTP redirect! When someone goes to http://lamesite.com, just have it take them to https://lamesite.com! It’s one line in your web-server config (a 301 in Apache or nginx), not even a change to the site itself!
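To make the redirect concrete, here is an added example (my code, not anything from the post or from the sites it names): a WSGI middleware that sends every plain-HTTP request to its HTTPS twin with a 301, wrapped around a made-up login page. It also goes one step beyond the post by adding a Strict-Transport-Security header on HTTPS responses, because a redirect alone can be intercepted by an attacker on the path who answers the http:// request before the real server does. The host name lamesite.com, the login page, and the sample requests are all constructed.

```python
# Added example, not code from the original post: a WSGI middleware that does
# the HTTP -> HTTPS redirect the post asks for, applied to an (assumed) login
# page. Host names and the sample requests below are constructed.
from urllib.parse import quote

# Tells browsers to use HTTPS for this host for a year without first asking
# over HTTP. Only sent on HTTPS responses; browsers ignore it over plain HTTP.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000")


def https_location(environ, https_port=443):
    """Build the https:// URL that mirrors the incoming plain-HTTP request,
    keeping path and query so the user lands on the same page."""
    host = (environ.get("HTTP_HOST") or environ["SERVER_NAME"]).split(":", 1)[0]
    if https_port != 443:
        host = f"{host}:{https_port}"
    path = quote(environ.get("PATH_INFO") or "/")  # PATH_INFO is decoded; re-encode it
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def force_https(app, https_port=443):
    """Wrap a WSGI app: every plain-HTTP request gets a 301 to its HTTPS twin,
    every HTTPS response gets the HSTS header. Redirecting all paths, not just
    /login, means the session cookie is never sent in the clear."""
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            def start_with_hsts(status, headers, exc_info=None):
                return start_response(status, list(headers) + [HSTS_HEADER], exc_info)
            return app(environ, start_with_hsts)
        start_response("301 Moved Permanently", [
            ("Location", https_location(environ, https_port)),
            ("Content-Length", "0"),
        ])
        return [b""]
    return wrapped


def login_page(environ, start_response):
    """Stand-in for the site's login form (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b'<form method="post" action="/login">'
            b'<input name="user"><input name="pass" type="password"></form>']


secured_login = force_https(login_page)


def call(app, environ):
    """Drive a WSGI app in-process and return (status, headers dict, body),
    so the redirect can be checked without running a real server."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "lamesite.com",
             "PATH_INFO": "/login", "QUERY_STRING": "next=%2Faccount"}
    status, headers, _ = call(secured_login, plain)
    print(status, "->", headers["Location"])
    # prints: 301 Moved Permanently -> https://lamesite.com/login?next=%2Faccount
```

The same thing at the web-server layer really is one line: in nginx, `return 301 https://$host$request_uri;` inside the port-80 server block; in Apache, `Redirect permanent / https://lamesite.com/` in the port-80 virtual host. Whichever layer you do it at, redirect the whole site rather than only the login URL, so that the cookie issued after login is never carried over HTTP.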

Whew! That will be enough ranting for now. Now I just have to change all my bookmarks so they go to the HTTPS versions of these pages…


2 Responses to What is the deal with not using HTTPS?

  1. undigit says:

    I didn’t even know that Https was possible until you told me about it. I’m definitely going to start doing that.

  2. The problem is that you shouldn’t have to keep a paranoid eye (like you know I do 🙂 ) on these businesses to make sure they’re using HTTPS; they should be doing it for you. You then see the little closed lock icon in your browser and you feel good and safe (ideally). But you know what happens when people get lazy…
