Byzantine Reality

Searching for Byzantine failures in the world around us

What Is the Deal With Not Using HTTPS?

If you are running an enterprise application that authenticates a user for any reason, YOU NEED TO USE HTTPS! I’ve been irked lately by the large number of companies that have customers (or users) log into accounts where highly sensitive data is kept (social security numbers, credit card numbers, etc.), yet send everything you would need to get at that data over cleartext.

It’s not like it’s even that hard to do this! Just set up SSL and when people get to your login page, just redirect them to port 443! A somewhat recent study removed the HTTPS from links to see if users would notice that their personal information was not secure, and all of them failed to notice this and still logged in anyway! They also saw that users blindly ignore a large variety of security features that are available to them (some obvious, some not). Companies: people are not going to notice if you lack this security; you need to do it for them!

The other thing that gets me: when sites have SSL set up but don’t redirect to their secure page when users get there! I’m looking at you: Discover Card, Hotmail, Sprint! You all have this shit set up, just do a damn HTTP redirect! When someone goes to http://lamesite.com, just have it take them to httpS://lamesite.com! It’s one line of HTML!
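As an added example (not code from the post), here is the redirect in its simplest server-side form: a tiny Python listener for the cleartext port that answers every request, including a POSTed login form, with a 301 to the same path on https. The hostname lamesite.com and the port handling are assumptions for illustration.

```python
"""Minimal HTTP -> HTTPS redirector (added example, not from the post).

Anything that arrives over cleartext is bounced to the HTTPS origin with the
same path and query string, so no login form is ever processed over HTTP.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def https_location(host_header: str, path: str) -> str:
    """Build the https:// URL for a cleartext request.

    Any explicit port in the Host header (e.g. "lamesite.com:8080") is
    dropped so the redirect lands on the default HTTPS port 443. A bare
    IPv6 literal like "[::1]" has no port and is kept as-is.
    """
    host = host_header.strip()
    if ":" in host and not host.endswith("]"):
        host = host.rsplit(":", 1)[0]
    return f"https://{host}{path}"


class RedirectHandler(BaseHTTPRequestHandler):
    """Answer every method with 301 -> https. POST bodies are never read or
    acted on: a credential form posted in cleartext is redirected, not logged in.
    (HSTS must be sent by the HTTPS side; browsers ignore it over plain HTTP.)"""

    def do_GET(self):
        location = https_location(self.headers.get("Host", "localhost"), self.path)
        self.send_response(301)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_POST = do_GET

    def log_message(self, *args):  # keep the example quiet
        pass


def start_redirector(port: int = 0) -> ThreadingHTTPServer:
    """Start the redirector on 127.0.0.1 (port 0 = pick a free port)."""
    server = ThreadingHTTPServer(("127.0.0.1", port), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_redirect(port: int, host_header: str, path: str, method: str = "GET"):
    """Client-side check: return (status, Location) for a cleartext request."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers={"Host": host_header})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")
```

Run `start_redirector(8080)` and browse to http://127.0.0.1:8080/login with a Host header of your choice; `fetch_redirect` is the same check scripted, handy for confirming a production site's port 80 behaves this way.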

Whew! That will be enough ranting for now. Now I just have to change all my bookmarks so they go to the HTTPS versions of these pages…