Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Websites uses passwords NO SSL Encryption

  • 16-06-2014 9:45pm
    #1
    Registered Users, Registered Users 2 Posts: 26


    Hello all, I am not a very tech/secuirty savy person but I am using a website for a local service in my area which uses passwords the site does not use ssl and is not encryped this concerns me. Should I talk to them about my concerns? A host of other information would be stored in the accounts section name, address, DOB, phone number etc


Comments

  • Registered Users, Registered Users 2 Posts: 10,906 ✭✭✭✭28064212


    I'd delete your account, remove everything you can from it, and send a complaint in, mentioning that you won't use their site until they get proper security. Capturing non-SSL traffic (including your password) is trivial

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Registered Users, Registered Users 2 Posts: 51,054 ✭✭✭✭Professey Chin


    Its disturbing how many sites still dont use it. Saw a site a while ago looking for credit card details on a standard http page :/


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    The information may be submitted over HTTPS from a HTTP page (e.g. like the boards.ie home page with the login banner up the top right).

    What's the site?


  • Registered Users, Registered Users 2 Posts: 26 GrewUS


    Khannie wrote: »
    The information may be submitted over HTTPS from a HTTP page (e.g. like the boards.ie home page with the login banner up the top right).

    What's the site?

    It's my local golf course so don't want to share the link. Have ran a test on a site that detects SSL cents and the site has no encryption. Main concern is I use the same password for many many other websites. Also the information on the account could be used for other mallious purposes


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    GrewUS wrote: »
    It's my local golf course

    Ah right. That explains everything, so.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 26 GrewUS


    Khannie wrote: »
    Ah right. That explains everything, so.

    Still not good enough for a club with a thousand members....


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I agree, but trying to change anything based on security concerns at a golf club level is going to be pissing against the wind, tbh.


  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    They should tidy that up, every little bit helps these days.

    I had a look at it - lucky its far from my thing disrupting things and grabbing info


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    GrewUS wrote: »
    Main concern is I use the same password for many many other websites.

    Always worthy to salt your life-passwords with something variable - even something from the site itself - saves on automated crap happening if their site is compromised.


  • Registered Users, Registered Users 2 Posts: 66 ✭✭CathalC2011


    GrewUS wrote: »
    Still not good enough for a club with a thousand members....

    Realistically, nobody's gonna be sitting in the lobby sniffing passwords all day. Then again, SSL is dirt cheap to have verified.


  • Advertisement
  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    Realistically, nobody's gonna be sitting in the lobby sniffing passwords all day. Then again, SSL is dirt cheap to have verified.

    Perhaps I'm reading your response wrong... or even the OP but from my understanding this is a public facing website and not an intranet based site. If so, you don't need to be in there lobby.


  • Registered Users, Registered Users 2 Posts: 66 ✭✭CathalC2011


    Kinet1c wrote: »
    Perhaps I'm reading your response wrong... or even the OP but from my understanding this is a public facing website and not an intranet based site. If so, you don't need to be in there lobby.

    You read it right - I just misunderstood. Yah OP get on to them.

    Off topic, does internet traffic apply under the DPA's "collection and processing of personal data"? I've been wondering that for a while.


  • Registered Users, Registered Users 2 Posts: 203 ✭✭industrialhorse


    You read it right - I just misunderstood. Yah OP get on to them.

    Off topic, does internet traffic apply under the DPA's "collection and processing of personal data"? I've been wondering that for a while.

    http://www.dataprotection.ie/docs/Guidance_Note_on_Data_Protection_in_the_Electronic_Communica/1152.htm#5a


    5. Traffic Data

    5a. Retention


    The Regulations provide that "traffic data" – details of the calls, emails, text messages, fax messages, internet access via an IP address made by subscribers (excluding content) – may only be retained by the service provider for as long as necessary to enable bills and telecommunications providers interconnect payments to be settled and to meet specific legal requirements.

    In applying this rule in practice, electronic communications service providers should be mindful of the strong privacy impact of logging such details. They should only store such privacy-sensitive data for a limited period to enable routine billing queries to be addressed, to satisfy the obligations in interconnect agreements and to meet legal requirements (notably the retention obligations set out in the Communications (Retention of Data) Act 2011.

    Details of traffic data relating to subscribers should not routinely be kept for longer periods. However, it is permissible to retain such data for longer periods if –

    - the particular subscriber has queried his or her bill, and the data need to be retained to enable the query or dispute to be resolved
    - there is some other legitimate reason to believe that a query or dispute is likely to arise in a particular case

    5b. Itemised Bills

    Subscribers also have the right not to receive detailed itemised bills, if they wish, as an extra step to safeguard their privacy.

    5c. Use of Traffic Data

    Prior consent is required if a service provider wishes to use traffic data for the purpose of marketing its own electronic communication services or for the provision of value added services. The subscriber must be informed in advance of the types of traffic data to be used, how long it will be used for and be given the possibility to withdraw at any time the consent they may have given for the use of their traffic data. A user must be informed of the means by which they can withdraw their consent.


Advertisement