FlyerTalk Forums - View Single Post - Safeguarding your personal data transmitted over hotel internet
Apr 9, 2013 | 1:06 pm   #19
gqZJzU4vusf0Z2,$d7
> HTTPS is a secure end-to-end protocol for web browsing.

NOT necessarily.

There are MANY ways to implement SSL incorrectly. To determine if the website has
correctly implemented SSL, use:

https://www.ssllabs.com

>> padlock icon

RELYING on the little padlock icon in your browser is nuts. More than a few firms
sell appliances that make executing a Man-in-the-Middle (MITM) attack plug & play.
To determine if your current SSL connection is being hijacked by a MITM attack:

https://www.grc.com/fingerprint

So, how many of these SSL-secured websites have substantive problems?
~90% have substantive problems.

https://www.trustworthyinternet.org/ssl-pulse/

A snapshot of several prominent websites that ought to be ashamed:

https://www.transunion.com
https://www.schwab.com
https://www.tdbank.com
https://www.ibm.com <--- gfunkdave reports IBM fixed their two config problems
https://www.yahoo.com

*I* expect better.

> I'm pleasantly surprised that FlyerTalk submits a hash instead of a password.
> This is not a high security application

Yabbut - ~half the population uses the same password for all their logins. Their
password is only as strong as the weakest site's implementation.

FlyerTalk needs to implement security that is of this century. Using MD5 for
password hashing is negligent. Not using salt is negligent.

Use PBKDF2 or scrypt. Use both per-user & site salts.

Last edited by gqZJzU4vusf0Z2,$d7; Apr 9, 2013 at 2:37 pm Reason: merged consecutive posts
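The MITM check the post points at (grc.com/fingerprint) works by comparing the fingerprint of the certificate your own connection receives against the fingerprint seen from a different vantage point; an interception appliance has to substitute its own certificate, so the two fingerprints differ. The following is an added example, not code from the post or from GRC, that computes browser-style fingerprints over DER certificate bytes and compares them in constant time. The function names, the sample PEM (constructed bytes, not a real certificate, so the example runs offline) and the use of Python's standard `ssl` module are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import re
import socket
import ssl

# Constructed sample: NOT a real certificate, just bytes in PEM armour so the
# fingerprint functions can be exercised without a network connection.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-not-a-real-cert").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to DER; fingerprints are
    computed over the DER encoding, which is what the server sends on the wire."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no certificate found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def cert_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Fingerprint in the form browsers display: uppercase hex pairs joined
    by colons (SHA-1 was the common choice in 2013; SHA-256 is also accepted)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept copy-pasted fingerprints with or without colons or spaces."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """Compare the certificate actually presented on this connection against
    a fingerprint obtained out-of-band. A mismatch means something between
    you and the site is terminating TLS and re-signing the certificate."""
    return hmac.compare_digest(normalize(cert_fingerprint(der, algo)), normalize(expected))


def fetch_server_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the network path hands you. Chain
    verification is deliberately disabled: the point is to see whatever is
    presented, an interceptor's certificate included, and fingerprint it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("SHA-1   :", cert_fingerprint(der))
    print("SHA-256 :", cert_fingerprint(der, "sha256"))
    # Live use: compare what you see on the hotel network with a fingerprint
    # obtained elsewhere, e.g. fingerprint_matches(fetch_server_der("example.com"), "AB:CD:...")
```

Usage on the road: take the fingerprint for the site from a trusted network (or a reference service) beforehand, then run `fingerprint_matches(fetch_server_der(host), reference)` on the hotel network; a False result with a padlock still showing is exactly the case the post warns about.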
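To make the password-hashing point concrete: with unsalted MD5, two users who chose the same password get the same hash, so one precomputed lookup cracks both, and a leak from a weak site exposes the reused password everywhere. The following is an added example, not FlyerTalk's code, showing the MD5 scheme the post criticises beside PBKDF2-HMAC-SHA256 with a random per-user salt and a site-wide salt (the "site salt" the post mentions, often called a pepper). The function names, the storage format, the iteration count and the site salt value are assumptions of the example; the site salt must live in configuration, not in the database next to the hashes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed site-wide secret salt. Constructed placeholder for the example;
# in production it comes from config or a secrets store, never the user table.
SITE_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Assumed work factor; tune so one hash costs roughly 100 ms on your servers.
PBKDF2_ITERATIONS = 200_000


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the scheme the post calls negligent. Equal passwords give
    equal hashes, and a single rainbow table covers every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, user_salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 keyed on site salt + per-user salt.
    Returns a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if user_salt is None:
        user_salt = secrets.token_bytes(16)
    # The per-user salt makes equal passwords hash differently and defeats
    # precomputation; the site salt means a dump of the user table alone does
    # not contain everything needed to start cracking.
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), SITE_SALT + user_salt,
        PBKDF2_ITERATIONS, dklen=32,
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${user_salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the comparison itself does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        user_salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), SITE_SALT + user_salt, iterations, dklen=32
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo() -> dict:
    """Two users who picked the same password: MD5 gives them identical
    hashes, the salted PBKDF2 scheme does not, and verification still works."""
    pw = "correcthorse"
    md5_a, md5_b = legacy_md5(pw), legacy_md5(pw)
    pb_a, pb_b = hash_password(pw), hash_password(pw)
    return {
        "md5_identical": md5_a == md5_b,
        "pbkdf2_identical": pb_a == pb_b,
        "verify_ok": verify_password(pw, pb_a),
        "verify_wrong": verify_password("Correcthorse", pb_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the iteration count is stored with each record, so it can be raised later and old records re-hashed at next login; scrypt (`hashlib.scrypt`) can be dropped in the same way if memory-hardness is wanted.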