
FTC: Do SSL properly or we'll shove a microscope up you for decades

The US Federal Trade Commission (FTC) has forged settlement deals with a pair of companies accused of botching their SSL encryption and leaving people vulnerable to identity thieves. According to the watchdog, Fandango and Credit Karma failed to implement basic safeguards when sending highly sensitive personal information over …

COMMENTS


Make Lemonade

Re-do the validation, then change your advertising to proclaim "Security audited by the FTC". Not many of their competitors could claim that! :-)


Re: Make Lemonade

You nailed it. I was actually thinking that these two companies could be a first choice because of that guarantee.


Re: Make Lemonade

Security validated by the FTC, subject to NSA exclusions.

Anonymous Coward

Wouldn't it be even more secure if they didn't allow Wi-Fi connections to be used? It would make sniffing the traffic much harder as they would need to hack the mobile carrier in the process.


Many iOS devices only have wi-fi.

It's WiFi only for ...

1) Everyone with an iPod Touch.

2) Everyone with an iPad that's WiFi only.

3) Everyone with an iPhone with talk/text only plan (yes they exist now).

4) Everyone on a pay as you go plan who hit their cellular data limit.

5) Everyone where there is wifi but no/poor cell phone reception.

Even if it made business sense (which it doesn't), I don't think Apple would approve a cellular-data-only app ... it wouldn't meet their standards.

SSL validation works and 100% solves this problem; they just got careless and skipped it.


Re: Many iOS devices only have wi-fi.

The fact that it's possible to skip it, let alone to skip it by being careless rather than malicious, doesn't say much for the platform's standard libraries.


Re: Many iOS devices only have wi-fi.

@Vincent Ballard: you can authenticate the connection after it has been established (see channel bonding) so the library should allow for that

it shouldn't be the default, of course


Re: Many iOS devices only have wi-fi.

Just to be complete, add "Everyone with a wifi-only Android tablet."

Just sayin', the article notes that it's not just iOS.


Uh, yeah

I expect that it's not really allowed to use the FTC and their interest in your affairs when you advertise. But who knows. Any other companies got that history?


Re: Uh, yeah

Well, what Paul suggested is simply to say exactly what is happening. There need not be mention of endorsement of any kind. I wonder though, does the FTC publish a list of all the companies they've checked? If not, we can never be sure about the "unmonitored" ones.


no punishment as usual

They failed security and all the FTC does is force them to implement the security measures they should have implemented 4 years ago.


We talk about sophisticated hacking

We talk about sophisticated hacking and cackle at the latest boneheaded vulnerabilities, but it's really the low hanging fruit, the forgetting to lock the door of your car, kind of idiocy that is still the biggest problem.


It's a funny old world

One government department exploits weaknesses, the other punishes them!

hj

Re: It's a funny old world

They do this for the NSA, their scripts fail if SSL is not implemented correctly.


Very suspicious...

Credit Karma had long been advertising with Little Old Grandma and Grandpa caricatures, with glasses and cane, as they complain about "free credit score sites" that want credit card info so they can charge you after the trial period. Which Credit Karma doesn't do, it's free always.

So how do they make money?

Thus it's marketed as something no-fuss that old people should have, or their kids should sign them up for, so they can stop worrying and get back to surfing for elder lesbo flicks.

I seem to remember one of the oldest internet tricks is to lure the old folk with promises of safety and security to get the info to rob them blind.

Are we sure this lack of security with sensitive personal info was accidental?


Does this also cover goto fail implementations?

Anonymous Coward

It's not just these guys.....

We have recently completed penetration tests on a number of apps delivered by vendors such as SAP and others, who also failed to validate the certificates used to secure TLS connections, both from a revocation perspective, and if it was from the expected supplier.

Trust the maths.....

Don't trust the implementation....

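The failure described in this comment and in the earlier "SSL validation works and 100% solves this problem" reply (a client that skips certificate validation), together with the "authenticate the connection after it has been established" approach raised in the same thread, shown as an added example in Go. This is not code from the article, from any commenter, or from either company's apps. It starts an in-process HTTPS server that presents a self-signed certificate (exactly what an intercepting hotspot would hand a victim) and tries the same request with several client configurations; the server, the "ssn=..." payload and the pinned fingerprint are all constructed for the demonstration. Revocation checking, which the pentester mentions, is not covered here.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// startServer runs an in-process HTTPS server. httptest generates a
// self-signed certificate for it, which is what an attacker's
// interception proxy would present: a cert no public CA ever issued.
func startServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ssn=123-45-6789") // constructed sample payload
	}))
}

// fetch performs one GET over TLS with the given client config and
// returns the body, or the error that stopped the request.
func fetch(url string, cfg *tls.Config) (string, error) {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// InsecureConfig disables certificate validation entirely: the
// "skipped it" mistake the settlements are about. Any certificate,
// including one minted on the spot by a hotspot operator, is accepted.
func InsecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// DefaultConfig is what you get by leaving the config empty: the chain
// is verified against the system root store and the hostname is checked.
func DefaultConfig() *tls.Config { return &tls.Config{} }

// PinnedConfig trusts only the given certificate (a private CA or a
// pinned leaf) while still performing hostname verification.
func PinnedConfig(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool}
}

// FingerprintConfig is the "authenticate after the handshake" style:
// chain building is skipped, but the connection is rejected unless the
// leaf certificate's SHA-256 fingerprint matches the expected value.
func FingerprintConfig(expected [sha256.Size]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // verification is done by the callback below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no peer certificate presented")
			}
			got := sha256.Sum256(rawCerts[0])
			if subtle.ConstantTimeCompare(got[:], expected[:]) != 1 {
				return fmt.Errorf("certificate fingerprint %x is not pinned", got)
			}
			return nil
		},
	}
}

// Outcome records which client configuration accepted the server.
type Outcome struct {
	Insecure, SystemRoots, Pinned, PinnedWrongName, Fingerprint, WrongFingerprint bool
}

// RunScenarios exercises each configuration against the test server.
func RunScenarios() Outcome {
	srv := startServer()
	defer srv.Close()
	cert := srv.Certificate()

	wrongName := PinnedConfig(cert)
	wrongName.ServerName = "attacker.example" // a name the cert is not valid for

	good := sha256.Sum256(cert.Raw)
	var bad [sha256.Size]byte // all zeros: no real certificate hashes to this

	ok := func(cfg *tls.Config) bool {
		_, err := fetch(srv.URL, cfg)
		return err == nil
	}
	return Outcome{
		Insecure:         ok(InsecureConfig()),
		SystemRoots:      ok(DefaultConfig()),
		Pinned:           ok(PinnedConfig(cert)),
		PinnedWrongName:  ok(wrongName),
		Fingerprint:      ok(FingerprintConfig(good)),
		WrongFingerprint: ok(FingerprintConfig(bad)),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Running it prints the Outcome struct. The Insecure field coming back true is the bug in one line: that client read the "SSN" from a server nobody vouched for, and would have done the same against a hotspot's interception proxy. The four verifying configurations show the two checks an app must keep, chain trust and hostname match; skipping either one (PinnedWrongName shows a correct chain with the wrong name) is enough to lose.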

Ironically, I just saw my first ad from Credit Karma yesterday.

While it was slightly intriguing compared to the usual suspects, it wasn't enough so to get me to visit their site.

After today, that won't ever be happening.
