HTTPS crypto-shame: TV Licensing website pulled offline

The UK's TV Licensing agency has taken its website offline "as a precaution" after being blasted for running transactional pages that were not sent over HTTPS. The publicly funded outfit had been criticised for inviting folk to submit sensitive data over unencrypted links. Just a few hours after proclaiming "we will soon …

  1. JimmyPage Silver badge
    Facepalm

    redirecting HTTP to HTTPS

    Isn't this the sort of thing a first year Comp Sci graduate used to be able to do?

    1. Alister Silver badge

      Re: redirecting HTTP to HTTPS

      In my experience, the current crop of Comp Sci graduates wouldn't have a fucking clue how to do this, nor why they should...

    2. Teiwaz Silver badge

      Re: redirecting HTTP to HTTPS

      Comp Sci awards the degree in the first year now?

      I have heard mutterings about Degrees getting easier (and reduced the length of course while probably increasing the fees), but this seems like drastic short-cutting to me.

      1. FlamingDeath Bronze badge

        Re: redirecting HTTP to HTTPS

        Well, from my observation many of the university types do certainly think that once they completed their degree, that the learning is done and finished, and they can then start looking down their noses at us other self-educated types who didn't pay £9k PA for a "rarely present tutor" and are interested enough in the subject to be motivated to self-learn

        I guess the overpriced degrees in university, breeds a kind of hubristic elitism

        A bit like when people buy an overpriced product, and they wrongly equate high price with high quality

        "The good work for all education is interest. Until there is interest there is no response"

        1. ZenCoder
          Pint

          Re: redirecting HTTP to HTTPS

          Well, from my observation many of the university types do certainly think that once they completed their degree, that the learning is done and finished, and they can then start looking down their noses at us other self-educated types

          My Computer Science and Engineering Degree taught zero practical skills ... instead I learned the scientific and theoretical knowledge that would prepare me for a lifetime of self-learning.

          Also here is at least one "University Type" that respects anyone who has the skills necessary for the job no matter how they acquired them.

          Regrettably I also worked with far too few people with skills and no degree and far too many with degrees with no skills, not to mention the 3rd year transfer students with 3.5+ GPA who literally could not complete a single lab assignment without cheating.

          So instead of a downvote ... you get a beer.

          1. Anonymous Coward
            Anonymous Coward

            Re: My Computer Science and Engineering Degree taught zero practical skills

            Mine wasn't as "impractical" as that (although the programming that we did do, did perhaps focus a little too much on near-metal-banging (pointers, malloc, etc) in C, which are things I have never needed to worry about since, as they are dealt with lower down the software stack (although I certainly do acknowledge that we do need at least some people with those skills in order to write, and optimise, those lower parts of the stack)).

            But, unfortunately, much of the "theoretical stuff" mainly seemed to be indulgence of the academics' pet areas of research, and rarely anything which gets any real-world use (eg, lambda calculus) or was more than a passing fad (at least a couple of unpleasant courses whose content I have now entirely forgotten).

            To be perfectly honest, I think I have learned far more from the web (yes, including various Wikimedia sites, with pinches of salt duly applied), forums, well-written official documentation (yes, it does sometimes exist!), and the O'Reilly menagerie, than I ever did from my first university degree.

            The university undergrad experience should really be more about a love of learning in general, learning how to transition into an adult, making new friends and networks, undertaking new experiences, and broadening your worldview.

            Unfortunately, coming from a deathly-uninspiring smalltown background, after many years of teachers' strikes (where the teachers' "work to rule" neglected the unwritten part of their mission to help their students grow and blossom as well, unfairly hurting those who had no part in their battle), and then to a university that turned out to be rather more homogenous in its student cohort than the prospectus had implied (so that most of us had all had the same stunted childhoods (but of course were unable to realise that at the time)), meant that it wasn't quite the full experience that it should have been.

            1. Claptrap314 Bronze badge

              Re: My Computer Science and Engineering Degree taught zero practical skills

              You speak like you expected/intended your education to be something that someone else gave you (at school), or perhaps a one-and-done sort of thing? How sad.

              I learned more science by reading the 500 & 600 section and subscribing to Scientific American & National Geographic (back when they were useful) than there was ever hope for me to have learned in the thin slice of time listening to someone try to explain things they themselves barely understood in K-12.

              As the previous poster mentioned, the critical skills that are needed are not "practical" (and don't go on a résumé).

              1) The ability to learn new skills. The world is changing, you must keep up. I have literally had my job description completely rewritten between when I accepted the offer and when I showed up the first day.

              2) The ability to recognize your own blind spots. The "unknown unknowns" are what kill us. Overcome Dunning-Kruger or be stuck being the one others clean up after.

              3) Diligence. No matter how many layers we put between you and the bare metal, there will be tasks that are fundamentally repetitive and non-scriptable. (Think about writing good tests.) Disciplining yourself to doing it right every time.

              Yeah, I was a hardass to my calculus students.

    3. katrinab Silver badge

      Re: redirecting HTTP to HTTPS

      If you are using IIS, it is a box you tick in the control panel. On Apache, it is a very simple addition to the configuration file.

    4. NonSSL-Login

      Re: redirecting HTTP to HTTPS

      Searched for the Beefeater site yesterday and google gave an http link which didn't redirect to https once on it which I thought was odd for this day and age.

      To view a menu it wanted my postcode and while it's not the end of the earth for that to be sniffed, it felt too dirty to post it over http so I had to manually change it to https.

      My name was a good few years of nagging at el register to https up and it took google to start giving horrible chrome messages and lower search engine ranks to http sites before it was changed. Any company not using https now should be considered lazy and not fully competent imo.

  2. Anonymous Coward
    Anonymous Coward

    only 9 months?

    Someone check the Wayback machine. I'd bet it's never been secure (i.e. http always preferred over https).

    1. Anonymous Coward
      Anonymous Coward

      Re: only 9 months?

      "Someone check the Wayback machine" - we've got a fully delegating manager type here folks. Don't see many of your sort round these parts.

    2. Anonymous Coward
      Anonymous Coward

      Re: Someone check the Wayback machine.

      There's an app for that.

      If that task is not in the existing contract, it'll cost you extra (and if it was in the contract, it's already cost the taxpayer far too much).

  3. DJV Silver badge

    "We take security very seriously"

    That's right, keep parroting that obvious bullshit out! Sigh....

  4. Snivelling Wretch

    TV Licensing is run by Capita; 'nuff said.

    1. wallaby

      "TV Licensing is run by Capita; 'nuff said."

      And we are forced by our government to use them or face a fine!!!!

      The joys of privatisation

    2. Chris Hills

      Kind of, Capita gets the majority of the work but there are other contractors. I presume the BBC is responsible for the infrastructure?

      1. Angry IT Monkey

        Capita provide the secure payments side, I believe IBM host the rest.

        Yes, I feel dirty defending Capita!

        1. Teiwaz Silver badge

          Capita provide the secure payments side, I believe IBM host the rest.

          Yes, I feel dirty defending Capita!

          Well, there's the reason then. Nobody left who has a clue at IBM?

          1. Anonymous Coward
            Anonymous Coward

            There are plenty of people left at IBM who have a clue. They just no longer care.

          2. Anonymous Coward
            Anonymous Coward

            "Nobody left who has a clue at IBM?"

            It's a chargeable item that, definitely not included in the contract that the customer signed....

      2. Doctor Syntax Silver badge

        "I presume the BBC is responsible for the infrastructure?"

        Why would they be?

        1. Alan Brown Silver badge

          >> "I presume the BBC is responsible for the infrastructure?"

          > Why would they be?

          Because TV Licensing _limited_ - the privately owned company which is responsible for actually collecting TV licence fees - is a wholly owned subsidiary of the BBC which then contracts operations out to Crapita and IBM.

          It's a nice incestuous little circle jerk when you start digging into it.

          1. An ominous cow heard

            Re: when you start digging into it.

            "Because TV Licensing _limited_ - the privately owned company which is responsible for actually collecting TV licence fees - is a wholly owned subsidiary of the BBC which then contracts operations out to Crapita and IBM.

            That's not quite how it works, according to published information. Maybe your description is equivalent, maybe no one has challenged it for the last few years, but here's an extract from an official description:

            https://www.tvlicensing.co.uk/about/who-we-are-AB4

            " 'TV Licensing' is a trade mark of the BBC and is used under licence by companies contracted by the BBC to administer the collection of the television licence fee and enforcement of the television licensing system.

            The BBC is a public authority in respect of its television licensing functions and retains overall responsibility.

            Responsibilities of TV Licensing contracted companies

            Capita Business Services Ltd Administration and enforcement of the TV Licence fee.

            PayPoint Plc Over-the-counter payment services in the UK mainland and in Northern Ireland.

            [continues]"

            If there was an actual "TV Licensing Limited" I would expect to see evidence somewhere (ultimately, official records at Companies House). Have you got any?

            The big-picture concept of contracting this stuff (collection AND enforcement) out to organisations like Crapita and friends still stinks. As it often does elsewhere. But sometimes details matter, as well as the big picture.

    3. FlamingDeath Bronze badge
      Facepalm

      Fucking Crapita

      Who knew

      1. Anonymous Coward
        Anonymous Coward

        Why wasn't it mentioned in the article that Capita run this? Come on El Reg. It's kind of relevant. I know it's Friday but you haven't even been to the pub yet (I assume).

  5. chroot

    HTTPS by default?

    Now that Chrome makes it alarming to visit any HTTP site, why doesn't it just try HTTPS first? HTTP can be an optional fallback with an informative/alarming notice.

    1. Anonymous Coward
      Anonymous Coward

      Re: HTTPS by default?

      Because some people may want to visit the http version of a site - for testing purposes for instance or the https version of the site may be an entirely different site altogether or a security or certificate problem may mean the https version is down while the http version is up etc etc.

      Having a third party decide that it is going to disregard your wishes and the site owner's wishes is not a great solution - they'll be removing parts of the url completely next.

      Maybe a popup to say there is a secure version of the site and would you like to visit it?

      Maybe use HTTPS Everywhere extension which will use https?

  6. Dave 15 Silver badge

    scrap tv licence

    Simplest answer

    The BBC is just the government's propaganda machine anyway. Fund from general taxation and cut all the costs out straight off. They have a list of all the houses in the UK without a licence and bombard you with letters and visits demanding that YOU prove to them you don't need a licence with very threatening letters. Frankly better off without any of it.

    BBC can be funded by either:

    a) general taxation

    b) pay per view/subscription like sky

    c) advertising

    d) selling their 'wonderful' programs (mmm... teletubbies, total crud, perhaps by having to sell the programs they might just decide to make programs worth the effort????)

    The tv licence model is broken, out of date and ridiculous, like most other government taxation.

    Long overdue to move to a single tax and single benefit system so we can really understand just how much we are being screwed by the government of the day.

    1. Anonymous Coward
      Anonymous Coward

      Re: scrap tv licence

      > "The tv licence model is broken..."

      No it isn't. Governments usually love to force propaganda on their citizens, and making them pay for it too just makes the operation that much sweeter.

    2. FlamingDeath Bronze badge

      Re: scrap tv licence

      No idea why you have so many downvotes.

      The BBC are happy enough to pay Gary Lineker, Chris Evans and Graham Norton, a ridiculous sum of cash for what is questionable talent.

      If anybody has seen Idiocracy, it should be fairly obvious why TV is the way it is

      Love Island?

      Big Brother?

      Celebrity get me out of here?

      If these programs are not the result of an ever increasingly stupid population, I don't know what it

      1. Anonymous Coward
        Anonymous Coward

        Re: scrap tv licence

        Not giving the BBC a carte blanche defence, but if you're going to criticise them, it doesn't help to back up the attack with...

        > Love Island?

        ITV

        > Big Brother?

        Formerly Channel 4, now Channel 5

        > Celebrity get me out of here?

        ITV

        (Just to clarify for readers outside the UK- none of those are BBC stations).

    3. Alan Brown Silver badge

      Re: scrap tv licence

      "scrap tv licence

      Simplest answer"

      Yes, but not for the reasons you're pushing.

      Radio licensing was scrapped in the late 1960s for the simple reason that with the advent of transistorisation there were too many radio sets to keep track of and the licensing income wasn't worth the hassle. TV licensing was kept because TV sets were large, cumbersome and easy to track.

      Times and technology have changed and now TV sets are as ubiquitous as radio sets were at the time their licenses were scrapped.

      The assumption since the 1970s has been that "every house has a TV set and every one without a license is a dodger" - with "TV detector vans" mainly being minibuses and the "detectors" being people looking for aerials or the telltale signs of a TV in use (flickering lights and the warbling sounds of Coronation Street coming from premises which supposedly had no TV)

      You'll notice that receiver licensing is no longer a radio regulatory job: that should give a big hint as to its actual necessity.

  7. Aladdin Sane Silver badge
    Mushroom

    We take security very seriously

    Lies.

    1. 0laf Silver badge
      Thumb Up

      Re: We take security very seriously

      "We take our security very seriously, we don't give a fuck about yours.... unless the ICO is knocking on the door"

      FTFY

    2. Anonymous Coward
      Anonymous Coward

      Re: We take security very seriously

      *We take security very seriously

      The cheques in the post

      The dog ate my homework.

      Of course I love you.

      I promise I won't cum in your mouth.

      *Added to the list of the greatest lies ever told.

      1. Alister Silver badge

        Re: We take security very seriously

        You forgot:

        It's not you, it's me.

      2. Fred Dibnah

        Re: We take security very seriously

        And:

        I'm just out for a swift half.

        1. Kane Silver badge

          Re: We take security very seriously

          And:

          It's only the tip.

      3. Nano nano

        Re: We take security very seriously

        £350m a week for the NHS ...

        1. Wincerind

          Re: We take security very seriously

          @Nano nano "£350m a week for the NHS ..."

          Oh do give it a rest.

    3. Anonymous Coward
      Anonymous Coward

      Re: We "will briefly" take security very seriously

      Corrected for you...

      1. Nano nano

        Re: We "will briefly" take security very seriously

        Momentarily ...

  8. Loyal Commenter Silver badge

    we're not aware of anyone's data being compromised.

    Well, if you're not using HTTPS, you wouldn't be aware of it, almost by design. Not being aware of the man-in-the-middle doesn't mean he isn't there. All it takes is a poisoned DNS server, redirecting requests to a proxy, and someone can be listening in on all the unsecured connections for any domain that DNS server is serving up the address for.

    1. NonSSL-Login

      Or just someone on the same wifi network running wireshark or other tools. Requires catching the initial handshake but easy enough to disconnect a client and force it to reconnect to catch it.

    2. Alan Brown Silver badge

      "Well, if you're not using HTTPS, you wouldn't be aware of it, almost by design."

      It would be "very good" if the ICO (or the EU privacy oversight watchdogs) declare that it's a prima facie data breach to use http for ANY kind of entry of personal data, regardless of provable data breach - and if there is a subsequent data breach then failure to use https adds a multiplier to the fines.

  9. Anonymous Coward
    Anonymous Coward

    Airline / Travel HTTP Crimes

    Anyone noticed HTTP / HTTPS breaking while trying to Check-In online or when Printing a Boarding Pass? You're taken to the Parent-Airline site first to authenticate (HTTPS). But then they send you to the Subsidiary-Airline site (the airline you're actually flying with), to enter Passport and other personal details before issuing the final boarding pass.

    That can even just be a random 3rd-Party site (again over HTTP only).... WTF airlines? Get your sht together! The only solution is hold off / don't use it, wait in line at the airport. Might be better anyway, as the amount of server-side user tracking is already toxic:

    -

    Emirates / Lufthansa dinged for slipshod online data privacy practices

    https://www.theregister.co.uk/2018/03/05/emirates_dinged_for_slipshod_privacy_practices/

    1. Alan Brown Silver badge

      Re: Airline / Travel HTTP Crimes

      "That can even just be a random 3rd-Party site (again over HTTP only)"

      Any of this is grounds for a complaint to the ICO and making sure that El Reg (amongst others) has enough detail to make it impossible for the airlines to brush off or the government numpties to sweep under the carpet.

  10. tallenglish

    Yet another Crapita cockup

    This is what happens when you don't pay your employees half enough or care about them, haven't a clue about what you're selling or care about the security of your clients.

    Bet the details are stored in some plaintext file on the server too.

  11. intrigid

    TV licensing agency

    Paying the government for the privilege of owning a magic picture device? The whole HTTP privacy debacle should be an afterthought. You brits should hang your heads in shame for allowing such a ridiculous bureaucracy to exist in the first place.

    1. Anonymous Coward
      Anonymous Coward

      Re: TV licensing agency

      Don't criticise someone else's crappy government until you've cleaned up & decrapified your own. Those whom live in glass houses shouldn't throw stones.

      1. Anonymous Coward
        Anonymous Coward

        Re: who/whom

        "Who" is subject (the person doing something), "whom" is object (the person or thing to whom something is being done by the subject).

        Who am I? A grammar pedant.

        I am trying to help improve the grammar of the person to whom the glass house belongs.

        (I was going to write: "I am trying to help improve the grammar of the person whom lives in the glass house", but I have a feeling that's not right. Is that person the subject of that part of the sentence again, or is it that we use "whom" so infrequently nowadays that it almost always sounds unusual? Or is it that English has such lazy grammar, barely conjugated verbs, vestigial cases, and that most of us who learn it as native speakers sadly aren't really taught very much formal grammar at school so that it is very hard for us to work out what's right and what ain't?)

    2. Anonymous Coward
      Anonymous Coward

      Re: TV licensing agency

      "privilege" ... seem to remember that features in about the first paragraph of the California Driving code where it explains being given a licence to drive a car is a privilege that that state grants you and not a right. At least in the UK they don't rescind your privilege for owning magic picture devices for breaking completely unrelated rules.

    3. Anonymous Coward
      Anonymous Coward

      Re: TV licensing agency

      You don't need to pay the government anything for owning a TV. You only need to pay if you use it for certain things.

      1. FlamingDeath Bronze badge

        Re: TV licensing agency

        Do you mind telling the TV licensing gang of that little detail?

        They seem to equate "no tv license" with "they need a tv license" irrespective of how someone uses their TV

        Anybody who disbelieves this, I highly recommend you to cancel your TV license, remove all BBC channels from your tuned TV, and then watch the highly threatening letters roll in from the BBC tv licensing gang.

        By all means vote down, it won't change this little fact

        1. Loyal Commenter Silver badge

          Re: TV licensing agency

          Anybody who disbelieves this, I highly recommend you to cancel your TV license, remove all BBC channels from your tuned TV, and then watch the highly threatening letters roll in from the BBC tv licensing gang.

          And they are just that - threatening letters. To prosecute you, they need to prove that you own a TV, use it to receive broadcasts, and are not paying the licence fee. Unless you are silly enough to be watching BBC news in front of the window when their 'enforcement officers' call by, then they don't have that proof. They can't enter your property without a police warrant, so if they come calling (which is vanishingly unlikely), you can quite legally tell them to fuck off and close the door.

          So, those threatening letters? Just cross out the address, write 'return to sender' on the top and pop it back in the nearest post box. At least that way, it's not cluttering up your household recycling.

          1. Anonymous Coward
            Anonymous Coward

            Re: TV licensing agency

            "silly enough to be watching BBC news in front of the window when their 'enforcement officers' call by... can't enter your property without a police warrant, so if they come calling (which is vanishingly unlikely), you can quite legally tell them to fuck off and close the door."

            You can also revoke the assumed right of access to your property. This is the right that people - postmen [I use that term to cover post persons of all genders and sexual identities], Jehova's witnesses, etc etc - have to come up your garden path and knock on your door. But you can revoke it - in writing to Capita - and if they then encroach on your property they are breaking the law.

        2. caffeine addict Silver badge

          Re: TV licensing agency

          You don't need a license for a TV.

          You need a license to receive TV signals at the time of broadcast. That covers TVs (all channels, possibly including satellite, not just BBC content), computers, and recording devices.

          It caused an interesting edge case where it was illegal to watch iPlayer live, but not five minutes after the broadcast ended. They've now closed this loophole and you need a license for all iPlayer content, regardless of when (or if) it was broadcast. That's why you need a login for iPlayer nowadays. (That statement has been downvoted in the past, but contacts in Capita & BBC have assured me it was the driving force behind BBCID).

          You don't need a license to have a TV for gaming, computer use, watching purchased prerecord (films, tv, etc), or streaming services like Netflix. Pretty certain you can watch the iPlayer equivalents from ITV/C4/C5 freely, but I haven't checked. I believe that watching broadcast TV that someone else recorded for you is against the rules, but god knows how they'd know.

          I believe there used to be a few places where you didn't need a license if you only watched ITV/C4 but that was because BBC signals weren't available in those areas (presumably coastal areas with high cliffs or something). Those dark spots no longer exist.

          1. Nano nano

            Re: TV licensing agency

            In the UK, we need a "licence" ....

        3. Dave 15 Silver badge

          Re: TV licensing agency

          Actually you need the licence to watch ANY broadcast.. including nonBBC, amazing but true... even includes your satellite viewing.

          It will be worse, in Germany you need a TV licence for a radio or the internet. In fact they even managed to take a guy to court despite him living in the woods with no electric.

          But you are right the TV licence people don't use a detector van any more, they just send a letter a week to any address with no licence and a thug a month.

          'can I come in and check...' NO... another visit, the court, the police, and ... oh but you haven't a tv followed by a carry on of the pre discovery carry on.. they don't even give up if you die

  12. Anonymous Coward
    Anonymous Coward

    They are not the only one. I know of a company that runs many booking systems and they all run on http. I queried this a few years ago but they wouldn't do anything about it and I note it's still http.

    I've emailed them again pointing out the risks and await a response.

    1. Gerhard Mack

      They don't care

      They obviously don't care so the only things that will change their mind will be:

      1. a fine.

      2. a lawsuit

      3. public humiliation.

      If you want to solve the problem, find out which of those levers you can pull.

    2. Alan Brown Silver badge

      "I've emailed them again pointing out the risks and await a response."

      No need for that. Just let the ICO know - and when they don't bother responding, make the media aware.

  13. sitta_europea

    Does this mean the DVLA will fix their SPF record now? (I know, I know, I've been bangin' on about it for years, but even writing to my MP - Dennis Skinner - hasn't helped.)

    1. Doctor Syntax Silver badge

      "my MP - Dennis Skinner"

      He's still there? What age did he say he was going to retire and what age is he now?

  14. Claptrap314 Bronze badge

    https everywhere?

    Why on earth would you use http for the admin interface on anything? For crying out loud, I'm no sysadmin for anything, but that's just ridiculous.

    Oh, wait. Which article am I responding to? Umm... Well, yeah. Same song, next verse. Oughta get better, but it's gonna get worse.

    We need a mass facepalm icon.

  15. Potemkine! Silver badge

    "We take security very seriously "

    It's PR BS day, isn't it?

    Mr Moore summed it up well: "There really are no words for such ineptitude"

  16. StuntMisanthrope Bronze badge

    Provision of false information, etc.

    Section 144 (b) Recklessly makes a [F1] which is false in a material particular. #basics

  17. Anonymous Coward
    Anonymous Coward

    GDPR fine ?

    Will they get a fine or is it not qualified as a data breach?

    We should fine the pension fund.

    Can the "fine" be offset against profits like the Banks?

  18. pleb

    Uk.gov

    And the uk.gov gateway (access to details about your pension, tax, national insurance, driving licence, car tax, everything - your whole government ID) has a password requirement of 8-12 alphanumerics, no special characters allowed.

  19. T 7

    The same happened with my flat managing company (Warwick Estates since you weren't asking). They were using zendesk chat and had hardcoded "http://" meaning all chat was unencrypted. They had no idea what I was talking about and it was only when I went to zendesk and got them to confirm it, they actually changed it.

    Similarly, NHS jobs, until 2 weeks ago, was doing passwords and logins in the clear.

    Last year I found the same with credit card details for bookatable. Again, hardcoded 'http://' on a 'back' button.

    I am not even an IT professional. This kind of stuff is everywhere.

    Naturally no one has ever thanked me. But I'm not in this for the praise.

    1. DaLo
      Pint

      Thanks - There you go!

    2. Loyal Commenter Silver badge

      hardcoded http needn't be a problem (although it is untidy, IMHO, all links internal to a web site should be relative), as long as the server is configured to redirect all http requests to https. The fact that they serve anything up at all on http is the real problem.

      1. Dave559 Bronze badge

        hardcoded http

        But would hardcoded http, even if immediately redirected, not send all of your cookies for the site (unless set as "secure" only) with your request, allowing any MITM a bite of your delicious delicacies, before you then get the (redirected) https page back?
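As an added example (not from any commenter, and not code from the site discussed), this Python script simulates a browser cookie jar to show the leak Dave559 asks about: after an HTTPS login sets a cookie, the very first request to a hard-coded http:// link carries that cookie in the clear unless it has the Secure attribute, and a server-side redirect to https cannot undo that. The host example.test and the cookie values are constructed placeholders.

```python
"""Why a hard-coded http:// link leaks cookies even when the server redirects
straight to https, and why the Secure attribute prevents it.

Standard library only. example.test and the cookie values are constructed
placeholders, not a real site or captured traffic.
"""
from email.message import Message
from http.cookiejar import CookieJar
from io import BytesIO
from urllib.request import Request
from urllib.response import addinfourl


def jar_from_login(set_cookie_headers, login_url="https://example.test/login"):
    """Build a cookie jar the way a browser would after an HTTPS login
    response carrying the given Set-Cookie headers (constructed response)."""
    headers = Message()
    for value in set_cookie_headers:
        headers["Set-Cookie"] = value          # Message appends, keeping all headers
    response = addinfourl(BytesIO(b""), headers, login_url, code=200)
    jar = CookieJar()                          # default policy honours Secure
    jar.extract_cookies(response, Request(login_url))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url.

    http.cookiejar applies the same rule as browsers: a cookie flagged
    Secure is only sent when the request scheme is https (or wss)."""
    request = Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def leaked_over_http(set_cookie_headers, plain_url="http://example.test/account"):
    """Cookies that travel unencrypted on the first plain-HTTP request, i.e.
    before any 301/302 to HTTPS from the server can take effect."""
    return cookies_sent_to(jar_from_login(set_cookie_headers), plain_url)


# Constructed Set-Cookie headers: the weak form and the hardened form.
WEAK = ["session=abc123; Path=/; HttpOnly"]
HARDENED = ["session=abc123; Path=/; HttpOnly; Secure"]

if __name__ == "__main__":
    print("weak cookie sent over http:", leaked_over_http(WEAK))          # ['session']
    print("hardened cookie sent over http:", leaked_over_http(HARDENED))  # []
    # The hardened cookie still works once the client is on HTTPS.
    print("hardened cookie sent over https:",
          cookies_sent_to(jar_from_login(HARDENED), "https://example.test/account"))
```

The same jar logic shows why fixing the redirect alone is not enough: the Secure attribute (or an HSTS policy that stops the browser issuing the http request at all) is what keeps the session token off the wire.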

  20. David 18
    Facepalm

    "Not aware"

    "We've identified that this issue has happened very recently, and we're not aware of anyone's data being compromised."

    If the men in the middle did their work properly how would they be aware!

  21. Anonymous Coward
    Anonymous Coward

    "We take security very seriously..."

    except when we don't.

  22. Jamie Jones Silver badge
    Facepalm

    And yet....

    No-one seems to mind the "email a link to reset your password", which is rarely encrypted end-to-end, and not even obvious that it isn't (or is)

    1. Dave559 Bronze badge

      Re: Password reset emails

      That's a good point, and one of the reasons why conventional email really does need to be replaced by a new, open, interoperable, and of course, secure/encrypted, messaging protocol (as GPG, etc, are just too complicated for almost everyone to use).

      At least reset codes usually have a validity window, which restricts the time a black hat hacker has available to try to sniff your email. I have received some recently which have had as little as a 10 minute validity window (obviously, if someone has already intercepted your email account, that's still alarming, but, basically it still comes down to the point that we need to rethink email).

      1. Anonymous Coward
        Anonymous Coward

        Re: Password reset emails

        @Dave559

        "...obviously, if someone has already intercepted your email account, that's still alarming..."

        Or stolen your unsecured phone / laptop. In all cases, it's game over.

        In other words, that's not security.

        1. EnviableOne Bronze badge

          Re: Password reset emails

          Ahh but as far as the unwashed masses are concerned, it is the appearance of security, which gives them confidence to use the interwebs.

          if all were so enlightened, the first $1 trillion company would be GE in like 20 years, as everyone would have left the security free cesspool that is the internet alone.


Biting the hand that feeds IT © 1998–2019