Hubris, In Unabashed Splendor

Okay, say you are running a website that allows subscriber logins over a non-encrypted page. Some of your subscribers notice and complain that Firefox is putting up a (now pretty standard) warning that the login page was not protected by an encrypted connection, and is therefore insecure.

Do you:

1) realize the error and quickly move to remedy it

2) dash off a snarky complaint to Mozilla's bug-reporting service and tout your impeccable security record

Yeah, option 2 is what we have here:
"Your notice of insecure password and/or log-in automatically appearing on the log-in for my website, Oil and Gas International, is not wanted and was put there without our permission," a person with the user name dgeorge wrote here (the link was made private shortly after this post went live). "Please remove it immediately. We have our own security system, and it has never been breached in more than 15 years. Your notice is causing concern by our subscribers and is detrimental to our business."
It gets better/worse, as the site was (perhaps unsurprisingly) allegedly hacked shortly thereafter, and apparently passwords were stored in plain text, too...


