New website aims to publicly shame apps with lax security

HTTP Shaming's ethos is even on a fridge.

The amount of personal data traveling to and from the Internet has exploded, yet many applications and services continue to put user information at risk by not encrypting data sent over wireless networks. Software engineer Tony Webster has a classic solution—shame. 

Webster decided to see if a little public humiliation could convince companies to better secure their customers' information. On Saturday, the consultant created a website, HTTP Shaming, and began posting cases of insecure communications, calling out businesses that send their customers' personal information to the Internet without encrypting it first.

One high-profile example includes well-liked travel-information firm TripIt. TripIt allows users to bring together information on their tickets, flight times, and itinerary and then sync it with other devices and share the information with friends and co-workers. Information shared with calendar applications, however, is not encrypted, Webster says, leaving it open to eavesdropping on public networks. Among the details that could be plucked from the air by anyone on the same wireless network: a user's full name, phone number, e-mail address, the last four digits of a credit card number, and emergency contact information. An attacker could even change or cancel the victim's flight, he says.

Read 9 remaining paragraphs | Comments