Six Months Later: Seven Major Websites that Send Passwords Unprotected

July, 2010

It's been six months since I first wrote that 7 out of the 36 most popular websites sent login passwords in the clear, without SSL encryption. This basic weakness means your password can be read by anyone who can see your Internet traffic, for example anyone using the same wireless access point as you.

I mentioned that I wanted to bring those seven sites around to having secure logins. This is our six month progress report.

I also want to expand our ambitions to tackling the next 1,000 most popular sites that are insecure. We're going to need a new strategy to do that. More on that later, after the results..

Drum roll please...

Three out of the seven top websites added secure logins. As far as I can tell, in each case the change was due to this blog's original post and the follow up efforts of myself and our readership.

That – ladies and gentlemen – is awesome!!!!!

Bit.ly stats aren't working for me right now but I know the blog post was retweeted 200~300 times in many languages. This all happened when everyone was talking about China's internet attacks, so frankly I don't expect to get as much attention on this follow up post, but I do think we can nevertheless maintain the same pace of progress in the next six months.

More on the next six months below. For now I want to highlight the status of each of the seven websites, and offer thanks where thanks is due!!

The following websites now have secure login forms:

Photobucket (thanks to Sachin Rekhi, Luke Swanson, and Normal Liang!)

(thanks to Sachin Rekhi, Luke Swanson, and Normal Liang!) GameSpot (thanks to AirGuitarist87 and Jody Robinson!)

(thanks to AirGuitarist87 and Jody Robinson!) Taobao.com (I'm not sure who to thank here)

The following sites still have insecure login forms:

Slide

hi5

Tudou

Wikipedia is also technically in the "still unsecure" list, but I decided to put less emphasis on them since (a) they provide a prominent link to a secure login form next to the login box, and (b) most of their users don't use logins.

I was able to contact someone at Slide, hi5, and Tudou but I wasn't able to get direct results from those conversations. (See update below.)

Broader goals, and a new approach

There are many other websites in the top 1,000 that send passwords in the clear. Some of these include digg, reddit, tumblr, and plentyoffish, but there are many others.

My original ambitions were only for the top 36 ranked sites, but it's worth going after the more ambitious goal of securing the top thousand if we can do it, and I think we can.

My emailing these company directly is not a scalable approach here.

My favorite new approach is to propose a patch to Firefox that will gently tell the user after their password is sent in the clear, and suggest they contact the website to ask that they secure their login form.

I created a post on the Firefox dev mailing list and a good discussion ensued around the usability and technical issues. Overall support was moderate to strong.

...changing the world is possible!...

Do you know someone who might be able to help make this happen, or do you have any ideas for how to get this done?

Please let me know if you do. You can contact me on Twitter or via email.

Thanks!

(Update: an engineer from hi5 has told me that they are working on it for their site!)