As a customer of a large web hosting company I expect a certain level of security. With this assumption I used their web mail service for months without actually validating the level of security they offer for this service. One cloudy day I just happened to be looking through my browser history and what do I see? My username and password in the URL string.
Absolutely astounded that in 2010 the password was sent as part of the URL, clearly visible to anyone with access to the browser history, I tweeted something like “#company = #securityfail password in the URL, please!”. With this now out there on Twitter, not knowing who might respond, within minutes the web hosting company responded and asked that I email them my issue and they would follow it up.
With nothing to lose, I wrote up a quick statement on how SSL should be the standard and the password should never be in the URL, and fired it off to the social media representative. With that done I went back to the daily grind, forgetting that I ever sent the email.
Several days later I got a response from the social media rep stating that they had changed the code of the web mail system so that the URL does not contain the password. So here I am writing this blog post thinking that maybe social media isn’t a complete waste of time and that some companies do care.
As for the security of the web mail system, they still don’t use SSL on the login page and the password is passed in the clear in the HTTP header. Web hosting provider… must try harder next time.
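As an added illustration, not code from the post or from the hosting provider: a small Python check that flags a login form for the two problems described here, a GET method (credentials end up in the URL and browser history) and a non-HTTPS action (credentials cross the wire in the clear). The form markup and the mail.example.com URLs are constructed for the example.

```python
# Added example: audit a login form for the two weaknesses in the post above.
# Hypothetical helper, not the hosting provider's code; sample markup is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>: method, action, and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(html, page_url):
    """Return one finding per password form: where it submits and how credentials would leak."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])  # resolve relative actions against the page
        issues = []
        if form["method"] == "get":
            issues.append("credentials in URL: recorded in browser history and server logs")
        if urlsplit(target).scheme != "https":
            issues.append("credentials over plain HTTP: readable by anyone on the path")
        findings.append({"action": target, "method": form["method"], "issues": issues})
    return findings


# Constructed markup for the three states the post describes (not the provider's real page).
PAGE_URL = "http://mail.example.com/webmail/"
ORIGINAL = '<form action="login" method="get"><input type="password" name="pass"></form>'
AFTER_FIX = '<form action="login" method="post"><input type="password" name="pass"></form>'
HARDENED = '<form action="https://mail.example.com/login" method="post"><input type="password" name="pass"></form>'
```

Running `audit_login_forms` over the three samples shows the progression the post describes: two findings for the original GET form, one remaining (plain HTTP) after the provider's fix, and none once the form posts to an HTTPS action.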