
Sunday, September 1, 2013


I am going to purposefully leave the details of this post fuzzy because I don't want the company I am writing about, which I've never done business with before and hence don't know how they receive technical "concerns," to come after me with some bogus DMCA charge. Instead, I am just posting it to both of my blogs as a parable.

I am an unpaid, volunteer webmaster for a certain local non-profit. Our web site has been hosted for free for years by a national non-profit who also provided low-cost domain name registration. Recently, the national organization decided that the web hosting and registration business was not part of their core mission (and their reasons make sense - it's a PITA to deal with, but I understand why they're doing it). They recommended some providers to take over the web hosting part and as a convenience have contracted with a domain registrar to take over the domain name side of things. It is with this latter company that I have the following complaint.

Today I was checking my junk folder and right before I emptied it I noticed a "From" address that rang a bell. It turned out to be a "welcome" email from the new domain registrar. That in itself is not a bad thing - it is even proactive, given that the deadline for switching over is less than two months away. But in the middle of the email lurked problem number one - they had included a new userid and password for our account, in plain text. Already my antennae are twitching. Who would be so clueless as to send out an unsolicited email with credentials in it? SpamAssassin thought it was fishy, that's for sure.

I then went to their web site (not via any links in the email, but directly using the base domain name that I had already received from the national organization) and saw a place to log in, so I did, using the credentials from the email. And that's when I noticed the second problem. The login wasn't sent over an encrypted HTTPS session. Just to make sure, I fired up Fiddler and tried it again, and yup, I could see the unencrypted userid and password going over the wire in the HTTP request body. It wasn't until later, when I clicked the "My Account" link on their site, that they switched to an HTTPS session, but at that point why bother?
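The Fiddler check above is the manual version of something you can script before ever typing a password into a site: fetch the login page, find every form that contains a password field, resolve its action URL, and see whether it lands on https. The script below is an added example written for this post, not code from the blog's author or from the registrar; the page URL, the HTML and the host name registrar.example are constructed stand-ins. It also flags the subtler case the post hints at: a form whose action is https but which was served over plain http, because anyone on the path can rewrite that action before the browser sees it, so the https target is no real guarantee.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page served over plain HTTP whose form posts
# to a relative action, so the credentials travel in the clear. This is not
# the registrar's real markup; it is a stand-in for this example.
SAMPLE_PAGE_URL = "http://registrar.example/"
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form action="https://registrar.example/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form> with its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """Return (finding, target_url) pairs for forms that expose a password.

    Two cases are reported:
      "cleartext-submit"       - the resolved form action is not https, so the
                                 password itself crosses the wire in clear text
                                 (exactly what Fiddler showed in the post).
      "form-served-over-http"  - the action is https but the page carrying the
                                 form was fetched over http, so an on-path
                                 attacker could have rewritten the action.
    """
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes etc. are not our concern here
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(("cleartext-submit", target))
        elif page_scheme != "https":
            findings.append(("form-served-over-http", target))
    return findings


if __name__ == "__main__":
    for kind, target in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind}: password form submits to {target}")
```

To run this against a live site, fetch the login page with urllib and pass the final URL (after redirects) and the body to audit_login_forms; the redirect-resolved URL matters, because a site that answers http with a 301 to https is in a very different position from one that serves its login form on http and only upgrades once you reach "My Account".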

So, needless to say, as part of the process of migrating the site to a new hosting provider I am going to make a strong recommendation that the local organization I am working with change domain registrars, too. Because frankly, I consider this technical cluelessness of the first degree and completely inexcusable.
