FTC commissioner demands web sites implement SSL for all sensitive data
I recently wrote about the Online Trust Alliance (OTA) and its recent report card showing poor performance in trustworthy practices among the nation's leading online businesses. That report calls to mind a speech from about a month ago in which the FTC's departing commissioner, Pamela Jones Harbour, called on popular online services such as Hotmail, Yahoo, Flickr, Facebook, MySpace, and financial providers to protect 100% of their service with SSL, rather than only the login page, as is the common practice today. In her speech Commissioner Harbour stated,
Encryption technology is already built into every popular web browser, but here is an unpleasant truth. Many popular services employ encryption technology and only transmit initial log-in information, such as user names and passwords. All subsequent data is sent in the clear, unencrypted. This problem affects services such as Microsoft Hotmail, Yahoo! Mail, Flickr, Facebook, and MySpace. This practice exposes consumers to significant risks when they connect to popular cloud-based services using public wireless networks in coffee shops, airports, and other public hot spots. Without encryption, user data is easily intercepted using freely available, off-the-rack hacking tools.
. . .
Many users of cloud-computing services lack the basic security protections that users of traditional PC-based software often take for granted. These vulnerabilities are easily preventable. Many web based services, including online banking and certain online merchants, operate securely over wireless networks. As a notable example, many banks in the financial sector use the industry standard Secure Socket Layer, SSL, encryption protocol to protect their customers' information. These encryption technologies are widely available, yet many service providers choose not to implement these technologies for all data transfers and instead continue to provide a product and services with unsafe default settings. Even though the service providers know about the vulnerabilities and the ease with which they can be exploited, the firms continue to send private customer information over an unsecure Internet connection that easily could have been secured. And so, my bottom line is simple. Security needs to be a default in the cloud. Today, I challenge all of the companies that are not yet using SSL by default -- that includes all e-mail providers, all social-networking sites, and any website that transmits consumer data -- step up and protect consumers. Don't do it just some of the time. Make your website secure by default.
The speech came soon on the heels of Google's widely publicized decision to serve all of Gmail over SSL, for exactly the reasons Commissioner Harbour cited.
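The mechanism behind the commissioner's complaint is worth spelling out, because "only the login page is encrypted" sounds less serious than it is. The password travels over HTTPS, but the session cookie the server sets in reply is attached by the browser to every later request for the same host. If that cookie lacks the Secure attribute and the inbox is then served over plain HTTP, the cookie crosses the coffee-shop Wi-Fi in the clear, and whoever captures it is logged in as the victim without ever seeing the password. The script below is an added example, not code from the original post or from any of the services named in it: it models the browser's cookie-sending rule, audits a login response for cookies that would be sent on a plain http:// request, and shows the request line a passive listener would capture. The host name, cookie values and response headers are constructed sample data.

```python
"""Audit a login response for cookies that would leak onto plain HTTP.
Added example; host name and header values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # host the cookie applies to (no leading dot)
    path: str = "/"
    secure: bool = False  # Secure attribute: send only over https://
    httponly: bool = False


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse one Set-Cookie header value. Attributes are ';'-separated, so a
    comma inside an Expires= date does not split the header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=response_host.lower())
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val:
            cookie.path = val
    return cookie


def cookies_sent_for(cookies: List[Cookie], url: str) -> List[Cookie]:
    """The cookies a browser attaches to a request for url: host and path must
    match, and a Secure cookie is only sent when the scheme is https."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    over_tls = target.scheme == "https"
    path = target.path or "/"
    selected = []
    for cookie in cookies:
        if cookie.secure and not over_tls:
            continue  # Secure is exactly what keeps the cookie off the plaintext wire
        if not (host == cookie.domain or host.endswith("." + cookie.domain)):
            continue
        if not path.startswith(cookie.path):
            continue
        selected.append(cookie)
    return selected


def plaintext_request(cookies: List[Cookie], url: str) -> str:
    """What a passive listener on the network sees when the browser fetches url
    over plain HTTP: the Cookie header carries every non-Secure cookie."""
    target = urlsplit(url)
    lines = [f"GET {target.path or '/'} HTTP/1.1", f"Host: {target.hostname}"]
    sent = cookies_sent_for(cookies, url)
    if sent:
        lines.append("Cookie: " + "; ".join(f"{c.name}={c.value}" for c in sent))
    return "\r\n".join(lines) + "\r\n\r\n"


def audit_login_response(headers: Dict[str, List[str]], host: str) -> Dict[str, object]:
    """Given the headers of the HTTPS login response, report which cookies would
    be sent on http://host/ and whether the site pins browsers to HTTPS with
    a Strict-Transport-Security header."""
    cookies = [parse_set_cookie(h, host) for h in headers.get("Set-Cookie", [])]
    leaking = [c.name for c in cookies_sent_for(cookies, f"http://{host}/")]
    hsts = any(k.lower() == "strict-transport-security" for k in headers)
    return {"leaking_cookies": leaking, "hsts": hsts}


# Constructed sample data: a login response in the style the speech criticises
# (only the login itself is encrypted) and its hardened counterpart.
WEAK_LOGIN_RESPONSE = {
    "Set-Cookie": [
        "SESSIONID=7f3a9c1e5b; Path=/; HttpOnly",  # no Secure attribute
        "lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
    ],
}
HARDENED_LOGIN_RESPONSE = {
    "Set-Cookie": [
        "SESSIONID=7f3a9c1e5b; Path=/; Secure; HttpOnly",
        "lang=en; Path=/; Secure",
    ],
    "Strict-Transport-Security": ["max-age=31536000"],
}
HOST = "mail.example.com"  # hypothetical host


if __name__ == "__main__":
    for label, response in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_login_response(response, HOST))
        jar = [parse_set_cookie(h, HOST) for h in response["Set-Cookie"]]
        print(plaintext_request(jar, f"http://{HOST}/inbox"))
```

Run against the weak response, the audit lists both cookies as leaking and the captured request carries `Cookie: SESSIONID=7f3a9c1e5b; lang=en`; against the hardened response nothing is sent on http:// at all, and the same cookies still flow on https://. That is the whole difference between encrypting the login page and making the site secure by default: the Secure attribute plus serving every page over HTTPS, not a stronger password form.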