
Ask HN: Liability due to lack of SSL - stevenhubertron
I have a family member who sells stuff online. As part of his checkout experience he asks for CC info as well as SSN info on a HTTP website. I am trying to explain to him why this is bad, but he doesn't really care. What can I say to him factually that might help him make the investment in SSL (and not storing PII in a SQL db, for that matter)?
======
fredkbloggs
I would focus his attention on the possibility that his card processor will
cut him off for violations of their agreement. This would result in large-
scale loss of business and it may not be easy to arrange for a new processor
on short notice. Keep his eyes on the money.

I would not bother with a technical explanation of any of this stuff. He
doesn't care, and bluntly it's not particularly easy to point to major
compromises in which the lack of SSL played a key role. Most of the time, data
is siphoned out of "PCI-compliant" shops that do use SSL, and they get it
through database compromises and/or compromised POS terminals. MITM doesn't
seem to be worth the effort, if only because the other stuff is so easy and
yields so much data.

Nor would I bother talking about PCI. Most of their requirements are silly and
do little or nothing to prevent exposure of PII or fraud. What matters to him
is the agreement with his processor, not some 4000-page document that wants to
tell you how to take a piss.

Eyes on the money. No processor, no business, no money. Keep it simple. If
that doesn't do it, you've done your part and should walk away. It's not your
problem.

------
techjuice
Unless he is a government, insurance, credit card, bank, or real estate
organization, he should not be asking for an SSN online or storing it unless
it is for his employees, or the transaction being conducted requires
notification to the IRS, or the transaction is subject to the customer
identification program rules. Either way, PII like this should be securely
stored offline.

For credit card information, it all has to be transmitted and stored securely
in accordance with the credit card merchant agreement he has agreed to.

The HTTP protocol is not secure; when your family member is hacked or audited,
they may be liable for many civil and criminal charges.

Have them read all the information for PCI DSS compliance -
[https://www.pcisecuritystandards.org/merchants/](https://www.pcisecuritystandards.org/merchants/)

You have done your part by advising him about the risks, privacy concerns and
how bad it really is. Either way it is ultimately a risk he is accepting for
himself and the business which he will have to deal with the consequences when
something bad occurs in the future.

If he needs proof of how bad the decisions he has made can be, point him to
many of the recent credit card and government organization breaches.

~~~
stevenhubertron
I should clarify that it is for Real Estate, thus the SSN. That link might be
helpful.

------
SyneRyder
I'd say an even bigger question is, why is he even doing it that way at all,
and not using a service like Stripe, Braintree, Shopify or similar? They've
invested in polished checkout experiences, it's what they do, and it moves the
burden of PCI compliance, PII storage, SSL etc to the service. When Stripe
exists, why would you even go down the merchant account route anymore?

Scaring them with the bad stuff might not be effective, people don't react
well to being told they're doing everything wrong. Perhaps showing them an
easier solution that reduces their admin hassles & could potentially increase
their sales is a better way to approach this.

~~~
jtdowney
Both Stripe and Braintree require you to use SSL (really TLS) on your checkout
pages. They also both require you to maintain PCI compliance (although you
likely qualify for a reduced set of requirements).

~~~
jordsmi
They 'require' it, but it is still possible to use the service without SSL. At
least it was possible on Stripe a few months ago. I'm not sure if they end up
cutting you off after they notice the non-SSL traffic, but I set up some test
apps that worked fine without SSL.

------
jeffmould
Beside the point, but why in the world is he collecting SSN numbers? That in
itself is more concerning to me than not having SSL. But that's just me. I
have had my identity stolen and know first hand how difficult, to almost
impossible, it is to clean up.

With that said, I do know that many states have strict laws regarding the
collection/use of SSN numbers via websites and/or for the sale of goods.

As for the credit card info, I believe most processors have in their terms
that SSL is required for live transactions. I was also going to point to PCI
compliance, but I am not sure how aggressive they are at going after the
"little guy". Although with credit card theft in the US being a hot topic
right now, I am sure anyone that is non-compliant will be a target for
violations.

EDIT: To add a link: starting at page 12, it talks about various state laws
regarding SSN collection:
[http://www.gao.gov/new.items/d051016t.pdf](http://www.gao.gov/new.items/d051016t.pdf)

~~~
StavrosK
Can someone explain how identity theft is even possible in the US? I hear a
lot about it, but I can't understand how broken a system must be that makes it
possible for someone to steal your identity just by having one identifier.

~~~
danudey
Hypothetical situation: what do you do if you lose all of your ID (e.g. house
fire)? You have to start somewhere, and your SSN is a good choice.

You can't do it solely based on one single number, but in this case a data
breach would include name, address, credit card number, SSN, and probably
security questions. You can turn around and use that information to play the
part of a person to another organization, and then go from there. Combine that
data with social engineering, and you can get a lot of information about
someone and then use it in further attacks.

That's not to say the US's system isn't broken; lots of companies ask for (and
require!) the SSN even though they shouldn't. The problem is that it's not
just one identifier that holds the key to your life, but that the SSN is an
_extremely strong identifier_ which is _assumed to be secret_.

~~~
Filligree
Well, sure, but the government's information on you will also include...
parents, other family, a photograph of your face, and so on.

It should never be possible to do what you're suggesting, not unless the USA
is failing to collect that info in the first place.

~~~
schrodinger
Stolen identity doesn't usually mean that someone has convinced a government
office that they are you; that would be a lot harder for the reasons you say.
It's more often someone having enough information to open a credit card in
your name and start using it, or take out a loan—things for which the
government is not really involved.

------
cmurf
The first thing I'd think of with a site asking for SSN is an active intent to
commit fraud: ID theft, or fraud. That's before SSL (which is obsolete anyway,
only TLS should be considered now).

The second thing: the fact it's HTTP and not HTTPS suggests he's collecting
and storing this information, which is almost certainly a violation of his
credit card agreement with his bank. Credit card information is not supposed
to be stored; he passes that off through a secure connection to his
processing service, who will only do that through a secure connection, and he
gets a transaction ID and authorization, and that's all he references from that
point on.

So this is less about SSL/TLS than it is that he's doing it all wrong. And it's
depressing that he's in business, only made possible by the ignorance of his
customers who actually agree to give him all of this information, and on an
insecure connection no less.

------
facetube
If a storefront on the web asked me for an SSN, HTTPS or HTTP, I'd probably
file a police report for the attempted identity theft. There's literally no
other plausible reason to collect that information, unless he/she is a
registered financial institution extending credit to people.

------
tchock23
There is also the case for a potential increase in his conversion rates as a
result of adding SSL.

Online shoppers I've observed in usability sessions often scour sites looking
for evidence of security measures (e.g., green EV certs in the browser,
various icons in the footer). This is especially true when you're asking for
something like SSN info...

If appealing to the desire for security of user info doesn't work
(unfortunately), appeal to his desire for more customers...

------
AndyMcConachie
[https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business](https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business)

Read section 4 specifically.

------
brobinson
>I am trying to explain to him why this is bad, but he doesn't really care.

"You are losing sales. People look for the lock icon on the address bar."

Also, he can get SSL on his site for FREE in < 5 minutes using Cloudflare.

~~~
gojomo
Cloudflare may be a good option for him. But, the quick and free Cloudflare
SSL would still be non-SSL from Cloudflare to his site – an improvement
against many home/public-Wifi threats but not a total fix (nor true compliance
with credit-card agreements).

Also, for a totally non-technical person, it will take – and be billed as –
more than 5 minutes of someone else's time to get even that free half-measure
into effect.

~~~
brobinson
Good points.

That raises an interesting question: how could a person determine if the
connection between an edge (say, Cloudflare) and the destination server is
actually encrypted? I can't think of a way to do this unless you know the
address of the true IP of the destination and poke it on the SSL port. That
still doesn't guarantee SSL is being used, though.

~~~
gojomo
In general there's no way to know: you have to trust the destination's
internal choices, once you've reached their chosen perimeter.

In my opinion best practice would be to obscure what the "true IP" of the
backend server is, _and_ only accept connections from Cloudflare. (I don't
know if Cloudflare offers any options for this stronger than trusting their IP
ranges, such as a client certificate on their outbound-SSL.) So if you _could_
"poke [the true origin] on the SSL port", that could itself be evidence of
suboptimal security.

~~~
brobinson
>obscure what the "true IP" of the backend server is, and only accept
connections from Cloudflare

This is what I was planning to do when I launch the app I'm working on now.
Thanks for the reply.

------
stevenhubertron
So I dived in a bit more while I wait for him to call me back. It's a Magento
build using Authorize.net. I haven't worked with Magento in years, but it should
be really simple, right? Set up some forwarding rules in Cloudflare to always
go to HTTPS, and of course the cert.

At least it isn't some guy's backyard CMS.

~~~
rgbrenner
_Set up some forwarding rules in Cloudflare to always go to HTTPS, and of
course the cert._

Please do not do that. That doesn't solve the problem at all if the origin
server is still serving the content over HTTP. You're just lying to visitors
by making them think it's secure when it's really not.

Magento is like any other PHP app: there's Apache (or some other webserver)
in front of it, so just set up Apache properly.
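
A worked configuration for the two points raised above, gojomo's (keep the
origin reachable only by Cloudflare, so that "poking the true IP on the SSL
port" yields nothing) and rgbrenner's (the origin itself must serve HTTPS and
send port-80 visitors to it, rather than relying on the Cloudflare edge). This
is an added example, not anything posted in the thread or shipped by Magento,
Cloudflare or Authorize.net. It assumes Apache 2.4 with mod_ssl and
mod_headers enabled; the hostname `shop.example.com`, the certificate and key
paths, and the path of the Cloudflare client-certificate CA file are
placeholders. The client-certificate block assumes Cloudflare's Authenticated
Origin Pulls feature, under which the edge presents a Cloudflare-issued client
certificate on the edge-to-origin connection; if that feature is not enabled
on the account, leave those three directives out.

```apache
# Added example: Apache 2.4 virtual hosts for a Magento origin behind Cloudflare.
# shop.example.com and every file path below are placeholders.

# Port 80 never serves content. Every request is sent to the HTTPS host, so a
# visitor (or the Cloudflare edge) that arrives over plain HTTP is redirected
# before any form, cookie or card field is delivered.
<VirtualHost *:80>
    ServerName shop.example.com
    Redirect permanent / https://shop.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.example.com
    DocumentRoot /var/www/magento

    # TLS on the origin itself, not only between the browser and Cloudflare.
    SSLEngine on
    # Placeholder paths: the origin's own certificate and private key.
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
    # Disable the obsolete SSL protocol versions; only TLS is negotiated.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Once a browser has seen this header it refuses to load the site over
    # HTTP for a year, which closes the window the port-80 redirect leaves open.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Require the Cloudflare-issued client certificate (Authenticated Origin
    # Pulls). A connection that bypasses Cloudflare, e.g. straight to the
    # origin IP, fails the TLS handshake instead of receiving a page.
    # Placeholder path: the Cloudflare origin-pull CA certificate.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/ssl/certs/cloudflare-origin-pull-ca.pem

    <Directory /var/www/magento>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

Two notes on using this. First, do the "only accept connections from
Cloudflare" part at the host firewall (allow inbound 80 and 443 only from the
ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and
https://www.cloudflare.com/ips-v6) rather than with `Require ip` inside Apache:
if mod_remoteip is later enabled to restore the visitor's address from the
`CF-Connecting-IP` header, Apache's `Require ip` then evaluates the visitor's
address instead of the edge's, and an Apache-level allow list of Cloudflare
ranges would start rejecting legitimate shoppers. Second, this gives the site
owner the check brobinson asked about: `curl -I http://shop.example.com/`
should return a 301 to the HTTPS URL, and an `openssl s_client -connect`
against the origin's own IP on port 443 should end in a handshake failure
because no Cloudflare client certificate was presented; if a page comes back
instead, the origin is still exposed.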

------
detaro
[http://www.pcistandard.com/card-association-fines/](http://www.pcistandard.com/card-association-fines/) might be a
starting point? (I don't know if it actually applies in this case though.)

------
Too
Seriously? Do CC vendors allow any random home hacker to create collection
forms for credit cards? If I were Visa I would at minimum have a checklist
that must be fulfilled, otherwise the store gets their license withdrawn.

