Ask HN: Anyone else use BeerSmith? It sends your creds in the clear
6 points by ptzim on June 1, 2017 | hide | past | favorite | 1 comment
Sent this to Brad back in 2014; still not fixed.

-

Hi,

Beersmith is a great resource for home brewers. My friends and I have found it invaluable for our all grain batches. However, did anyone realize that the entire service runs over an insecure connection?

Registration is done over HTTP (not HTTPS), which could be fixed with a cheap SSL certificate. Fixing the application installed on client machines would require a little more effort, but worth it since most people use the same login information across sites. It would be really unfortunate if beersmith was ultimately determined to be the source of a breach at some other site.

I'd be more than happy to help...

-

Thanks, this is in the security/privacy notice on the site. I'm far from the only one running an HTTP service - virtually all discussion forums online (for example) are not secured, and a lot of people are not running secure email. I could secure it but it causes additional challenges with the mobile version - it's not just a matter of setting up an SSL key since all of the accessing programs would also have to use SSL.

Cheers!

Brad Smith

-

Thanks for the quick response. Agreed that running an HTTP service is fine—beer recipes aren’t sensitive info…also agreed that changing the entire system over to SSL would be a pain. Maybe just look at securing the calls to Login.php and GetRecipes.php? That seems to be the least amount of work and wouldn’t require client-side keys (just an update to use a secure connection with PKI and signed cert validation instead).

Users don’t read security and privacy policies and to make matters worse, they reuse credentials across sites. Their gmail, twitter, or facebook account is now an online identity, used to verify access to a variety of other sites. So a compromise on a low-risk site like beersmith.com creates a cascading problem…it just doesn’t make sense to leave this security hole open.
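To make the two halves of the exchange above concrete, here is an added example (written for this page, not code from BeerSmith, from Brad, or from the poster): first, the parser a passive observer on the path (shared Wi-Fi, an upstream proxy, a compromised router) would need to pull a username and password out of a plain-HTTP login POST; second, the client-side change the poster proposes, namely sending credentials only over TLS with CA-signed certificate and hostname validation, which needs no client-side keys. The endpoint names Login.php and GetRecipes.php come from the thread; the hostname beersmith.example, the form field names user and pass, and the captured request bytes are constructed assumptions.

```python
"""Added example (not BeerSmith's code): what a passive observer sees when a
desktop client logs in over plain HTTP, and a client-side policy that only
sends credentials over TLS with certificate and hostname validation."""
import ssl
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a login POST exactly as it would cross the wire over
# plain HTTP. The host and the field names "user"/"pass" are assumptions,
# not taken from the real client.
CAPTURED_REQUEST = (
    b"POST /Login.php HTTP/1.1\r\n"
    b"Host: beersmith.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"user=brewer42&pass=hunter2%21&remember=1"
)


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so pipelined bytes after the body are not read.
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def extract_credentials(raw: bytes, login_path: str = "/Login.php"):
    """Return the form fields readable by anyone on the path for a login
    POST, or None if the request is not a form POST to the login endpoint.
    This is the whole 'attack': no cryptography, just reading the bytes."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path != login_path:
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


# ---- The fix the poster proposes, on the client side ----------------------

# Calls that carry the login or a logged-in session; per the thread these are
# the only ones that need to move to HTTPS. Paths beyond these two are assumed.
CREDENTIAL_PATHS = {"/Login.php", "/GetRecipes.php"}


def tls_client_context() -> ssl.SSLContext:
    """'Signed cert validation' without client-side keys: the default context
    requires a certificate chaining to a trusted CA and checks that the name
    in it matches the host, so an on-path attacker with a self-signed or
    mismatched certificate gets a handshake failure, not the password."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_credential_endpoint(url: str) -> str:
    """Fail closed: refuse to send credentials to a credential-carrying
    endpoint unless the scheme is https, so a downgraded, cached, or
    mis-typed URL cannot silently leak the login."""
    parts = urlsplit(url)
    if parts.path in CREDENTIAL_PATHS and parts.scheme != "https":
        raise ValueError(f"refusing to send credentials in the clear to {url}")
    return url


if __name__ == "__main__":
    print("observer recovered:", extract_credentials(CAPTURED_REQUEST))
    ctx = tls_client_context()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
    for candidate in ("https://beersmith.example/Login.php",
                      "http://beersmith.example/Login.php"):
        try:
            print("allowed:", check_credential_endpoint(candidate))
        except ValueError as exc:
            print("blocked:", exc)
```

The observer side shows why the "recipes aren't sensitive" argument does not help: the credential leaks on the login call regardless of what the service protects. The client side shows that the fix the poster describes is a configuration change in the desktop and mobile clients (an https URL plus the platform's default certificate validation), not a key distribution problem.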



Change your password and run for the hills! Clearly this part time wannabe developer / full time beer enthusiast is just trying to make a quick dollar with the least amount of effort (let's be real, everyone is), but his complete neglect of basic security standards, and how that can affect his consumers, is just pure neglect and laziness. I'm sure quite a lot of people who read this, much like myself, will be like "oohhhh an insecure website with passwords. I wonder what mischief I can get up to."



