Monday, May 12, 2008

statcounter follow-up

so how do you feel about cleartext passwords over inet? anyway, this is a followup from my other post about statcounter passing creds in the clear after you hit their page via SSL... the rub of it is that SSL is up and functional for processing creds, they just don't use it.

so i mailed em, and here's what they said:

As far as the general member log in is concerned, a secure connection is not generally used - our view is that the information in your StatCounter account is not "critically sensitive" in the same way as your online bank account would be. In addition, we have never had a case of anyone's log-in details being stolen.

Basically, since we provide a free service, we have to analyse everything on a risk return basis from the perspective of our members. The extra cost of providing secure log in facilities in terms of increased hosting costs etc would reduce the level of service we can provide to our members and the vast majority of our members are happy with the system as it stands. This is the thinking behind our position.

The service we provide, however, is 100% driven by our members. So if a large portion of our members voiced their concerns to us in this regard, then this is something we would have to implement.

i think that bit at the end is very cool. kudos for being willing to listen to your user base. so i wrote em back w/ this blurb, and haven't heard anything in a few days:

I completely understand that there is a cost benefit analysis that must be done in regards to any security measure. You do provide a nifty free service, and I'm grateful for it...

My main disagreement w/ the crux of your response comes from the fact that you already have SSL infrastructure in place. You clearly have the capacity to handle the current amt of people who hit https://statcounter, although I'm sure most users probably hit http:// instead.

I have never hosted a site, so I can only speculate, but it seems that the increased cost of doing an HTTPS POST for users who explicitly travel to the HTTPS main page would only moderately increase the amount of bandwidth hitting your SSL devices (considering that most users probably hit HTTP by default).

...

[if you] do your login POSTs as cleartext HTTP, then you should just disable the HTTPS site entirely, because it is wasting money and bandwidth by encrypting the public site and not protecting user credentials...


what do you think? do you use the same username and password for accounts like this? or do you have a different password for every site you visit? do you bother to check if you're on SSL when you're logging into a site? are we worried about sniffing anymore?
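One way to check for the behaviour described in this post (a page reached over HTTPS whose login form still submits over plain HTTP) is to resolve each password form's action against the page URL and compare schemes. This is an added example, not code from the original post or from StatCounter; the sample HTML, the example.test host and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Record where every form containing a password field submits to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.targets, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page's own URL.
            self._form = {"target": urljoin(self.page_url, a.get("action") or ""),
                          "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.targets.append(self._form["target"])
            self._form = None

def verdict(page_url, target):
    page_tls = urlsplit(page_url).scheme == "https"
    target_tls = urlsplit(target).scheme == "https"
    if page_tls and target_tls:
        return "ok"
    if page_tls:
        return "downgrade: HTTPS page posts credentials over HTTP"
    if target_tls:
        return "weak: HTTP page, form can be rewritten before it is submitted"
    return "cleartext: page and login POST are both HTTP"

def audit(page_url, html):
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return [(t, verdict(page_url, t)) for t in parser.targets]

# Constructed sample page (hypothetical markup, not any real site's login form).
SAMPLE = """<html><body>
<form method="post" action="http://www.example.test/login.php">
  <input type="text" name="user"><input type="password" name="pass"></form>
<form method="post" action="/account/login"><input type="password" name="pass"></form>
<form action="/search"><input type="text" name="q"></form>
</body></html>"""
```

Running `audit("https://www.example.test/", SAMPLE)` flags the first form as a downgrade and passes the second; the search form is ignored because it has no password field.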

1 comment:

Jens "jdm" Meyer said...

Yeah, you know how I feel, and that is cool of them to at least indicate that they listen to their user base. But you're right, it doesn't make a whole lot of sense to have an SSL homepage and not use it. I guess we'll see what they say.