I am going to purposefully leave the details of this post fuzzy because I don't want the company I am writing about, which I've never done business with before and hence don't know how they receive technical "concerns," to come after me with some bogus DMCA charge. Instead, I am just posting it to both of my blogs as a parable.
I am an unpaid, volunteer webmaster for a certain local non-profit. Our
web site has been hosted for free for years by a national non-profit who
also provided low-cost domain name registration. Recently, the national
organization decided that the web hosting and registration business was
not part of their core mission (and their reasons make sense - it's a
PITA to deal with, but I understand why they're doing it). They
recommended some providers to take over the web hosting part and as a
convenience have contracted with a domain registrar to take over the
domain name side of things. It is with this latter company that I have
the following complaint.
Today I was checking my junk folder and
right before I emptied it I noticed a "From" address that rang a bell.
It turned out to be a "welcome" email from the new domain registrar.
That in itself is not a bad thing - it is even proactive, given that the
deadline for switching over is less than two months away. But in the
middle of the email lurked problem number one - they had included a new
userid and password for our account, in plain text. Already my antennae are twitching. Who would be so clueless as to send out an unsolicited email with credentials in it? SpamAssassin thought it was fishy, that's for sure.
I then go to their web site (not via any links in the email, but directly
using their base domain name that I had already received from the
national organization), and see a place to log in, so I do, using the
credentials from the email. And that's when I notice the second problem.
The login isn't sent over an encrypted HTTPS session. Just to make sure, I fired up Fiddler and tried it again and yup, I can see the unencrypted userid
and password going over the wire in the HTTP request body. It isn't
until later, when I click on the "My Account" link on their site that
they switch to an HTTPS session, but at that point why bother?
So, needless to say, as part of the process of migrating the site to a new hosting provider I am going to make a strong recommendation
that the local organization I am working with change domain
registrars, too. Because frankly, I consider this technical cluelessness
of the first degree and completely inexcusable.