1. 47

  2. 30

I agree that the page should be served over HTTPS. I’m not sure I agree that the lecture which followed was necessary. Yes, the person replying to his initial tweet didn’t get it. It’s clear that this individual does not understand the importance of HTTPS. But within 30 minutes, they offer to forward his concern to the technical staff. Within 24 hours, there are comments on this blog post that the page has been switched to HTTPS. This indicates that one of those technical people, in the space of a workday, corrected the mistake. I’m not convinced that this incident is evidence (in and of itself) of anything more than a nontechnical person unwittingly deploying a customer relations strategy that is inappropriate for the situation. Yes, banks and other institutions handling sensitive data should not make these mistakes, etc. But, like Torvalds, I’m also getting tired of the sanctimonious, unwarranted lectures from the infosec crowd. Not everyone understands the importance of SSL. Making people feel bad about this only makes the problem worse. In an era where everyone needs the benefits of infosec expertise and technology, the infosec community has a real user experience and user relations problem.

    1. 18

      Wow, I didn’t realize this was fixed within a day. That changes a lot of things, this article can now be summed up as “I didn’t like the way the PR person for NatWest’s twitter account answered me”.

      1. 7

        It’s pretty insane that he expects some social media person to understand what he is on about and be able to reply instantly with the right info.

        1. 3

Truth be told, I do. Social media people are supposed to communicate between users and the company, so I would expect them, whenever there is a chance that a user is reporting something important, to forward it to an internal tech contact at the company. If your contact people don’t do that, what is their purpose? Pure marketing? Then don’t answer customers at all on these channels.

          (And I do think that deploying HTTPS within 24 hours is actually pretty good within a big organization, so they do seem to employ competent people)

          1. 1

            I’m sorry you feel this way. I can certainly pass on your concerns and feed this back to the tech team for you Troy? DC

            They passed the feedback to the correct team. In my opinion, the social media people did their job at this point. It isn’t their job to understand what he’s saying, it is their job to pass the information to the right people. Apparently it wasn’t phrased well enough for this guy though.

      2. 7

        Just to play devil’s advocate:

• what about the 4-month-old XSS vuln mentioned towards the bottom of the article, reported by @huykha10?
        • their rushed-out fix now has problems of its own with mixed protocols, bad certs, and still no upgrade-insecure-requests

        I side with you in that public shaming isn’t helping how people feel about properly implementing security, but it sure seems like it took someone making the news before they leapt into action.
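An added example, not from the thread or from NatWest: a small Python audit that checks a constructed sample page for the gaps listed above that can be judged offline, namely mixed content, a Content-Security-Policy without upgrade-insecure-requests, and a missing HSTS header (certificate problems need a live TLS handshake and are not covered). The page contents and headers are made up for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample: a landing page now served over HTTPS, but with an incomplete fix.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self' https:",
}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<form action="http://login.example.test/auth" method="post"></form>
<a href="http://www.example.test/help">help</a>
</body></html>"""

# Tag/attribute pairs that load or submit content. A plain http:// value here on an
# https page is mixed content; an http:// <a href> is only navigation and is not flagged.
LOAD_ATTRS = {("script", "src"), ("link", "href"), ("img", "src"),
              ("iframe", "src"), ("form", "action")}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in LOAD_ATTRS and value and value.lower().startswith("http://"):
                self.findings.append(f"{tag}[{name}]={value}")

def audit_https_page(headers, html):
    """Return a list of issues for a page that is already served over HTTPS."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    issues = []
    scanner = MixedContentScanner()
    scanner.feed(html)
    issues += [f"mixed content: {f}" for f in scanner.findings]
    csp = hdrs.get("content-security-policy", "")
    # First token of each ';'-separated directive is the directive name.
    directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
    if "upgrade-insecure-requests" not in directives:
        issues.append("CSP lacks upgrade-insecure-requests")
    if "strict-transport-security" not in hdrs:
        issues.append("no HSTS header")
    return issues

if __name__ == "__main__":
    for issue in audit_https_page(SAMPLE_HEADERS, SAMPLE_HTML):
        print(issue)
```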

        1. 2

          You’re right - it’s not as simple as they fixed it in a day. There is additional evidence of incompetence and not all of it seems to be simple ignorance. I’m not defending any of their sloppy security practices, including those in your list. At some point, publicly shaming them is a reasonable way to seek the desired outcome. I just don’t think it should be the first step. Tone is very hard to read on the web; to me, the author’s tone indicated that he assumed the worst from the start. It seems like many people now use accusative tweets to threaten public embarrassment as a way to quickly get what they want. The result of this routine, reflexive public shaming is a culture where people are afraid to admit what they don’t know or don’t understand. If the goal is to have a population that values security, I would guess (without any data) that it’s more effective to treat the uninitiated kindly and save the shaming for those who willfully and maliciously disregard well-established social norms (of information security or whatever else).

          1. 1

            Thanks for the response! I totally agree with you.

            I’m also guilty of being flip sometimes when frustrated by something that I can’t get traction on. It’s tough to continue being helpful and polite when faced with a lack of ownership for an issue that you yourself can’t fix.

      3. 9

        What do you expect talking to a PR person on twitter about hypertext transfer protocols?

        1. 10

          I’d expect them to be SOMEHOW trained to identify dangerous activity, especially if money is involved. Banks really need to be at the front line of IT security.

          1. 4

            Indeed, everyone in the company I work for receives security training, not just technical people, and we have about 20k employees. One of the primary red flags is anything that doesn’t use HTTPS. Ignorance of security practices is not an excuse when you work for a bank, no matter what position you are in…and if the bank is not providing their employees this training then I would wager they have very serious flaws in many other parts of their organization. Especially and most dangerously, flaws that are invisible to the public. This type of behavior and attitude with their public website is very telling of what nastiness likely lies below the surface.

            1. 4

              I’d expect them to be SOMEHOW trained to identify dangerous activity, especially if money is involved.

              Hmm. I wouldn’t say so. To be honest everybody has a different field of expertise, and I wouldn’t blame a PR person for not knowing IT security “basics”.

The person didn’t react very well, but definitely did the right thing in transmitting the issue to the relevant department.

          2. 6

            The main thing I got out of this is that Troy Hunt doesn’t understand how large organizations work and is a bit of an a**hole.

            I feel his way of handling this is akin to opening a ticket on Amazon’s Github page to return an item I purchased off their website, and then writing an article belittling them when they don’t immediately handle it.

            Sadly, I think the real explanation is that he’s being deliberately obtuse to drum up publicity for his website…

            1. 2

              To their credit, somebody at NatWest realised what was going on and they have now promised to fix it: http://www.bbc.com/news/technology-42353478

              1. 1

It’s a bank. It’s 2018. It’s HTTPS. The tech department is the one who designed an HTTP landing page in the first place, so the social media person’s offer to pass along Troy’s concerns is not likely, in and of itself, to result in an HTTPS landing page.

                I think of Troy’s campaign as a public education tool. Not only for companies who are employing poor security, but for customers of those companies. It’s as a result of reading things like Troy’s discussions with companies, and the companies’ responses, that I understand why these things are important to me. And it makes it easier for me to look for security issues with other companies’ sites.

                Not sure you could call this publicly shaming. Troy is saying, hey, this happened. How NatWest feels about that is up to them. I would hope that NatWest would feel committed to reshaping a tech department that would build an HTTP landing page in 2018. And I would hope that every tech department at every bank would read that article and double-check that their site doesn’t have those problems. In 2018.

                I remember having a private discussion with a financial institution who had similar security issues with their site. I had been educated by a post on a security website which discussed some of the security flaws seen in a lot of companies’ websites. Some of the flaws listed matched the flaws on this financial institution’s site, and I sent the financial institution the link to the post. The discussion I had with the institution was less than satisfactory.

                I think that if I had been able to send that financial institution a link to a site discussing the media attention that such flaws can generate, I might have had a more satisfactory discussion with that financial institution.