Imagine if Gmail was unencrypted… like Ebay

Update 03/07/2017: https is starting to appear on webmail, but http still seems to work in places, and until it is removed and the cookies are marked Secure it is probably best to avoid using eBay.
eBay mocks Data Protection laws by sending emails over http, while its site states that its email service is secure.


This is already illegal under existing Data Protection law; it doesn’t even need the upcoming GDPR. The way eBay describes its security misleads users, and even without GDPR a messaging system like this should fall under laws such as PECR.

eBay’s https session is vulnerable to attack over http

This problem is fixable by marking the session cookies Secure, so browsers only ever send them over https, and by upgrading http to https with HSTS so that a stray http request no longer reaches the server in plaintext and the risk of the problem returning is reduced.

I tested this against http://ebay.com instead of http://mark.ebay.com (made using an /etc/hosts entry to localhost and a SimpleHTTPServer) and a request to that works too. However, I’m on a shared network (at FOSDEM) and pretty sure they don’t want me to run Wireshark on their wifi, so I can only demonstrate it using Copy as cURL from Chrome to show the cookies sent in plaintext.
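The two fixes above, and the leak they close, can be checked without touching a live site. The following is an added example written for this post, not eBay’s code or anything from the original article: it parses a constructed set of Set-Cookie headers, works out which cookies a browser would attach to a plain http:// request (RFC 6265 only withholds cookies carrying the Secure attribute), shows the one-attribute fix, and checks a Strict-Transport-Security header for a sensible max-age and includeSubDomains. The sample headers, the one-year minimum HSTS age and the function names are assumptions of the example.

```python
"""Check which cookies would leak over plain http, apply the Secure fix,
and grade a Strict-Transport-Security header. Added example; all sample
headers below are constructed, not captured from eBay."""
import re

# Minimum HSTS max-age accepted by this check: one year, a common
# recommendation and an assumption of this example, not a figure from the post.
MIN_HSTS_AGE = 31536000

# Constructed sample Set-Cookie headers (not real eBay cookies).
SAMPLE_SET_COOKIE = [
    "s=abc123; Path=/; HttpOnly",                            # session cookie, no Secure flag
    "csrf=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",  # already Secure
    "prefs=lang%3Den; Path=/",                               # no Secure flag
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}); attribute keys are lowercased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_sent_over(scheme, set_cookie_headers):
    """Names of the cookies a browser attaches to a request made over `scheme`.

    RFC 6265 section 5.4: a cookie with the Secure attribute is only sent over a
    secure channel (https). Every other cookie also rides along on plain http,
    where anyone on the path (a shared wifi, say) can read it.
    """
    sent = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" in attrs and scheme != "https":
            continue
        sent.append(name)
    return sent


def add_secure(header):
    """The cookie-side fix: append the Secure attribute to a Set-Cookie header if it is absent."""
    _, _, attrs = parse_set_cookie(header)
    if "secure" in attrs:
        return header
    return header.rstrip("; ") + "; Secure"


def hsts_check(headers):
    """Return (ok, reason) for a dict of response headers.

    Strict-Transport-Security makes the browser rewrite later http:// requests
    to https:// before they leave the machine, so a stray or injected http link
    no longer produces a plaintext request at all.
    """
    value = None
    for key, val in headers.items():
        if key.lower() == "strict-transport-security":
            value = val
    if value is None:
        return False, "no Strict-Transport-Security header"
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    if not match:
        return False, "max-age missing"
    max_age = int(match.group(1))
    if max_age < MIN_HSTS_AGE:
        return False, "max-age %d below %d" % (max_age, MIN_HSTS_AGE)
    if "includesubdomains" not in value.lower():
        return False, "includeSubDomains missing: subdomains stay exposed"
    return True, "ok"


def audit(set_cookie_headers, headers):
    """Summarise the two things that need fixing: cookies that leak over http, and HSTS state."""
    return {
        "leaks_over_http": cookies_sent_over("http", set_cookie_headers),
        "hsts": hsts_check(headers),
    }


if __name__ == "__main__":
    weak = {"Content-Type": "text/html"}  # constructed: no HSTS at all
    print(audit(SAMPLE_SET_COOKIE, weak))
    fixed = [add_secure(h) for h in SAMPLE_SET_COOKIE]
    strong = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print(audit(fixed, strong))
```

The first audit reports `s` and `prefs` as leaking over http and a missing HSTS header; after `add_secure` and a strong HSTS header the leak list is empty. Note that Secure on its own only protects the cookie once the browser already holds it; without HSTS the very first http:// request still goes out in the clear, which is why the post asks for both.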

ICO has no powers over webcams

The ICO published a letter to webcam manufacturers… well, you don’t have to pay much attention to it if you are one.

Dell broke https encryption on their laptops by installing a vulnerable root certificate.

If you run a business and store personal data, you must jump through heaps of hoops to ensure you comply with data protection law. But the manufacturer of the servers, network equipment and laptops you have to use has no such requirements: they can be as insecure as they like, and you pick up the bill when the ICO chases down the breach their equipment caused.

Case Reference Number RFA0606701

I write in relation to your concerns about Dell’s new equipment security fault, about which my colleague has previously responded to you.

The DPA works by placing obligations on organisations that hold personal information. The DPA does not however place any obligations on the manufacturers of equipment that may be used for storing personal information.

The security requirement of the DPA (the seventh data protection principle) requires an organisation holding personal data to have adequate technical and organisational measures in place to protect the personal data (taking account of the nature of the information being held, the availability of technology, and the cost of implementing those measures).

As such, an organisation that has purchased Dell equipment subject to the fault for the storage of personal data may be contravening the DPA if they have failed to keep personal data secure as a result of their use of insecure equipment for the storage of personal data.

Dell is not contravening any requirements of the DPA by selling insecure equipment. The DPA does not, in any way, require suppliers of equipment to ensure their products are secure. The obligations arising from the DPA are for organisations using the equipment for the storage of personal data.

Because our powers are specific to the DPA there is therefore no punitive or other action we can take against Dell over its failure to sell secure computer equipment.