List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too
Posted by jpluimers on 2016/10/24
This Plain Text Offenders site lists email screenshots of organisations sending back the plain-text passwords they kept on file (according to Robert Love, Idera/Embarcadero should be on the list as well).
It is one of the most horrible things that can be done with a password.
Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains. The ones that are so broken that they degraded their https to virtually plain-text http quality.
In the past, a notorious example of this was Embarcadero, which managed to get an F rating or had wrong configurations on the domains below, thereby preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):
- members.embarcadero.com (the logon site for regular users)
- tp.embarcadero.com (the partner site which does not allow for a secure means of logon)
- quality.embarcadero.com (the site where to post bug reports and enhancement requests, replacing qc which had no https at all)
- community.embarcadero.com (the replacement of the forums server which like the original is down a lot of the time) which for a long time defaulted to http login at http://community.embarcadero.com/login (hopefully it doesn’t do that any more).
- forums.embarcadero.com (which has been revived after the old forums server was down more often than it was up)
- edn.embarcadero.com (the developers network server containing articles and information)
- store.embarcadero.com (buying things)
- www.embarcadero.com (the main site)
- embarcadero.com (the mail servers; checked via ssl-tools.net as SSL Labs doesn’t support MX)
As maintaining proper security infrastructure is an ongoing effort and SSL Labs raise their rating criteria over time, I wasn’t holding my breath, but currently most are grade C. Still not good, but good enough. Notable exceptions:
- tp.embarcadero.com still doesn’t support https, though partners enter their credentials there
- http://www.embarcadero.com still had grade F for a long time for just one of its IP addresses; that only recently got fixed, so it is now grade B
- forums.embarcadero.com:563 cannot be checked by SSL Labs (as it uses NNTP over SSL), but is still very vulnerable
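SSL Labs only scans the https port, which is why an NNTP-over-SSL port like the one above goes unchecked. As an added example (my own code, not from this post, from Embarcadero, SSL Labs or testssl.sh), here is a small Python probe that handshakes with any host and port, records what the server negotiated and whether its chain verifies against the system trust store, and turns those facts into findings along the lines a grader looks at. The thresholds (the set of weak protocol versions, a 128-bit cipher minimum, a 30-day expiry warning) are my assumptions, not any grader's published criteria.

```python
"""Added example: a minimal TLS probe for hosts and ports SSL Labs cannot scan
(for instance an NNTP-over-SSL port such as 563), plus the assessment logic
that maps handshake facts to findings. Hostname and port are parameters;
nothing here is specific to any real site."""
import socket
import ssl
from typing import List, Optional

# Assumption: protocol versions a grader already treated as broken or deprecated.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_CIPHER_BITS = 128          # assumption: below this is flagged
EXPIRY_WARNING_DAYS = 30       # assumption: warn when the leaf cert is this close to expiry
BROKEN_PRIMITIVES = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def assess(protocol: str, cipher_name: str, cipher_bits: int,
           verified: bool, days_left: Optional[int] = None) -> List[str]:
    """Map the facts of one handshake to human-readable findings.
    An empty list means nothing was flagged."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"negotiated {protocol}; only TLS 1.2 or newer should be enabled")
    if cipher_bits < MIN_CIPHER_BITS:
        findings.append(f"cipher {cipher_name} is only {cipher_bits}-bit")
    if any(weak in cipher_name for weak in BROKEN_PRIMITIVES):
        findings.append(f"cipher {cipher_name} uses a broken primitive")
    if not verified:
        findings.append("certificate chain does not verify against the system trust store")
    elif days_left is not None:
        if days_left < 0:
            findings.append(f"certificate expired {-days_left} days ago")
        elif days_left < EXPIRY_WARNING_DAYS:
            findings.append(f"certificate expires in {days_left} days")
    return findings


def probe(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Handshake twice: permissively, to learn what the server will negotiate,
    then with a verifying context, to learn whether its chain is trusted."""
    permissive = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    permissive.check_hostname = False          # must be cleared before verify_mode
    permissive.verify_mode = ssl.CERT_NONE
    permissive.minimum_version = ssl.TLSVersion.TLSv1  # let old servers show what they offer
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with permissive.wrap_socket(raw, server_hostname=host) as tls:
            protocol = tls.version()
            cipher_name, _, cipher_bits = tls.cipher()

    verified, days_left = False, None
    try:
        strict = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()       # only populated when verification succeeded
                verified = True
                import time
                not_after = ssl.cert_time_to_seconds(cert["notAfter"])
                days_left = int((not_after - time.time()) // 86400)
    except ssl.SSLError:
        pass  # untrusted chain, expired cert or hostname mismatch: reported as a finding

    return {"host": host, "port": port, "protocol": protocol, "cipher": cipher_name,
            "bits": cipher_bits, "verified": verified, "days_left": days_left,
            "findings": assess(protocol, cipher_name, cipher_bits, verified, days_left)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe(target, target_port)
    print(f"{result['host']}:{result['port']} {result['protocol']} {result['cipher']} "
          f"({result['bits']} bit), verified={result['verified']}")
    for finding in result["findings"] or ["no findings"]:
        print(" -", finding)
```

Run it as `python probe.py host 563` against a server you operate; the permissive handshake deliberately accepts anything so that a weak server shows what it negotiates instead of failing silently, and the second, verifying handshake is what tells you whether clients would actually trust it.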
As testssl.sh lists more details, here are the results over time (I wish I had kept all of the older testssl output as gists, but back then I was still getting the openssl binaries for SSL done and did not realize SSL Labs records would expire):
- Rob’s Technology Corner: Idera / Embarcadero is flushing away user trust in their ability to do secure computing.
- I’ve been telling Embarcadero for years that their security is sub-par.
Examples are plain-text login over http; https that is as insecure as http, websites showing content in the wrong language and so forth.
Keeping passwords in non-hashed form so they can be decrypted to plain-text is a sin beyond comprehension.
The really sad thing is that I’m not surprised.
Seems my Delphi days are coming to an end even sooner than I thought…
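The pattern behind the screenshots at the top of this post, and the remark above about passwords kept in non-hashed form, in code. This is an added example (mine, not from this post or from any of the sites named): a store that can hand a password back beside one that cannot, the verification that goes with the second, and the migration from the first to the second. Users and passwords are constructed samples; the PBKDF2 iteration count is an assumption taken from OWASP's password storage guidance.

```python
"""Added example: why a site that can e-mail your password back is storing it
wrongly, and what the store should look like instead. A 'Plain Text Offender'
keeps the password itself (or something it can decrypt back to it); a correct
store keeps only a salted, slow, one-way hash and recomputes it on login."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- The offending pattern: the secret itself is on file --------------------
# A "forgot password" mail merge can read this straight out of the database,
# and so can anyone holding a copy of that database.
PLAINTEXT_STORE: Dict[str, str] = {"alice": "correct horse battery staple"}  # constructed sample


def recover_password_plaintext(user: str) -> str:
    """What an offender can do: hand the password back. This is the defect."""
    return PLAINTEXT_STORE[user]


# --- The correct pattern: salted, iterated, one-way --------------------------
PBKDF2_ITERATIONS = 600_000   # assumption: OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The salt is random per record, so equal passwords give different records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False                        # malformed record, never a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def migrate_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """The remediation step: hash every password on file once, then drop the plain text.
    After this there is nothing left that could be mailed back."""
    return {user: hash_password(password) for user, password in plaintext_store.items()}


HASHED_STORE = migrate_store(PLAINTEXT_STORE)
DUMMY_RECORD = hash_password("")            # used so unknown users cost the same time as known ones


def login(user: str, password: str) -> bool:
    """Check a login against the hashed store without revealing whether the user exists."""
    record = HASHED_STORE.get(user)
    ok = verify_password(password, record if record is not None else DUMMY_RECORD)
    return ok and record is not None
```

Each record carries its own algorithm, iteration count and salt, so the iteration count can be raised later and old records re-hashed on next successful login; `hmac.compare_digest` keeps the comparison time independent of how many leading bytes happen to match.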