The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream




    More Photos
  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,757 other followers

List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too

Posted by jpluimers on 2016/10/24

This Plain Text Offenders site lists email screenshots of organisations sending back plain-text passwords they kept on file (According to Robert Love, Idera/Embarcadero should be on the list as well).

It is one of the most horrible things that can be done for a password.

Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains. The ones that are so broken that they degraded their https to virtually plain-text http quality.

In the past, a notorious example of this was Embarcadero, who in the past managed to get F-rating or had wrong configurations on the below domains, therefore preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):

As maintaining proper security infrastructure is an on-going event, SSL Labs increase their rating criteria over time, so I wasn’t hold my breath, but currently mostare now grade C. Still not good, but good enough. Notable exceptions:

  • still doesn’t support https, though partners enter their credentials there
  • still had grade F for a long time for just one of the IP-addresses; that only recently got fixed so they are now grade B
  • cannot be checked by SSL Labs (as it uses NNTP over SSL), but is still very vulnerable

As lists more details, here are the results over time (I wish I had kept all of the older testssl output as gists, but back then I was getting the openssl binaries for SSL done and not realizing SSL Labs records would expire):




SSL Labs Grade F example

SSL Labs Grade F example


The Quality site was the least secure halfway 2016

The Quality site was the least secure halfway 2016

One Response to “List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too”

  1. Snorlax said

    Never too careful!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: