The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too

Posted by jpluimers on 2016/10/24

The Plain Text Offenders site lists email screenshots of organisations that send back the plain-text passwords they keep on file (according to Robert Love, Idera/Embarcadero should be on the list as well).

Keeping a password in plain text is one of the worst things that can be done with it: anyone who can read the store (a backup, an injection, an insider) has every account, and the fact that the site can email the password back proves it was never hashed.
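To make the contrast concrete, here is an added example (not from the original post or from any of the sites it mentions) showing the offending pattern next to the way it should be done: a "password reminder" that can only exist because the password is on file in the clear, and a hashed store where the only possible answer to "I forgot my password" is a short-lived reset token. The user records, the PBKDF2 iteration count and the token lifetime are constructed assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample data for this example: an in-memory "user table" in the
# Plain Text Offender shape, i.e. the password itself is on file.
PLAINTEXT_USERS = {"alice": {"password": "correct horse battery staple"}}


def remind_password_plaintext(users, username):
    """The offending pattern: a 'forgot password' mail that contains the password.
    It only works because the password was stored in the clear, so anyone with
    read access to the store (backup, SQL injection, insider) already has every
    account."""
    return f"Hi {username}, your password is: {users[username]['password']}"


# Hardened storage: keep a salted PBKDF2-HMAC-SHA256 hash, never the password.
# The iteration count is an assumption for this example (the figure OWASP
# recommends for PBKDF2-SHA256 at the time of writing); tune it for your hardware.
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumption)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    # Constant-time compare so a wrong guess is not distinguishable by timing.
    return hmac.compare_digest(digest, record["hash"])


def create_user(users, username, password):
    users[username] = hash_password(password)


def issue_reset_token(users, username, now=None):
    """What a non-offender does instead of a reminder: there is nothing to send
    back, so issue a short-lived, single-use random token. Only its hash is
    stored, so a leaked table does not hand out live reset links either."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record = users.get(username)
    if record is not None:  # unknown users get no stored token but the same visible flow
        record["reset"] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                           "expires": now + RESET_TOKEN_TTL}
    return token


def redeem_reset_token(users, username, token, new_password, now=None):
    now = time.time() if now is None else now
    record = users.get(username)
    pending = record.get("reset") if record else None
    if pending is None or now > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["token_hash"], hashlib.sha256(token.encode()).digest()):
        return False
    users[username] = hash_password(new_password)  # fresh record, used token dropped
    return True


if __name__ == "__main__":
    print(remind_password_plaintext(PLAINTEXT_USERS, "alice"))  # the screenshot-worthy mail
    users = {}
    create_user(users, "bob", "hunter2")
    print(verify_password(users["bob"], "hunter2"), verify_password(users["bob"], "hunter3"))
    token = issue_reset_token(users, "bob")
    print(redeem_reset_token(users, "bob", token, "new-passphrase"))
```

The point of the hashed version is structural: once only `salt` and `hash` are on file, no code path can produce the password again, so the "we'll mail it to you" feature cannot be built even by accident.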

Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains: the ones that are so broken that their https has degraded to virtually plain-text http quality.

A notorious example of this was Embarcadero, which at the time had F ratings or wrong configurations on the domains below, preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):

As maintaining proper security infrastructure is an ongoing effort, and SSL Labs tightens its rating criteria over time, I wasn't holding my breath, but currently most are grade C. Still not good, but good enough. Notable exceptions:

  • still doesn’t support https, though partners enter their credentials there
  • still had grade F for a long time for just one of the IP-addresses; that only recently got fixed so they are now grade B
  • cannot be checked by SSL Labs (as it uses NNTP over SSL), but is still very vulnerable
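The last item is the case SSL Labs does not cover: a TLS-on-connect service on a port other than 443. As an added example (not from the original post, and not testssl's or SSL Labs' code), here is a small Python probe that offers a server exactly one protocol version at a time and reports which ones it accepts; it works for any TLS-on-connect port, including 563 for NNTP over TLS. The "legacy" versus "modern" split is the yes/no behind an F-class result, not SSL Labs' actual grading, and which old versions can be offered at all depends on the OpenSSL your Python is linked against.

```python
import socket
import ssl
import sys

# Oldest first. SSL 2.0 cannot be offered from Python's ssl module at all, and
# SSLv3 / TLS 1.0 / TLS 1.1 only if the linked OpenSSL was built with them.
CANDIDATES = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
LEGACY = {"SSLv3", "TLSv1", "TLSv1_1"}   # deprecated by RFC 7568 and RFC 8996
MODERN = {"TLSv1_2", "TLSv1_3"}


def _context_for(version):
    """A client context that offers exactly one protocol version, or None if
    this OpenSSL build cannot speak it. Certificate checks are off on purpose:
    we are testing the server's version policy, not its chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # The default client context forbids SSLv3 via OP_NO_SSLv3; clear the
        # legacy OP_NO_* bits so minimum/maximum_version alone decide the offer.
        ctx.options &= ~(ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version.name in LEGACY:
            # OpenSSL 1.1.1 / 3.x refuse anything below TLS 1.2 at the default
            # security level, so lower it for the legacy probes only.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def probe_versions(host, port, timeout=5.0):
    """Map each protocol version name to 'accepted', 'rejected', 'untestable'
    or 'unreachable' for host:port. Only TLS-on-connect ports (443, 563 for
    NNTP over TLS, 993 for IMAPS) are meaningful; STARTTLS ports are not."""
    results = {}
    for version in CANDIDATES:
        ctx = _context_for(version)
        if ctx is None:
            results[version.name] = "untestable"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    tls.version()  # handshake completed: the server agreed to this version
                    results[version.name] = "accepted"
        except (ssl.SSLError, ConnectionResetError):
            results[version.name] = "rejected"     # alert or abrupt close: not offered
        except OSError:
            results[version.name] = "unreachable"  # DNS, connect or timeout failure
    return results


def summarize(results):
    """Reduce probe output to the two facts that matter for the post's point:
    does the server still accept a legacy version, and does it speak a modern
    one at all. This is not SSL Labs' grading, only the yes/no behind an F."""
    accepted = {name for name, state in results.items() if state == "accepted"}
    legacy = sorted(accepted & LEGACY)
    modern = sorted(accepted & MODERN)
    if legacy:
        verdict = "legacy protocol still enabled: " + ", ".join(legacy)
    elif modern:
        verdict = "only modern protocols accepted"
    else:
        verdict = "no TLS version accepted (wrong port, no TLS, or all probes untestable)"
    return {"legacy": legacy, "modern": modern, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python tlsprobe.py news.example.com 563   (hostname is a placeholder)
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe_versions(host, port)
    for name, state in res.items():
        print(f"{name:8s} {state}")
    print(summarize(res)["verdict"])
```

Two caveats when reading the output: an "untestable" row says something about your client build, not the server, so run the legacy probes from a machine with an OpenSSL that still has SSLv3/TLS 1.0 compiled in if you need a definitive answer; and "rejected" on every row usually means the port is plain text or STARTTLS rather than a hardened server.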

The linked post lists more details; here are the results over time (I wish I had kept all of the older testssl output as gists, but back then I was busy getting the openssl binaries for SSL done and did not realize that SSL Labs records expire):

[Screenshot: SSL Labs Grade F example]

[Screenshot: The Quality site was the least secure halfway through 2016]

3 Responses to “List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too”

  1. KMorwath said

    I wonder if Embarcadero knows what GDPR is, and that it will be active from May 2018. Data breaches will be heavily fined, especially when they lead to the disclosure of personal information. Everybody who still uses Delphi and other Embarcadero tools, and sells in Europe, should start to assess how safe their applications are, because their customers will also have to assess it. Non-compliance can be costly.

    Just remember Embarcadero is the company that doesn't give you sound encryption algorithms out of the box, hiding behind the finger of export regulations… I wonder how secure RAD Server is as well.

    But I’m sure syntactic sugar will get more attention in the next releases than security.

  2. Snorlax said

    Never too careful!
