
Am I being overly zealous about “proper SSL implementation”?


There’s absolutely nothing wrong with complaining, since they’ve consistently gotten it wrong. They may be a reputable company, but that doesn’t necessarily mean that their technicians know what they’re doing, or that they’ve properly been informed of the risks of certain page designs. My bank used to have a link on their homepage to the online banking logon page. The online banking logon page was SSL secured. Then they changed it so that the username/password form is included on the homepage, rather than a separate area. However, the homepage is not SSL secured. Attempting to visit it through HTTPS redirects you to the non-secure version. The only way to log in securely is to enter a bogus username and password on the homepage, have it fail, and then you’re taken to a proper SSL secure page where you enter the correct username and password. I’ve yet to hear from them after commenting about the problems in their design.


Putting just one page on SSL and having a form on it submit to an https:// URL is a no-brainer; I’ve done it tons of times. Their admin is incompetent and you should be going up the chain to ensure that your data is handled securely and professionally. You could also start researching other collection agencies to present to your bosses as just an aside: “This shouldn’t be that difficult. Look, CompanyA, CompanyB and CompanyC all have secure submission forms.” Or something like that, optionally presenting them as alternatives to your current group of losers. Don’t worry about fixing this company so much as providing the company you work for with good vendors.


Make sure you use the phrase “off-balance sheet legal liabilities” when describing this up the chain. You absolutely need a new vendor, this company is gone. Sure, the actual chance of them being hacked is low, which is what makes this difficult. You have a ton of liability if the system is hacked, very little reward if it is not hacked (“it just works”). They don’t want to fix the problem because they probably don’t understand the problem. Don’t blame the admin on their end, there might be a very technical, complex reason they are not using SSL which usually boils down to them not having enough resources to fix it since it “works” and no one wants to throw money at something that works. I would be surprised if this wasn’t upsetting some IT people on their side as well. That’s really a secondary issue. All the e-mails in the world won’t save your job if the data is compromised; “I told you so” doesn’t really quite have that actionable ring to it that firing you does.


Packet sniffing is real, and very much a problem. Simply ask this – do they believe every person that works at your company, everyone on their network, and everyone that works for every ISP in the middle to be either entirely trustworthy or entirely IT illiterate? Because it takes all of 5 minutes to start ARP spoofing traffic on your local network with a tool like Cain and Abel even if you’re a tech moron. It’s even easier for your ISP to slap a sniffer on there. You might want to demonstrate how easy it is to sniff the unencrypted data, with prior permission of management. Ask if they’d be happy sending the same information through the postal system printed on the back of postcards, because that’s about the same security level as unencrypted HTTP. You’re not paranoid, you’re being sensible. I don’t know what regulations cover the transmission of personal data in the US, but sensitive personal data in Europe that gets handled improperly can lead to huge fines, big civil suits and in s
