[Med-privacy] "Your information is secure" (RISKS)

P. Marshall techdiff@ix.netcom.com
Mon, 27 Aug 2001 15:45:29 -0700


Date: Tue, 21 Aug 2001 19:23:53 -0700
From: identity withheld by request
Subject: Kaiser Permanente

There's a self-service section on the Kaiser Permanente (an HMO) Web site at
http://www.kaiserpermanente.org/ that allows you to notify them of a change
of address.  In bold letters next to the submit button, it claims "Your
information is secure!".  Sounds good.  Checking View Source showed the form
was being submitted over SSL.  Ok, let's submit the information.  A few
minutes later an e-mail arrives.  No encryption.  Ouch -- it contains a
verbatim copy of the personal information I typed into the form.  So much
for "Your information is secure!".

Why bother breaking SSL flows, when you can just watch the e-mail?
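An added defender-side check for the failure mode described above (example code, not from the post or from Kaiser Permanente): given the fields a user submitted over HTTPS, flag which values a plaintext confirmation e-mail echoes verbatim, and build a confirmation that names the changed fields without carrying their values. The field names, values, e-mail text and the MIN_LEN threshold are constructed for this example.

```python
"""Added example (not part of the RISKS post): check an outbound confirmation
e-mail for verbatim copies of submitted form fields, and build one that echoes
none of them."""
import re

# Minimum value length worth flagging; shorter tokens (a two-letter state
# code, say) would match by accident.  Threshold chosen for this example.
MIN_LEN = 4


def _normalise(text):
    """Collapse whitespace runs and fold case so reflowed mail still matches."""
    return re.sub(r"\s+", " ", text).strip().casefold()


def leaked_fields(submitted, email_body):
    """Return the names of submitted fields whose values appear verbatim
    (ignoring case and whitespace runs) in the plaintext e-mail body."""
    body = _normalise(email_body)
    return sorted(
        name for name, value in submitted.items()
        if len(value.strip()) >= MIN_LEN and _normalise(value) in body
    )


def safe_confirmation(changed_fields):
    """Confirmation that says which fields changed but carries no values;
    the member reviews the details over the authenticated HTTPS session."""
    names = ", ".join(sorted(changed_fields))
    return (
        "We received your request to update the following details: "
        f"{names}. Review the change after signing in to your account; "
        "if you did not request it, contact member services."
    )


# Constructed sample: the kind of address-change form the post describes.
SAMPLE_FORM = {
    "name": "Jane Q. Member",
    "street": "123 Example Street, Apt 4",
    "city": "Oakland",
    "state": "CA",
    "member_id": "000000000",
}
# Constructed: a confirmation that echoes the form, as the post reports.
ECHO_EMAIL = ("Thank you. Your new address:\nJane Q. Member\n"
              "123 Example Street, Apt 4\nOakland, CA\nMember ID 000000000\n")

if __name__ == "__main__":
    print("echoed fields:", leaked_fields(SAMPLE_FORM, ECHO_EMAIL))
    print("safe body:", safe_confirmation(SAMPLE_FORM))
    print("echoed after fix:", leaked_fields(SAMPLE_FORM, safe_confirmation(SAMPLE_FORM)))
```

The same `leaked_fields` check can run over any outbound notification template before it ships, using the form's real field values as the haystack to search for.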