WebProWorld
Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

View Poll Results: What do you do when you come across an unsecured form asking for sensitive information?
Ignore it (users should know better, right?): 1 vote (100.00%)
E-mail the Webmaster (theoretically, an SSL certificate could help with this...): 0 votes (0%)
Voters: 1

  #1 (permalink)  
06-23-2005, 05:32 PM
danlefree (WebProWorld Pro; Join Date: Jun 2005; Location: Seattle; Posts: 269)
Ethical question relating to unsecured forms...

If a form appears on a server which doesn't even support SSL and is POSTing to a script on the same server directly (no call to any fancy JavaScript encryption functions, just a plain old POST), it's pretty likely that information sent by a user submitting the form would be an easy target for interception at the user's network level.

I've seen a fair number of forms like the aforementioned, lurking on rental application sites, credit or background check sites, even the occasional credit card application site...

We all know they're out there - unsecured forms with fields like "Social Security Number" or "Bank Account Number". My question is, what do you do when you come across one?
  #2 (permalink)  
06-24-2005, 01:35 AM
ADAM Web Design (WebProWorld 1,000+ Club; Join Date: Dec 2003; Location: Toronto, Ontario, Canada; Posts: 2,181)

Depends on the info. If it's just an email address or something, I don't care, but if it's looking for name, rank and serial number, then I won't fill it out at all.

As far as emailing the webmaster, (s)he should know better than to set something like that up. As far as I'm concerned, when the webmaster ends up dealing with a liability issue and potential lawsuit from a customer, then the webmaster will learn.

I've learned from experience that, when I point out flaws without solicitation to do so, they get ignored anyway. So why should I bother wasting my time trying to help someone that will either ignore it or respond rudely anyway?
  #3 (permalink)  
06-24-2005, 04:11 PM
danlefree (WebProWorld Pro; Join Date: Jun 2005; Location: Seattle; Posts: 269)

Quote:
As far as emailing the webmaster, (s)he should know better than to set something like that up. As far as I'm concerned, when the webmaster ends up dealing with a liability issue and potential lawsuit from a customer, then the webmaster will learn.
I'm definitely with you on this aspect; however, it seems as though the "learning curve" for this kind of issue hasn't caught up with the internet-using public - people base their decision on whether or not to enter their social security information, credit card information, etc. upon whether or not they trust the content provider (and upon whether or not they are interested in the product or service being offered in exchange for their information).

Notifying the content provider does presume that the content provider either knows and has chosen not to implement a secure form (in which case a rude reply might be expected) or does not understand how to implement a secure form (which, again, may result in a rude reply or being ignored) - I see this as an ethical question in the sense that there will invariably be some users who choose to make use of the form, and notifying a webmaster who was unfamiliar with securing the forms does offer the possibility that some action will be taken to correct the issue.
All times are GMT -4. The time now is 04:16 AM.


