
uCertify's homepage is in the clear - use separate /login.php page instead

Cert Poor Member Posts: 240 ■■■□□□□□□□
As most of you probably know if you are a customer, uCertify's homepage is http-only. Even manually typing in https will be forcefully redirected back to http. This means that if you authenticate via the homepage, your credentials will be sent over the Internet in the clear, which is a no-no in 2017.

Workaround: Always only use https://www.ucertify.com/login.php to authenticate.

I have contacted uCertify and my expectation is they remediate this ASAP. It shows either incompetence or laziness or a blatant disrespect for one's customers for a company to offer plaintext authentication from their homepage (or anywhere on their site, for that matter).

I'll update this thread as I get more updates.

Edited to Add: The support team replied to my e-mail in about one hour and forwarded it on to the technical team. This is all on a Saturday night! So far, I'm very impressed with the customer service.
In progress: MTA: Database Fundamentals (98-364)
Next up: CompTIA Cloud Essentials+ (CLO-002) or LPI Linux Essentials (010-160)
Earned: CompTIA A+, Net+, Sec+, Server+, Proj+
ITIL-F v3 2011 | ServiceNow CSA, CAD, CIS | CWNP CWTS
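A way to check for the two symptoms the post describes (an HTTPS request being redirected back to HTTP, and a password form whose submission target is an http:// URL), written as an added example for this thread; it is not code from uCertify or from the poster. The HTML snippet and the redirect chain in the block are constructed samples that mimic the reported behaviour, and the real site was not fetched here; `fetch_redirect_chain` is included only so the same check can be pointed at a live URL.

```python
"""Detect plaintext credential submission on a web page.

Two checks: (1) does following redirects from an https:// URL ever land on
http://, and (2) does any form containing a password field post to an http://
action. Added example for the forum thread; the samples below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> and note whether it holds an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(html, page_url):
    """Return absolute action URLs of password forms that would submit over http."""
    scanner = _FormScanner()
    scanner.feed(html)
    bad = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # An empty action posts back to the page itself, so the page's own
        # scheme decides; urljoin handles that and relative actions alike.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            bad.append(target)
    return bad


def downgrade_in_chain(chain):
    """Given the ordered URLs visited while following redirects, return the
    (from_url, to_url) hop where the scheme first drops from https to http,
    or None when no downgrade occurs."""
    for prev, nxt in zip(chain, chain[1:]):
        if urlsplit(prev).scheme == "https" and urlsplit(nxt).scheme == "http":
            return (prev, nxt)
    return None


def fetch_redirect_chain(url, max_hops=10):
    """Follow 3xx redirects one hop at a time and return every URL visited.
    Network call; the offline samples below do not use it."""
    import urllib.error
    import urllib.request

    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None            # stop urllib from silently following hops

    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        try:
            resp = opener.open(chain[-1], timeout=10)
        except urllib.error.HTTPError as err:
            resp = err             # with redirects disabled a 3xx surfaces here
        code = getattr(resp, "status", None) or resp.code
        location = resp.headers.get("Location")
        if code not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


# Constructed samples standing in for the behaviour the post reports.
SAMPLE_CHAIN = ["https://www.ucertify.com/", "http://www.ucertify.com/"]
SAMPLE_HOME_HTML = """
<form method="post" action="">
  <input name="user"><input type="password" name="pass">
</form>
<form method="post" action="https://www.ucertify.com/login.php">
  <input name="user"><input type="Password" name="pass">
</form>
<form method="get" action="/search"><input name="q"></form>
"""


def run_samples():
    """Run both checks against the constructed samples."""
    return {
        "downgrade": downgrade_in_chain(SAMPLE_CHAIN),
        "insecure_forms": insecure_login_forms(SAMPLE_HOME_HTML,
                                               "http://www.ucertify.com/"),
    }


if __name__ == "__main__":
    print(run_samples())
```

The form check deliberately treats an empty `action` as "post back to this page", because that is exactly how a login box on a plain-HTTP homepage leaks credentials even when a separate https:// login page exists.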

Comments

    Cert Poor Member Posts: 240 ■■■□□□□□□□
    Take back what I said about good customer service.
    uCertify wrote:
    Hi,

    Our technical team has checked the issue reported by you and confirmed that our shopping cart page is secured.

    Please refer to the screenshot:
    https://www.screencast.com/t/USEveJ76

    Also, we want to let you know that our technical team is working on the homepage to get a secure page. However, your personal data will not be shared with anyone.

    If you are still facing problems, please send us the screenshot of the error so that we can investigate the issue.

    Sincerely,
    [First Name]

    [First and Last Name]
    uCertify Care Team

    *facepalm*

    Do people know what a Strawman argument is? It's when your opponent puts words in your mouth and invents an argument that you never even said ("knocking down the strawman") and declares it some kind of victory. Nowhere did I say their e-commerce shopping cart is over http. Nowhere. My entire point was that authentication over their HOMEPAGE is in the clear and that's what needs to be fixed so that our credentials are encrypted as they traverse the Internet. If attackers get our password, not only can they hijack our purchased content, they can also purchase MORE content if our credit card details happen to be saved.

    This is all common sense. I don't even know why they brought up the shopping cart response.

    Furthermore, it further confuses me that they say "However, your personal data will not be shared with anyone." Do they not know how the Internet works? There are two endpoints, the customer and uCertify, Inc's web presence. But everyone in between is a potential attacker who can do whatever they please with a customer's personal data. In other words, it is out of their control as an endpoint to say that our personal data will not be shared with anyone. Like, that's not even what we're talking about. It's common sense that uCertify won't share our data. That's not the concern with plaintext http communication. The concern is that there is no assurance that the thousands of middlemen between us and uCertify (whether in coffee shops, our ISP, etc.) will be just as virtuous and trustworthy.

    This person has a foreign-sounding name. So maybe they just straight up don't understand English? I just get confused at what's so hard to understand in my initial comment to them that would 1) cause them to use the Strawman argument and change the subject to their e-commerce shopping cart being secured (nobody was disputing that, dummy), and 2) cause the cluelessness of saying that our personal data will not be shared, which tells me they have no idea WTF they're talking about.

    I might stick with giving my money and business to CBT Nuggets, TestOut, and others.