  1. #1 SitePoint Enthusiast

    Legal issues of having an insecure mortgage website

    I am curious about what legal implications there are for a website that has an expired SSL certificate.

    I recently came across one and informed the proper authorities, but no action taken yet.

    The website asks for all types of personal information such as social security number, finance information, etc.

  2. #2 MBScott (SitePoint Addict)
    Look on the FTC's website. Somewhere I have some files on that....

    Basically, they are putting at risk client information, although I suspect they are using encryption, they just need to pay their fees.

    Missy

  3. #3 SitePoint Enthusiast
    So even if the site says "SSL Expired" in the padlock icon it could still be secure?

  4. #4 MBScott (SitePoint Addict)
    Yes... just because the cert is expired (I've seen self-signed certs that worked, but weren't valid) doesn't mean the encryption doesn't work.

    Missy
    PS... this doesn't make it right

  5. #5 beley (SitePoint Wizard, LaGrange, Georgia)
    The encryption will work if it's a legit certificate. The validation process is to ensure that it is indeed legitimate and is working properly. Most self-signed certificates work perfectly fine, there's just no "checks and balances" in place. Most people like having a third party verify the security of their transactions, which is why commercial SSL certificates are so popular.

    Are there any legal implications? I doubt it. If you get a notice that the SSL is potentially insecure and enter sensitive information anyway, it's your decision and the consequences (identity theft, etc.) are yours. I don't see why the company should be held liable because you knowingly submitted insecure information across a form.

    That's like knowing there's a hole in a condom and still using it despite the glaring warning signs. Ummm... no thanks
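    The distinction drawn in the last two posts, encryption versus validation, can be checked directly. The following is an added example, not code from this thread: a Python probe that connects with full certificate validation and, if validation fails (for instance because the certificate has expired), reconnects in an inspection-only mode just to report that the session is still encrypted and which cipher was negotiated. The host name is a placeholder and the certificate dates used for checking are constructed.

```python
import socket
import ssl
import time
from typing import Optional

# Added example, not from the thread. Shows that "encrypted" and
# "validated" are separate questions, and gives early warning of expiry.

def cert_status(cert: dict, now: Optional[float] = None) -> dict:
    """Classify a cert dict of the shape ssl.getpeercert() returns when
    the chain was validated. Dates are in the ssl module's text form,
    e.g. 'Jun 20 00:00:00 2024 GMT'."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        state = "not yet valid"
    elif now > not_after:
        state = "expired"
    else:
        state = "valid"
    # Negative days_left means the cert expired that many days ago.
    return {"state": state, "days_left": int((not_after - now) // 86400)}

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with full validation (chain, expiry, hostname). If that
    fails, reconnect without validation purely to read the negotiated
    cipher, so the report distinguishes 'encrypted but untrusted' from
    'not encrypted at all'. The inspection-only context must never be
    used to submit data."""
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host) as tls:
                report = {"validated": True, "cipher": tls.cipher()[0]}
                report.update(cert_status(tls.getpeercert()))
                return report
    except ssl.SSLCertVerificationError as err:
        reason = err.verify_message   # e.g. "certificate has expired"
    loose = ssl.create_default_context()
    loose.check_hostname = False
    loose.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with loose.wrap_socket(raw, server_hostname=host) as tls:
            # getpeercert() is empty without validation; cipher() still works.
            return {"validated": False, "reason": reason,
                    "cipher": tls.cipher()[0]}

if __name__ == "__main__":
    print(probe("mortgage-site.example"))   # placeholder host, replace before use
```

A report of `validated: False` with a cipher name is exactly the situation the thread describes: the form data is encrypted in transit, but nobody has vouched for who is on the other end.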

  6. #6 MBScott (SitePoint Addict)
    You said:
    Are there any legal implications? I doubt it.
    But there are. The FTC covers it:

    The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of this type of information.

    NOW... the cert might WORK, meaning the info might be encrypted even though they have an expired one. However, it's not good business practice. It is up to the financial institution to protect the consumers... it's not the consumers' burden to make sure their info is secure.
    For example... I've had mortgage institution clients that wanted the info emailed to them. There is no way for the end consumer to know HOW the broker gets the info submitted, but emailing it would violate the GLB Act.
  7. #7 beley (SitePoint Wizard, LaGrange, Georgia)
    I never said it was good business practice. They have an SSL certificate... it's just expired.

    I can't find anything about securing the transmission of information:
    http://banking.senate.gov/conf/grmleach.htm

    Are you sure about what exactly the act covers?

  8. #8 MBScott (SitePoint Addict)
    Yes, I'm sure about what the act covers. Rather than reading the headings, the entire GLB Act is huge, and the section to read is titled "Privacy".

    http://www.ftc.gov/os/2002/05/67fr36585.pdf

    The GLB Act gives power to eight different bodies for enforcement, the FTC being one.

    This thread has the proper attachment, called safeguards.pdf, that the FTC puts out to help financial institutions comply with the GLB Act.

    Missy

  9. #9 Steelsun (Houston, Tejas)
    Sarbanes-Oxley might also cover it (they seem to be stretching that to cover just about any corporate info idea you can think of).
    Brian Poirier
    SunStockPhoto: Stock Photos, Fine Art Photos, Event Photography
