Surprise, the DISQUS login/registration to post a comment on TechCrunch's article about this "gaping security hole" also sends your password in plaintext.
I don't know why this is so surprising, 99% of the websites and apps I see don't use SSL for login, even HN doesn't. It's good that this issue is getting more attention, but to specifically call out Instagram for it makes it seem like what they're doing isn't the industry norm.
Looking at the TC comments it seems like a lot of people are confused by the difference between sending your password in cleartext, and storing your password in cleartext, although I wouldn't be surprised if they're storing your tumblr and foursquare credentials in the clear.
Everyone assumes that this is just a "oh they should add an s to http:// issue.
If your iPhone application uses SSL, it becomes subject to US export restrictions on encryption.
Apple is the vendor of the apps, and is based in the US, so every app is subject to these regulations. Apple specifically asks if your application uses encryption when you submit it, and if so, some apps end up having to get U.S. government review and approval for sale outside the US before they can be added to the market.
It's really not that difficult to get certified for export as a mass market crypto product. We did this for SpiderOak years ago. Took about an hour and I think a small fee.
Also requires sending the NSA the source code, but we're shipping easily reversible Python anyway, so hardly a concern.
Seriously? Passwords sent in the clear?! Why are simple security measures so far down on people's list of things to implement when launching a new product/company?
Virtually everything flying around the network is unencrypted. Even if Facebook turned on SSL for the whole site, if I see you sitting next to me and can find your e-mail address, I just have to request a password reset and wait for your mail client to pick up the plain text email with the reset link. Either encrypt your whole connection or accept that you're secure enough because nobody is really listening.
Kinda like all the TSA articles floating around, you're not safe because someone's groping everyone before they get on the plane, you're safe because nobody was trying to get something onto the plane in the first place.
Firstly that alerts the person to the breach, because you have to change their password - which isn't true of a session hijack.
Secondly how are you getting the mail? I haven't been able to access my able without SSL for years and I lock my screen everytime I leave it + never leave my phone hanging around.
Thirdly would you even know the email address I used? I use a different one for each site.
Surprise, the DISQUS login/registration to post a comment on TechCrunch's article about this "gaping security hole" also sends your password in plaintext.