By James Cooley - December 05 2007 tags: ssl security

I recently changed my details for a policy using a company website - I hate writing or call centers as much as the next person. As a quick check I changed the URL from http to https to see if they could handle it securely. [I will use example.com to demonstrate the URL.]

http://www.example.com/members/policy/modify_details.jsp

to

https://www.example.com/members/policy/modify_details.jsp

That was fine - why don't they just use https by default to give you some confidence in the process? Most websites don't even get that far. I then checked if https was used to submit the form. Fine. Next I changed the details and got the following URL:

https://www.example.com/info/SecureServlet?action=sendWebFormMail

It looks like they email my details if the form is submitted successfully. I may as well have submitted it without security in the first place :(

The problem is once you send your data electronically it is most probably emailed around. Who knows? A bank I was dealing with recently took my query. The person couldn't deal with the problem directly but told me there would be a delay while they emailed my question to a group in another part of the bank. That person would deal with my query once they read the email within 24 hours.

Email was not designed for sensitive data but common practice means all manner of data gets sent this way. It's a problem if you use the website or the call center. What can you do?