Author Topic: (Rant and PSA) God No: How Not to Internet Security

Today I went to file an application for a new job (Yes I'm still on that).

However, when I went to do so, I noticed something concerning.
I can forgive the company for offloading job applications to a third party. I've seen that before.
I can forgive the crappy 1998 web design of the third party's site.
What I can't forgive is the fact that they are exclusively using outdated, weak, and insecure encryption methods (TLS version 1.0 and earlier) to secure the channel they're using to transmit personal information including full names, work history, and even Social Security Numbers!

My personal site has far better security, and it cost me nothing to set it up!
There is no excuse!

Needless to say, I didn't apply for that job.
I sent a message to the email listed under the domain's whois, and I even contacted the home office of the company to inform them of the issue with the third party handling their employees' information.

A reminder to everyone:
Always check, before sending any personal information over the internet anywhere, that the page you're using is not only secured, but secured using protocols that aren't horrendously obsolete.

(I will not point to the offending domain, as I want to give them a chance to respond and correct the issue.)
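One way to do the check the post recommends, as an added example that is not the poster's code: pin a TLS handshake to each protocol version in turn and see which ones the server accepts. The hostname is whatever you pass on the command line; example.com is only a placeholder default.

```python
import socket
import ssl

# TLS 1.0 and 1.1 are formally deprecated (RFC 8996); anything that accepts
# only these is exactly the situation the post describes.
OBSOLETE = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
PROBE_ORDER = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
               ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def offers_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`.

    Certificate verification is disabled on purpose: this only tests protocol
    support; it is not a client you would ever send data over."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Modern OpenSSL will not even offer TLS 1.0/1.1 at its default
        # security level, so lower it for the probe.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None  # local TLS library cannot speak this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False  # server refused this version (or is unreachable)


def assess(accepted):
    """Turn the set of accepted versions into a verdict for the reader."""
    if not accepted:
        return "no TLS handshake succeeded"
    if not accepted - OBSOLETE:
        return "OBSOLETE: only TLS 1.0/1.1 accepted, do not submit personal data"
    if accepted & OBSOLETE:
        return "WEAK: deprecated TLS 1.0/1.1 still enabled alongside modern versions"
    return "OK: only TLS 1.2/1.3 accepted"


def probe_host(host, port=443):
    accepted = {v for v in PROBE_ORDER if offers_version(host, port, v)}
    return accepted, assess(accepted)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    versions, verdict = probe_host(target)
    print(target, sorted(v.name for v in versions), verdict)
```

A site that reports OBSOLETE here is one where the browser padlock alone told you nothing useful.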

Good luck on finding a job. I usually hate having to apply on a company's site on Indeed Jobs, cause they usually use 3rd party websites that suck.

(I will not point to the offending domain, as I want to give them a chance to respond and correct the issue.)
They aren't going to. They're just gonna laugh at you for being a dork.

They aren't going to. They're just gonna laugh at you for being a dork.
And what's worse is that I'm pretty sure there are next to no federal data regulations regarding handling of SSNs. Even Equifax, which was sued for doing just that, was mostly sued under the Fair Credit Reporting Act, which only applies to credit reporters. They were also sued under the Georgia Fair Business Practice Act 10-1-393.8 which states that:
Code:
(a) Except as otherwise provided in this Code section, a person, firm, or corporation shall not:
[...]
(2) Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted
but unless the state OP is in has a similar protection, what they're doing is literally entirely legal.

The EU's GDPR was created to help prevent just such issues; however, due to the fact that the company is based exclusively in the US, and the US generally lacks any similar legislation, it's not required of them to provide the proper protections to their users.

US data protection laws are forgeted.