The credit card portion is likely hosted by a third party which is subject to PCI DSS security requirements. The risk you are facing is minimal so I wouldn't sweat it.
BSBA CIS from TESC, BA Natural Science/Math from TESC
MBA Applied Computer Science from NCU
Enrolled at NCU in the PhD Applied Computer Science
I will only argue to say that they do store personal information, and for that they have a legal obligation to protect it. Luckily they don't store SSNs and CC#s because yes, they do link to someone else for CC# or PayPal.
But it depends on their supplier link for PCI DSS compliance. If you chose PayPal, sure they are level 1 compliance, but what if it's some cut-rate company doing less than 1M transactions a year, then they only need to put ACLs to isolate the "pay" network from the rest of the systems. That's it for level 4, and level 3 is not much tougher, both of which I have personally never once seen an audit for.
So I am going to stand my ground and say, they won't get any money from me until it's SSL from login to logout, and as was mentioned it's not that difficult. I was doing that stuff over 10 years ago when it wasn't so easy like today.
DSST- General Anthropology - 52, Intro to Computer - 469, Technical Writing - 54, DSST Ethics in America - 59 (1996),
CLEP- Sociology -54, College Math - 550(1996), CLEP Principles of Management - 60 (1996)
Aleks Beg Alg,
02-05-2012, 06:16 PM (This post was last modified: 02-05-2012, 06:28 PM by sirjason.)
I agree with you on this. This is ridiculous that my Full Name, Address, Phone number, school name, and DATE OF BIRTH are transmitted and entered in absence of SSL and in plain text to the site. When I signed up for the site and paid, I never noticed, but going back in and trying to make a new account, I notice this as well. In today's environment every sign-up page and sign-in page should include SSL. The funny thing is, the site is even equipped to handle SSL. Try going to https://www.straighterline.com/site/create-account.cfm or https://www.straighterline.com/site/login.cfm . It will open in SSL. However, by default it loads in standard http without encryption. Why would a company be so careless about their customers' personal information?
Sorry to be argumentative. But going to https doesn't enable SSL if the server side doesn't support it.
I have attached a screenshot after going to the https; note the only links that are https are to other sites, not SL.
quantserve.com
twitter.com
facebook.com
linkedin.com
and scanalert.com
Even after logging, only these links stay https.
NOTE: not sure why the image is so small, not sure if degreeforum uses a fingernail type of option, but I can PM the screenshot to anyone if they need to see it.
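An added example, not part of any post in this thread: a small Python check for the question debated above, namely whether a form that collects personal data is both delivered and submitted over HTTPS. The host `www.example.test`, the field-name hints and the sample HTML are constructed assumptions, not taken from the site discussed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE_TYPES = {"password", "email", "tel"}
# Assumed field-name fragments that suggest personal data.
NAME_HINTS = ("pass", "birth", "dob", "phone", "address", "name")

class FormAudit(HTMLParser):
    """Collect each form's resolved submit URL and its sensitive inputs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the scheme of the page.
            target = urljoin(self.page_url, a.get("action") or "")
            self._form = {"target": target, "sensitive": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            kind = (a.get("type") or "text").lower()
            if kind in SENSITIVE_TYPES or any(h in name for h in NAME_HINTS):
                self._form["sensitive"].append(name or kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(page_url, html):
    """Return (submit_url, fields, issues) for every form with sensitive inputs."""
    parser = FormAudit(page_url)
    parser.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        issues = []
        if not page_secure:  # the form itself can be read or altered in transit
            issues.append("page served without TLS")
        if urlparse(form["target"]).scheme != "https":
            issues.append("form submits without TLS")
        results.append((form["target"], form["sensitive"], issues))
    return results

# Constructed sample page: a search box plus a sign-up form with a relative action.
SAMPLE_HTML = """<form action="/site/search.cfm"><input type="text" name="q"></form>
<form method="post" action="create-account.cfm"><input type="text" name="full_name">
<input type="text" name="date_of_birth"><input type="password" name="password"></form>"""
```

Calling `audit("http://www.example.test/site/create-account.cfm", SAMPLE_HTML)` reports both issues for the sign-up form, while the same HTML audited under an `https://` page URL reports none, because the relative action follows the page's scheme.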
Thank you everyone for posting your concerns. We are working on this issue but as you noted in a few posts above we don't store credit card or SSN on the site. Our shopping cart is SSL and all data submitted is protected. We will update everyone as soon as the "my account" pages have been updated with SSL. We hope to have this issue sorted out in the next few days.
Regarding the McAfee security - they test our site throughout the day for vulnerabilities (it is much more than just checking to see who is linking to our site as one user noted). If you see the seal on our site you are secure in transacting with our site. If the McAfee icon is not on the site they found a problem and alerted us.
Thanks again for pointing out the issues and we should have an update for you in the next few days.