Brothers homepage is insecure

I went out and bought some new clothes the other day at Brothers and was asked if I wanted to become a member, which I agreed to. A couple of days later I got a letter that urged me to sign up on their homepage.

This is what I found:

  • Their homepage does not use SSL.
  • Their registration form sends all data over plain HTTP.
  • Their login function sends all form data over plain HTTP.

In my contact with the customer support I got a canned response that all card transactions are sent over encrypted channels, and that using encryption for the rest of the site was “in the works”.

So, I took the opportunity to find out what company is hosting them (Telecomputing) and sent their customer support and the operations manager an email pointing out the issue of running login and signup forms with potentially personal and private information over unencrypted channels.

Screenshots

Brothers registration code Brothers registration form

Written on April 5, 2016