Submitting Secure Information From Unsecured Pages
Using SSL encryption to secure information is server and client processor intensive, not to mention that the process can significantly slow the presentation of pages to your visitors. Not surprisingly, some webmasters have instituted an underhanded method to avoid the entire problem by placing sensitive information such as login/password inputs on home pages that are not SSL encrypted. The general programming concept seems to be that since the login/password information is being submitted to an HTTPS encrypted page, the data is secure. Well, not so fast.

Using my sector, web site monitoring, I decided to first check and see how prevalent this practice actually is. Out of 12 sites checked, 10 (or 83%) provided login/password inputs on the home page. Clearly this practice is widely used within our sector. The next step was to determine if the login/password information of the 10 sites using this practice was actually submitted to an SSL enabled page. Shockingly, nine of the 10 did not. A sniffer (HTTPLook by BinaryAge Software) was used to confirm this, as shown below. The results were confirmed, and indeed nine companies employing this practice transmitted information in clear text across the internet.

    POST /User/clients-login.aspx HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ...
    Referer: (blanked out to protect the guilty)
    Accept-Language: en-us
    Content-Type: application/x-www-form-urlencoded
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; ....
    Host: (blanked out to protect the guilty)
    Content-Length: 54
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: Dana-Net=CookieEnabled=YES; ASP.NET_SessionId=123

    Action=Login&Name=test&Pwd=test&Submit.x=23&Submit.y=5

Why would a business put themselves and their customers at risk by employing a practice that clearly makes sensitive data vulnerable to a man in the middle (MITM) attack? Were the companies attempting to save a few dollars by not installing SSL server certificates? Was this just a “convenience” so customers could save a mouse click, or was this just implemented incorrectly?

Attempting to answer these questions, I first appended https://www to the 9 companies’ domain names to see if their home pages would display using SSL encryption. Two out of the 9 returned errors indicating no server SSL certificate was installed. Two others returned errors indicating the certificates did not match the domain name. So 44% did not have SSL certificates installed or had certificate validation warnings displayed to the user. GoDaddy offers SSL certificates for $19.99 per year, so it’s hard to imagine this practice is driven by cost. Not a comforting thought.

Having a site visitor input his/her login/password from the home page, for example, is clearly more convenient and does save a mouse click. The question becomes, how is a visitor to know if his/her information is actually being transmitted securely? Some sites reviewed actually used graphics and verbiage to indicate customer data was being transmitted securely, when in fact it is not. Short of reading code, or testing with invalid information, a site visitor would not know. This is a large blow to user confidence to save a mouse click, in my opinion.

So what about the company that actually uses this practice, and does indeed submit to an HTTPS page? Based on HTTPLook, the process is secure and the information is encrypted. If you desire to submit secure information from unsecured pages, it appears it can be done securely if implemented correctly. However, in doing so, you place visitors in the unenviable position of trying to determine if your site correctly implements security. For that reason, I would strongly suggest avoiding this practice.

If you’re still not convinced this is a bad practice, repeat my steps with your bank, credit card companies, brokerage firm, or favorite online website. You may find yourself shocked, outraged, and an evangelist against this practice. I know I was.