I am by no means a security expert or a hacker, nor a digital voyeur. But if you and I found ourselves in the same Starbucks, and you settled down with your eight-dollar caramel macchiato and, using your iPad, opened up WebMD, should it be as easy as merely tapping open an app on my phone for me to spy on you and see if you’re looking up treatment options for hep C and borderline personality disorder? No, it shouldn’t; but it is, and yet it doesn’t have to be.
Given that it would be out of my reach to do that to you if WebMD would simply get with the program and provide for, preferably force, encrypted use of their website as Facebook, Google and many others do, and given that it’s well within WebMD’s reach to do that without much investment, why the hell don’t they? I think the answer is that most people have no idea how much of their Internet activity is unencrypted and how easy it is for the bad guys to read your unencrypted data. There’s just no demand pressuring WebMD to do this (or Bing), so they don’t bother.
But that don’t make it right.
Hey WebMD, your users aren’t looking up movie showtimes, this is sensitive medical information that needs to be kept private. Don’t put their data in the wind like this. Do the right thing and tell your web guys to force SSL across your entire site.