- Where is there any assurance that all of the staff at NetIDme have been subjected to at least the same level of Criminal Records Bureau checks as if they were employed at a school?
There is no such assurance.
Why should any parent trust a commercial organisation which aims to build a database of "hundreds of thousands" of children's online identities within a year, without even this level of assurance against "insider" attacks?
- Why is there no use of Secure Sockets Layer version 3 (SSL) or Transport Layer Security version 1.0 session encryption, either when filling in sensitive personal details such as Nickname and Password during registration, or to protect the online credit card details, or for a child to actually log on to the service via the website?
There is no SSL Digital Certificate installed on the httpS://www.netidme.com webserver [18.104.22.168]!
Similarly there is no SSL Digital Certificate in operation on the corporate www.netidme.net [22.214.171.124] webserver either.
Given the sensitive personal information which is collected, and the usernames ("nicknames") and passwords which are transmitted in the clear over the internet, where they can be harvested and intercepted by malicious people or software on, for example, a school's local area network, or at the child's internet service provider, why has this simple, relatively inexpensive, bog standard e-commerce precaution not been taken?
SSL/TLS encryption, especially without a client-side certificate installed in your web browser, is not infallible, but it would go a long way towards preventing genuine NetIDme credentials from being stolen by anyone with physical access to, say, a school's local area network or an unsecured home wireless LAN.
Does this mean that this validation is only being done in the client web browser and not by the server-side scripts? Does this mean that there are potential SQL Injection attacks which would reveal some or all of the customer database?
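The point about browser-only validation is worth making concrete. The browser is under the user's control, so any check that runs only there can simply be skipped, and whatever the server then does with the raw field values is what actually matters. The following is an added example, not code from NetIDme or from this blog, and it assumes nothing about the real site: it builds a constructed in-memory members table with sqlite3, then contrasts a login handler that trusts the browser and concatenates the fields into SQL with one that re-validates on the server and binds the values as query parameters. The table, the nickname rule and the hypothetical `login_vulnerable` / `login_hardened` names are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed demo data standing in for a membership table. A real service
# would store a salted password hash, never the password itself; plaintext is
# used here only so that the two handlers can be compared on the same rows.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (nickname TEXT, password TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [("alice", "s3cret", "1234"), ("bob", "hunter2", "9876")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, nickname: str, password: str):
    """Assumes the browser already validated the fields and pastes them straight
    into the SQL text. Anything the user types becomes part of the query."""
    sql = (
        "SELECT nickname, card_last4 FROM members "
        "WHERE nickname = '%s' AND password = '%s'" % (nickname, password)
    )
    return conn.execute(sql).fetchall()


# Server-side rule for what a nickname may look like (an assumption for the demo).
NICKNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def login_hardened(conn: sqlite3.Connection, nickname: str, password: str):
    """Re-validates on the server regardless of what the browser did, and binds
    the values as parameters so the database never parses them as SQL."""
    if not NICKNAME_RE.fullmatch(nickname):
        return []
    if not 1 <= len(password) <= 128:
        return []
    sql = (
        "SELECT nickname, card_last4 FROM members "
        "WHERE nickname = ? AND password = ?"
    )
    return conn.execute(sql, (nickname, password)).fetchall()


def compare_handlers(nickname: str, password: str):
    """Runs both handlers on the same input and returns the row counts they
    disclose, so the difference can be checked rather than just read."""
    conn = build_demo_db()
    return len(login_vulnerable(conn, nickname, password)), len(
        login_hardened(conn, nickname, password)
    )


if __name__ == "__main__":
    # A genuine login is answered identically by both handlers.
    print("valid login  :", compare_handlers("alice", "s3cret"))
    # A password field containing quote characters makes the concatenating
    # handler return every member's row; the parameterised one returns none.
    print("quoted input :", compare_handlers("alice", "' OR '1'='1"))
```

The hardened handler does two independent things, and both are needed: the format check rejects values the service never intended to accept, and parameter binding guarantees that whatever does get through is compared as data rather than executed as part of the statement. Only the second property actually closes the injection path; the first just narrows what reaches the database.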
Remember, this is not just your credit card information which is being put at risk by this company, but also, if you are foolish enough to trust their service, the online safety of your children.
See the next blog posting for the continuation of this article