Two Plus Two Newer Archives  

11-16-2007, 03:18 PM
Quester
Senior Member
Join Date: Jun 2006
Location: Stuck in the middle
Posts: 688

TITN Security Concerns

As anyone who uses This is the Nuts is undoubtedly aware, they updated their website recently. It certainly looks a lot better. However, I have some serious concerns regarding security on the new site. I have sent them an email covering my concerns but received no response, so I feel it is appropriate to post here in hopes of generating discussion, and hopefully, change.

The old TITN site looked horrible, but the site was accessible using HTTPS instead of HTTP. The site had a valid SSL certificate signed by a root certificate authority. This means that if you accessed the site via HTTPS during the login process, your username and password were sent across the Internet in an encrypted channel.

The new TITN site lacks this security. When I emailed TITN shortly after they redesigned their site, they did not have HTTPS at all on the site. Now, if you browse to https://www.thisisthenuts.com, you will notice a few things:

1. They are using a self-signed SSL certificate, which is impossible to verify.
2. Your browser is redirected to this page: https://dw43.dns77.com/admin/login/L...2fDefault.aspx, which appears to be an administrative login for their service provider.

Without proper SSL protection on their website, TITN is potentially exposing their customers to hackers on the Internet. It would be fairly trivial for an attacker to harvest usernames and passwords from the site during the login process using a number of methods. The attacker could use the information for any number of reasons.

The information about your rakeback account at TITN should be something TITN considers confidential, much as an online banking account or your account at your favorite poker site.

Please, TITN, correct your site so it uses a valid SSL certificate, so your customers can feel secure knowing their account information is protected.

We're all poker players, but this isn't a case where any of us should be willing to gamble.
All times are GMT -4.

