This page contains a single entry from the blog posted on February 12, 2013 2:46 PM. The previous post in this blog was On hold. The next post in this blog is What, no streetcar?. Many more can be found on the main index page or by looking through the archives.

E-mail, Feeds, 'n' Stuff

Tuesday, February 12, 2013

Library security hole reported fixed

The reader who complained of a possible security weakness in the Multnomah County's new website writes to tell us that the danger has been averted:

I just wanted to let you know that your posting my concerns about the need to protect library patrons' personal information on multoclib.org has worked. The library web form pages I checked, including Email a librarian, Comments and suggestions, Account services chat, and Suggest a purchase, are all now employing the Secure Socket Later (SSL) protocol. This means that where users are asked to provide emails, phone numbers, library card numbers and PIN numbers, their info is protected.

I didn't hold out much hope after reading the library marketing guy's uninformed reply in the comments, but apparently someone who could do something about it was also paying attention.

Thanks for your help in getting this flaw fixed.

We really wonder if we had anything to do with it, but however it happened, we're glad it's been resolved.

Comments (1)

I also both called and e-mailed the library about this issue, making a strong case for the fact that no ssl indicators such as https were visible. I was less than thrilled with the final response from the library IT people but I took a wait and see approach. It's one thing to bluster about how safe it was (they did) another to actually see what, if anything, they did. One can act on that.

I haven't reviewed what changes have taken place, but it seems from this post, restoration of ssl has been done.

I should note that the person to whom I spoke took serious interest in my complaint, checking it for herself, came into agreement that at least, it was not obvious that communications were secure and took steps as well to get to IT about it.

Thank you all who acted on this information, and thanks Jack, for posting it here.

Clicky Web Analytics