HTTPS only works if you use it.
Coinbase is an online bitcoin exchange backed by $106M in venture capital investment. They’ve got a strong HTTPS security posture, including the latest ciphers, a 4096-bit RSA key, and advanced features like browser-preloaded HSTS and HPKP.
SSLLabs grades Coinbase’s HTTPS deployment an A+:
This is a well-secured site with a professional security team.
Here’s the email they just sent me:
Let’s run the MoarTLS Analyzer on that:
That’s right… every hyperlink in this email is non-secure, and any click can be intercepted and redirected anywhere by a network-based attacker.
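As an added example (not code from the post or from the MoarTLS Analyzer), here is a small Python audit of the kind the analyzer performs: it extracts every hyperlink from a constructed HTML email and flags the http:// ones, separating links whose host is HSTS-preloaded (which a current browser rewrites to https before the first request) from third-party hosts that nothing rescues. The domain names and the preload set are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def _is_preloaded(host, preloaded_hosts):
    # A preload entry covers the host itself and, with includeSubDomains, its subdomains.
    return any(host == h or host.endswith("." + h) for h in preloaded_hosts)

def audit_email_links(html, preloaded_hosts=()):
    """Return [(url, verdict)] in document order. Verdicts: secure (https://),
    insecure (http://, interceptable on the network), insecure-but-preloaded
    (http:// to an HSTS-preloaded host: current browsers rewrite it to https
    before the first request; older clients and non-browser handlers do not),
    non-http (mailto:, tel:, ...)."""
    parser = _LinkExtractor()
    parser.feed(html)
    report = []
    for url in parser.hrefs:
        parts = urlsplit(url)
        if parts.scheme.lower() == "https":
            verdict = "secure"
        elif parts.scheme.lower() == "http":
            host = (parts.hostname or "").lower()
            verdict = "insecure-but-preloaded" if _is_preloaded(host, preloaded_hosts) else "insecure"
        else:
            verdict = "non-http"
        report.append((url, verdict))
    return report

def insecure_links(html, preloaded_hosts=()):
    """Just the http:// links that no HSTS preload entry would rescue."""
    return [u for u, v in audit_email_links(html, preloaded_hosts) if v == "insecure"]

# Constructed sample: a welcome email from a hypothetical exchange whose own domain
# is HSTS-preloaded but whose email vendor routes clicks through an HTTP tracking host.
SAMPLE_EMAIL = """<html><body><p>Thanks for signing up!</p>
<a href="http://example-exchange.test/login">Log in</a>
<a href="http://click.mail-vendor.test/track?u=abc">View your statement</a>
<a href="https://example-exchange.test/help">Help center</a>
<a href="mailto:support@example-exchange.test">Contact us</a>
</body></html>"""
```

Run `audit_email_links(SAMPLE_EMAIL, {"example-exchange.test"})` to see that the vendor's tracking link stays flagged even though the exchange's own domain is preloaded.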
Sadly, Coinbase is far from alone in snatching security defeat from the jaws of victory; my #HTTPSFAIL folder includes a lot of other big names:
It doesn’t matter how well you secure your castle if you won’t help your visitors get to it securely. Use HTTPS everywhere.
-Eric
Update: I filed a bug with Coinbase on HackerOne. Their security team says that they “agree” that these links should be HTTPS, but the problem is Mailchimp (their email vendor) and they can’t fix it. Mailchimp offers a security vulnerability reporting form, delivered exclusively over HTTP:
Coinbase isn’t the first service whose security is bypassed because its emails are sent with non-secure links; the Brave browser download announcements suffered the same problem.
Time for companies to dump the monkey.