writes in RISKS 21.86
> Kaiser Permanente has a Web site for members at http://www.kponline.org/ .
>
> The first page here is the signon page, where one enters a medical record
> number and their region to enter the site.
>
> A statement concerning online security ... indicates in the first
> paragraph that the medical record number will be sent via SSL:
> ...
> However no SSL connection is possible. Every attempt to obtain a secure
> connection gets redirected to the non-secure page.
It's not *quite* this bad. True, if you try to go to
https://www.kponline.org, you invariably get redirected back to the
unprotected page. However, the ACTION part of the sign-on form points
to https://kponline.kp.org/signon/signonmember, which is SSL-protected.
All further interaction with the Kaiser site after signing on appears
to be through SSL via kponline.kp.org.
But they make the same mistake mentioned by Skip La Fetra earlier in the
same RISKS digest: the medical record number is transmitted in the URL. So
Kaiser's claim is incorrect; the medical record number is not protected by
SSL.
Once you've registered, you need a PIN to sign-on, and that *is* sent via
SSL, so the PIN and the rest of your session appear to be reasonably well
protected. But in order to *get* a PIN, the only "authentication" data
required (besides the record number) is your full name.
I guess if you're a Kaiser member you should register on this site before
someone else does it for you.
George C. Kaplan, Communication & Network Services
University of California at Berkeley 1-510-643-0496 gckaplan@ack.berkeley.edu ["George C. Kaplan" via risks-digest Volume 21, Issue 88]
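The two weaknesses the post describes (a sign-on form served from an unprotected page, and a medical record number that ends up in the URL even though the form's ACTION target is SSL-protected) can both be caught by a simple form audit. The following is an added example, not code from the RISKS post or from Kaiser; the hostnames follow the post, but the form markup, the input field names (`mrn`, `region`) and the list of sensitive field names are constructed for illustration.

```python
"""Audit sign-on forms for two weaknesses: the form page itself is served
over http (so the ACTION could be altered in transit), and the form uses
GET, which puts its fields into the URL, where an identifier such as a
medical record number lands in server logs, proxy logs, browser history
and Referer headers even when the ACTION host is https."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names treated as sensitive. Constructed for this example; the real
# form's field names are not given in the post.
SENSITIVE_FIELDS = {"mrn", "medical_record_number", "pin", "password"}


class FormCollector(HTMLParser):
    """Collect each <form> with its method, action and input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                # HTML defaults to GET when no method attribute is given
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return a list of (form_action, finding) tuples for forms that carry
    sensitive fields. Forms without sensitive fields are ignored."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    page_scheme = urlparse(page_url).scheme
    for form in parser.forms:
        action = form["action"]
        # A relative ACTION inherits the scheme of the page it was served from
        action_scheme = urlparse(action).scheme or page_scheme
        sensitive = sorted(set(form["fields"]) & SENSITIVE_FIELDS)
        if not sensitive:
            continue
        if page_scheme != "https":
            findings.append((action, "form served over http; its ACTION could be altered in transit"))
        if action_scheme != "https":
            findings.append((action, "form sends sensitive fields to a non-https ACTION"))
        if form["method"] == "get":
            findings.append((action, "GET places %s in the URL" % ", ".join(sensitive)))
    return findings


# Constructed sample: an http sign-on page whose form targets an https host
# via GET. Hostnames follow the post; markup and field names are made up.
SAMPLE_PAGE_URL = "http://www.kponline.org/"
SAMPLE_HTML = """
<form action="https://kponline.kp.org/signon/signonmember" method="get">
  <input name="mrn" type="text">
  <input name="region" type="text">
  <input type="submit">
</form>
"""

# The same form as a defender would want it: served over https and
# submitted with POST, so the record number travels in the request body.
HARDENED_PAGE_URL = "https://www.kponline.org/"
HARDENED_HTML = SAMPLE_HTML.replace('method="get"', 'method="post"')

if __name__ == "__main__":
    for action, finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(action, "->", finding)
    print("hardened form findings:", audit_forms(HARDENED_PAGE_URL, HARDENED_HTML))
```

Switching the form to POST keeps the record number out of URLs and logs, but only serving the sign-on page itself over SSL closes the first finding: an unprotected page can have its ACTION rewritten before the browser ever reaches the https host.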