Security - is it ok to send a username and passwor

Published 2019-03-24 15:41

We are an organisation who have purchased a system which is used by doctors to view test results of patients (quite sensitive information). Being a programmer, I have poked and prodded with the system and found that it submits the username and password via an HTTP GET request. On the domain it is run on, all computers are set to bypass the proxy, so the URL with the request won't be saved in some proxy log somewhere. But I would argue this is an unsafe way of handling username and passwords anyway.

The vendor will argue that since we never asked for it, it will be an 'enhancement' which will require additional $$$. (We never wrote the specifications for the system in the first place).

What kind of case could I make to management to make them feel this isn't to standard and that probably the only way this system would be secure is through HTTPS?

EDIT: Thanks for all your responses! I have raised the issue with the project leader, her response was along the lines of "what's HTTP?". So I plan to explain it all to her in better detail, investigate the legal implications and try to raise the issue with the programmers directly asking why they went that path. I will also try and explain the situation to other colleagues who don't have any direct involvement but may be able to have some influence on the matter.

Tags: security http
9 answers
仙女界的扛把子
Reply #2 · 2019-03-24 16:10

Was this custom software or something used by others? If the latter, consider joining or starting a user group representing all those who use the software.

干净又极端
Reply #3 · 2019-03-24 16:15

You have two issues here, one technical, one contractual (and hence legal). I would not be asking for legal advice on Stack Overflow.

The technical answer is obvious - these guys that did your system are clowns, since they left a gaping security hole in it.

Legally, it's going to depend on which country you're in (I notice you're from Brisbane so hello from the other side of the country). Many will have medical and/or privacy legislation which may have been violated so that's one thing to check for. The HIPAA laws that others have suggested looking into are US only; we may have an equivalent in Australia but I'm pretty certain privacy laws here in Oz could be brought into play.

Similarly, you need to look over the contract (whether you drafted it or not, I'm assuming you (or your predecessor) signed it otherwise there's no obligation on your part to pay them at all) to see if privacy was a requirement. Even if not, a competent lawyer could argue that it was an implicit requirement.

You may well have to suck it up and pay the extra money - I've worked for some big companies and they tend to lay off all responsibility for anything not listed in the deliverables to the client (this is usually written into the contract). If your vendor is a competent one (in terms of business rather than client satisfaction of course), they will have done exactly this.

But first, contact a lawyer for advice. They're scum-sucking bottom feeders :-), but they are the people who will know what to do and they are best able to examine the contracts and advise you of the best options open to you. I used one about 10 years ago to get out of a car contract that I could no longer afford and, even though it cost several thousand dollars, that was much better than the alternative.

Unless they're frequenting SO, the advice you're going to get here is either skewed to the technical side (best case) or downright dangerous in a legal sense (especially since it'll be mostly based on US law). Not wishing to advertise for lawyer types, I do know you can find one here.

Best of luck.

放我归山
Reply #4 · 2019-03-24 16:19

Usernames and passwords should never be sent unencrypted across the network, so insist on HTTPS for at least authentication. My preference would be that the username/password only be accepted via POST (so that it doesn't appear in the URL at all), but you could conceivably encrypt and encode the password so that it could be put in a GET request. I can't envision any reason why I would do this instead of a POST.

[EDIT] As others have indicated, if you have patient-related data, you may need to encrypt all communications with the server. If you are in the US, I would urge you to look into the HIPAA regulations to see what if any apply here with regard to securing the data, especially subsection 164.306 of the Privacy Rule (PDF).

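An added example, not code from the answer above or from any vendor system, of what "only via POST, over HTTPS" means at the endpoint: a minimal WSGI login handler that rejects credentials found in the query string, refuses plain HTTP, and only then reads the form body. The parameter names, the user store and the `simulate` helper are assumptions constructed for the demonstration.

```python
import io
import hmac
from urllib.parse import parse_qs

# Parameter names treated as credentials; an assumption for this example.
CREDENTIAL_KEYS = {"username", "user", "password", "passwd", "pwd"}
# Constructed user store for the demo; a real system stores salted hashes.
USERS = {"MrGreen": "correct-horse-battery-staple"}


def login_app(environ, start_response):
    """WSGI login endpoint: credentials accepted only in a POST body over HTTPS."""
    text = [("Content-Type", "text/plain")]
    query = parse_qs(environ.get("QUERY_STRING", ""))
    # A username or password in the query string lands in browser history,
    # Referer headers and server access logs no matter which method is used.
    if CREDENTIAL_KEYS & set(query):
        start_response("400 Bad Request", text)
        return [b"credentials must not be sent in the URL\n"]
    if environ.get("wsgi.url_scheme") != "https":
        start_response("403 Forbidden", text)
        return [b"login is only accepted over HTTPS\n"]
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", text + [("Allow", "POST")])
        return [b"use POST\n"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
    user = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    expected = USERS.get(user, "")
    # Constant-time comparison; a real system compares password hashes.
    if expected and hmac.compare_digest(expected, password):
        start_response("200 OK", text)
        return [b"welcome\n"]
    start_response("401 Unauthorized", text)
    return [b"bad credentials\n"]


def simulate(method, scheme, query="", body=""):
    """Drive login_app with a constructed WSGI environ; returns the status line."""
    data = body.encode("utf-8")
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "QUERY_STRING": query, "CONTENT_LENGTH": str(len(data)),
               "wsgi.input": io.BytesIO(data)}
    status = []
    login_app(environ, lambda s, headers: status.append(s))
    return status[0]
```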
一夜七次
Reply #5 · 2019-03-24 16:24

A good way to make your case is to grab a relatively technical (or bright) manager who'll understand if you show them a live ethereal trace of a login (look! here's the password for user: MrGreen. What, don't believe me? Here try it yourself!).

Only do this without asking first if you trust and know the manager, else just talk to him about this and if he doesn't believe you, ask for permission to show. If he doesn't grant it, you could point to this question or other online resource. But if they don't care, you're out of luck, I'd say.

Do the live trace, explain simply what you did (anybody on our network can do this, it's just as easy as installing this program). Afterwards explain that it's almost free to get encryption going on the system which would prevent that and that the application barely has to be modified in the least. And that it would have the benefit of transmitting everything encrypted so the records would be a lot safer as well.

Then leave that manager to take care of the appropriate permissions/budget approval/whatever.

And the only sane way to fix it overall is indeed using POST (to fix the password being sent in the URLs) and HTTPS.

What worries me the most is that people who send plaintext passwords over the network will probably have many other security flaws.

女痞
Reply #6 · 2019-03-24 16:24

Even when using SSL, please remember that when usernames and passwords are sent using GET, they are included as part of the URL.

This will mean that any server logs will contain the usernames and passwords as part of the logging process. Therefore you will need to secure these logs, or at least prevent the logging of the query string.

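An added example, not part of the answer above, of the server-side check this implies: scan combined-format access log entries for credentials carried in the query string and redact the values before the log is retained. The sensitive parameter names and the sample log lines are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Query parameter names that must never reach a log; an assumption for this example.
SENSITIVE = {"password", "passwd", "pwd", "pass", "token"}
# Pulls the request line out of an Apache/nginx "combined" format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample entries modelled on the scenario in the question.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2019:16:24:01 +1000] "GET /login?username=MrGreen&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Mar/2019:16:24:02 +1000] "GET /results?patient=12345 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Mar/2019:16:25:10 +1000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def leaked_parameters(line):
    """Return the sensitive query parameter names present in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return set()
    query = urlsplit(m.group("target")).query
    return {k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE}


def redact_line(line):
    """Rewrite the request target so sensitive parameter values read REDACTED."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = parts._replace(query=urlencode(pairs)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):]


def scan(log_text):
    """Return (line number, parameter names) for each line that leaks credentials."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        leaked = leaked_parameters(line)
        if leaked:
            hits.append((number, sorted(leaked)))
    return hits
```

Redaction after the fact only limits the damage; the fix the answer asks for is to keep credentials out of the query string entirely.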
Reply #7 · 2019-03-24 16:25

This is no less secure than built-in basic HTTP authentication.

This is true, except for one subtle point, that the username & password, depending on how the system is designed, may appear in the browser window's address bar.

At the very least, I think they should POST that information to the server.
