No SSL encryption Movescount.com?



  • I bought a Traverse maybe a year back and started down the road of trying to use SA. That hasn’t panned out as it seems the Traverse is not going to be really supported by SA. So a month or so back I decided I would try to use Movescount for a trip I had to Europe where I wanted to plan some routes. Anyway, after a few initial issues, I managed to get Movescount working on my Pixel 4 and started syncing a few activities. Anyway, I haven’t been using the site much, but today I wanted to check out the tracks from a ski tour I did this last weekend, and I see that Chrome is telling me Movescount.com isn’t using SSL. Is this true? I mean I have personal data and location data on the site, so it needs to use SSL. Also, was this change recent or did I just not notice it the few times I’ve used the site? I just emailed support, but someone please tell me this is user error and I’m just misunderstanding what’s going on. This is really the only option I have left to use this watch and I can’t use it without SSL.

    ssl.png

    Rob


  • Moderator

    The sign in seems to use SSL, the rest may be not for what I can see from outside. Disclaimer: never used MC, don’t have an account.



  • Yes, it does use SSL for login, but it’s really poor security practice to have the main site with personal data not use SSL. Even if there is no form input, an attacker could inject code into that site to trick a user into inputting information, and GPX files being downloaded without SSL means there is personal location data being moved in clear text. Anyway, thought I’d ask. I’m pulling all my data off the site now.



  • I verified that when downloading your GPX/FIT/other format files, they are sent over HTTP as well:

    downloadNotSSL.png

    Anyway, I deleted all my moves and called support and asked them to delete my account. This is a big issue and your files can easily be sniffed using freely available open source tools. At the very least, don’t access this site on any kind of public wifi. Your data is in the open.
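
The pattern described in the posts above (HTTPS for sign-in, plain HTTP for account pages and GPX/FIT downloads) can be checked from a browser HAR export of your own session. The following is an added example, not part of the original thread and not Suunto's code; the host `site.example`, the paths, the cookie value and the finding labels are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR fragment; hostnames, paths and cookie values are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://site.example/login", "headers": []},
     "response": {"headers": [
         {"name": "Set-Cookie", "value": "session=abc123; HttpOnly"}]}},
    {"request": {"url": "http://site.example/moves/1", "headers": [
         {"name": "Cookie", "value": "session=abc123"}]},
     "response": {"headers": []}},
    {"request": {"url": "http://site.example/export/move1.gpx", "headers": [
         {"name": "Cookie", "value": "session=abc123"}]},
     "response": {"headers": []}},
    {"request": {"url": "https://site.example/static/app.js", "headers": []},
     "response": {"headers": []}},
]}})

TRACK_EXTENSIONS = (".gpx", ".fit")  # the export formats named in the thread


def header_values(headers, name):
    """Return all values of a header from a HAR name/value list (case-insensitive)."""
    return [h["value"] for h in headers if h["name"].lower() == name.lower()]


def audit_har(har_text):
    """Return (finding, url) pairs for traffic exposed outside TLS."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        if url.scheme == "https":
            # A cookie set over HTTPS without Secure is also sent on later HTTP requests.
            for cookie in header_values(resp["headers"], "Set-Cookie"):
                attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
                if "secure" not in attrs:
                    findings.append(("cookie-without-secure", req["url"]))
        elif url.scheme == "http":
            findings.append(("cleartext-request", req["url"]))
            if header_values(req["headers"], "Cookie"):
                findings.append(("cookie-sent-in-cleartext", req["url"]))
            if url.path.lower().endswith(TRACK_EXTENSIONS):
                findings.append(("track-file-in-cleartext", req["url"]))
    return findings


if __name__ == "__main__":
    for kind, url in audit_har(SAMPLE_HAR):
        print(f"{kind:26} {url}")
```
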


  • Community Manager

    Movescount is going away so I suppose this will be solved in a way.



  • Yeah I guess so, but in the meantime I have no good solution to use my Traverse. Personally, I’m not ok with my precise location data being exposed. A lot of my day rides start from my house, so that’s my exact home location. I’m surprised that Suunto is willing to take the risk of a major data breach like this. I’m sure there’s some kind of regulations in various countries that they are not compliant with. Oh well, it is what it is. I’m crossing my fingers on routes and POIs using SA. I could be satisfied if I had those. 🙂

