The Procon-SP Foundation started using the HTTPS protocol throughout its website, including in the Register to Block the Receiving of Telemarketing Calls, after a press report: the system, launched in 2009, depended on unprotected connections for years, potentially exposing personal data such as address and telephone number. In other states, such as Rio Grande do Sul and Mato Grosso do Sul, systems to block unwanted calls still use HTTP.
The newspaper Now ran the test: it filled out the Procon-SP registration to block telemarketing, entering data such as name, CPF, RG, e-mail, address and telephone. Using a program to analyze the connection, it was possible to read all the information sent.
The reason is simple: the site adopted HTTP instead of HTTPS, so the data was not encrypted in transit. It would be relatively easy to intercept the connection and steal that information.
The Internet Archive shows that this page for blocking telemarketers has been using HTTP since at least 2011. The system was launched in 2009 after the approval of a state law: residents of São Paulo can opt out of unwanted calls from any company, including operators, banks, finance companies and real estate firms.
Procon-SP responded by saying that, as of the second half of August, it would start using the HTTPS protocol on the telemarketing blocking site. Said and done: we note that https://www.procon.sp.gov.br/bloqueiotelef became the access link this Friday (16).
The agency adopted an SSL certificate from DigiCert and the page loads all resources via HTTPS, ensuring greater security. However, some adjustments still need to be made: Google Chrome warns that the site uses old technologies like TLS 1.0 and RSA key exchange; the browser recommends switching to TLS 1.2 (or higher) and exchanging keys using ECDH.
Other telemarketing blocks still don’t use HTTPS
Do Not Disturb Me, created at Anatel's determination to block unwanted calls from operators, was launched in July with HTTPS. However, it does not bar calls from other companies, such as banks and real estate firms.
Several states offer online registrations for total telemarketing blocking, but many still use HTTP to receive personal data, instead of HTTPS.
We surveyed the anti-telemarketing registers that do not use an HTTPS connection:
Meanwhile, the states below adopt HTTPS:
The anti-telemarketing register of the Federal District uses HTTPS, except in the most important part: the forms that receive the login and registration data. It was launched in July and can be accessed at merespeite.procon.df.gov.br.
The state of Rio de Janeiro enacted a law in April that will create a telemarketing block register, but it has yet to be implemented. Mato Grosso, in turn, is considering a state bill on the subject.
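The failure described for the Federal District register, an HTTPS page whose forms submit over plain HTTP, can be checked from the page source. The following is an added example, not code from the article or from any of the agencies; the host cadastro.example.test, the field names and the sample HTML are constructed, and `<base href>` handling is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an HTTPS page with one form posting to an http:// URL
PAGE_URL = "https://cadastro.example.test/"
SAMPLE_HTML = """
<form action="http://cadastro.example.test/login" method="post">
  <input name="cpf"><input name="senha" type="password">
</form>
<form action="/registro" method="post">
  <input name="nome"><input name="telefone"><input type="submit">
</form>
"""

class _FormCollector(HTMLParser):
    """Collects each <form> with its action and the names of its fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append(a.get("name") or a.get("type") or tag)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_forms(page_url, html):
    """Return the forms on a page whose submission would travel over HTTP."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty or relative action inherits the scheme of the page itself
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme == "http":
            findings.append({"target": target, "fields": form["fields"]})
    return findings

if __name__ == "__main__":
    for f in insecure_forms(PAGE_URL, SAMPLE_HTML):
        print("sent in cleartext to", f["target"], "fields:", f["fields"])
```

Because relative actions are resolved against the page URL, the same markup served from an `http://` address reports every form, which is the situation the article describes for the registers that have not adopted HTTPS.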