This will be the last article in the Sorry State of the Web series (at least for the time being). The idea was to learn from the mistakes of other so-called ‘professional’ websites, ranging from silly oversights to illegal practices. Hopefully, the silliness encountered has also made some people smile.
However, with 11 articles over 6 months, I believe I’ve made my point enough times over. Despite all the technological advancements, the web is in a state that I can call sick at best, and that is mainly the result of clueless developers. I have some slight hope that things may get better, but given that most of the issues I pointed out have not been addressed to date, that hope is realistically very slim.
From my part, I want to focus less on beating a dead horse and more on learning technology and writing high quality articles. I don’t exclude revisiting this series in future if I feel it’s worth it though. Once again, I extend my heartfelt thanks to all those who have contributed entries for this article and the ones before it.
Banif: Random Virtual Keyboard
If you think that the mainstream banks in Malta have terrible websites (and recently I covered how Mediterranean Bank’s newly launched online investment platform took them several steps back), then you should really take a look at Banif Bank Malta.
To log into their online banking section, you have to enter a username and a password. This would be understandable, if not for the fact that the password field is disabled so you can’t actually type into it. Instead, you have to click on keys on a virtual keyboard. To make matters worse, this is not your usual QWERTY keyboard: the key placements are randomised.
Let’s consider a few reasons why this is a terrible idea:
- It slows down password entry, both because one has to use the mouse vs the keyboard and because the random placement requires the eye to look for keys as opposed to using muscle memory. This makes it easier for people watching you enter the password to identify what you are actually entering, and it also makes you more likely to pick simpler passwords.
- People looking over your shoulder can easily see what key the cursor is on, which defeats the purpose of password field obfuscation.
- The restrictions on the password field are client-side and trivial to disable. This does no favours for server-side security, which should really be the main focus.
- You cannot use a password manager.
Since I’m not a security expert, I presented this case to the community at Information Security Stack Exchange. From there, I got to two related existing questions:
- What is the idea of passwords with random buttons position
- Does overlaying the mouse on a virtual numeric keyboard really protect against keyloggers?
It seems that the main reason why this horrendous technique is used is to counteract keyloggers, which at a basic level can’t track keypresses (since they are not happening) or mouse clicks (since the placement of keys on the screen changes).
However, as one of the best answers points out, this is merely an arms race between the bank and attackers. It’s a vicious circle in which attackers and banks take it in turns to step up their game. The end result is that customers are the ones paying the price, by having to deal with ridiculous security measures like this.
Dealing with keyloggers is hardly an excuse for this kind of rubbish. There are much more robust and orthodox ways of dealing with this sort of thing, such as one-time passwords or two-factor authentication.
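To show what the orthodox alternative looks like in practice, here is an added example (written for this edit, not code from Banif or from the Stack Exchange answers) of a one-time password scheme in Python following RFC 4226 and RFC 6238: a generator plus the server-side verifier, which tolerates one window of clock drift, compares codes in constant time, and refuses to accept a window it has already consumed, so a code captured by a keylogger or a shoulder-surfer is useless once it has been used. The key is the RFC's own published test key, included only so the output can be checked against the RFC test vectors; the class and function names are my own.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B uses this 20-byte ASCII key for its test vectors. It is a
# known public value for checking the code, not a secret anyone should deploy.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second windows
    elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier for one account.

    Accepts the current window and `skew` windows either side to tolerate clock
    drift, compares in constant time, and never accepts a window at or before
    the last one used, so a sniffed code cannot be replayed even while it is
    still nominally valid.
    """

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1  # highest window already consumed

    def verify(self, code, unix_time=None):
        if unix_time is None:
            unix_time = int(time.time())
        current = unix_time // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_counter:
                continue  # already used, or older than one we accepted: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, str(code)):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_KEY, now)
    verifier = TotpVerifier(RFC_TEST_KEY)
    print("code:", code,
          "first use:", verifier.verify(code, now),
          "replay:", verifier.verify(code, now))
```

With the RFC test key, `totp(RFC_TEST_KEY, 59, digits=8)` gives `94287082`, the first row of the RFC 6238 test table, which is a quick way to confirm the truncation step is right before trusting the verifier with real keys.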
One of the most common issues we’ve seen throughout this series is that of websites with login forms where the credentials are not transmitted over HTTPS. Thus it is not hard for them to be intercepted and read in clear text. Keeping up with tradition, we have a list of such examples this month.
We can start with American Scientist, which I see has since undergone a complete redesign and does currently use HTTPS for the whole website (including login). This is how it was just a couple of weeks ago:
Then we have the Malta Chamber of Advocates, which aside from very ridiculously presenting a homepage with no content whatsoever, is just another case of insecure login:
But wait! The next one, ironically, is from none other than Bank Info Security:
Then we have Great Malta (whatever that is supposed to mean):
Local newspaper The Malta Independent is no less guilty:
…and neither is Infobel:
In another case of irony, we can look at J. Grima & Co. Ltd. They are “Security & Fire Specialists”, but web security is clearly not one of their areas of expertise.
I was very excited (!) to come across Excitable Web, because it is a prime example of the clueless developers I was mentioning earlier. It is of little importance that each time you load a page, it seems to render without CSS for half a second before rendering properly, because we’ll focus on more interesting stuff here. If you click on the “Who We Are” link, you get this:
You can see there are a couple of MySQL errors displaying directly in the page due to deprecated code. Such an experienced professional should know that server-side errors should never be displayed directly to the visitor, as this may reveal vulnerabilities among other things.
These errors seem to have been fixed since then, so we’ll move onto the next thing: the writing. It’s really generous of the webmaster to give us:
“A Breif [sic] Background On With [sic] Whome [sic] You Are Dealing With”
You can find other such gems within the content itself. Thank you, Adrian. Now we really know who we are dealing with.
For extra points, spot one of my own blunders within that screenshot!
Here’s a tiny oversight from Norwegian operator Flybussen. While their site has an English version, their calendar unfortunately doesn’t:
JobsPlus Going Below Minimum Wage
JobsPlus has by now become a regular in this series. Those who believe that we should have equal pay for equal work (which is a legal requirement, by the way) will be delighted to see this vacancy where the position advertises a salary range of between EUR4,500 and EUR70,000. What’s even funnier, though, is that EUR4,500 is actually below the minimum wage (another legal requirement) for a 40-hour full-time work week.
Legal requirements aside, this is just a case of missing validation by our award-winning friends at JobsPlus who should have a central role in avoiding precarious work and exploitation.
Kelly on Yellow Pages
If you take a look at the Yellow Pages entry for Kelly Industries, you’ll come to the conclusion that they have enough business to not give a rat’s ass about what potential customers think about their brand.
I’ve received reports about issues with Malta’s National Centre for Creativity’s payment processing engine, but I haven’t been able to verify them without actually attempting to make a purchase. However, I did notice that the checkout button is not properly visible if you’re using a laptop (and thus a limited screen resolution):
For a National Centre for Creativity, I must also point out that they didn’t quite put a lot of creativity into the website’s design.
Another common problem we’ve seen throughout the series is that of using HTTPS, but serving some content over HTTP. This is called Mixed Content, and it invalidates the trust guaranteed by a fully HTTPS website.
This month, we have Malta Gift Service (also guilty of using Comic Sans for their main header):
…and our dear friends at Scan:
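Both of the recurring problems in this series, login forms that send credentials over plain HTTP and HTTPS pages that pull in content over HTTP, can be caught before a site goes live by scanning the rendered HTML. The following is an added example (my own code for this edit, not from any of the sites mentioned) using only Python’s standard library: it resolves every form action and resource URL against the page URL, flags forms with a password field that post over HTTP (or sit on an HTTP page, where an on-path attacker can rewrite the action anyway), and splits mixed content into active (scripts, stylesheets, frames, which can change the page) and passive (images and media). The page URL, host names and HTML below are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Active mixed content can run code or restyle the page; passive mixed content
# can only be observed or swapped for different media.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source", "track"}
RESOURCE_TAGS = ACTIVE_TAGS | PASSIVE_TAGS
URL_ATTRS = ("src", "href", "data")


class PageAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlparse(page_url).scheme
        self.insecure_forms = []  # resolved actions of password forms at risk
        self.mixed_content = []   # (severity, tag, url) found on an https page
        self._form = None         # the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._form = {"action": action, "has_password": False}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._form["has_password"] = True
        if self.page_scheme == "https" and tag in RESOURCE_TAGS:
            for attr in URL_ATTRS:
                url = attrs.get(attr)
                # Relative and protocol-relative (//host/...) URLs inherit https.
                if url and urlparse(urljoin(self.page_url, url)).scheme == "http":
                    severity = "active" if tag in ACTIVE_TAGS else "passive"
                    self.mixed_content.append((severity, tag, url))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                action_scheme = urlparse(self._form["action"]).scheme
                # Credentials are exposed if the form posts over http, and also
                # if the page itself came over http: the action can be rewritten.
                if action_scheme != "https" or self.page_scheme != "https":
                    self.insecure_forms.append(self._form["action"])
            self._form = None


def audit_page(page_url, html):
    """Return the insecure password forms and mixed-content loads in `html`."""
    auditor = PageAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return {"insecure_forms": auditor.insecure_forms,
            "mixed_content": auditor.mixed_content}


# Constructed sample page: an https checkout page with one bad stylesheet, one
# bad image, one login form posting over http, and two forms that are fine.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://cdn.example.test/site.css">
  <script src="//cdn.example.test/app.js"></script>
</head><body>
  <img src="http://static.example.test/logo.png">
  <form action="http://www.example.test/login" method="post">
    <input type="text" name="user"><input type="password" name="pass">
  </form>
  <form action="/search"><input type="text" name="q"></form>
  <form method="post"><input type="password" name="pin"></form>
</body></html>
"""

if __name__ == "__main__":
    for key, items in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(key)
        for item in items:
            print("  ", item)
```

Run against a saved copy of a page, this reports the stylesheet and the logo as mixed content (the protocol-relative script is fine) and only the login form as insecure; the search form has no password field and the PIN form posts back to the https page itself.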
Apostrophes of Doom
Given that my surname contains an apostrophe, it is often a pain to deal with validation that unreasonably decides that an apostrophe is an invalid character. I’ve written about this especially in the original “The Sorry State of the Web in 2016”. There is no real reason not to accept apostrophes if you’re using proper practices (e.g. prepared statements) to prevent SQL injection.
Unfortunately, Microsoft has decided that my surname cannot have an apostrophe:
I suppose I will need to remove the apostrophe from my identity card if I want to ever get a job at Microsoft.
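To make the apostrophe point concrete, here is an added example (my own Python code for this edit, using the standard sqlite3 module and constructed sample names; it is not taken from Microsoft’s or anyone else’s site). The concatenated query fails on a surname like O’Neill, which is precisely why developers reach for banning the character, while the parameterised query handles it as plain data. The last function also picks up the point made about Excitable Web above: when a database error does happen, it goes to the server log and the visitor sees only a generic message.

```python
import logging
import sqlite3

log = logging.getLogger("customer-lookup")


def make_db():
    # Constructed sample data; the surnames with apostrophes are the interesting rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers (surname) VALUES (?)",
                     [("Borg",), ("O'Neill",), ("D'Amato",)])
    conn.commit()
    return conn


def find_by_surname_unsafe(conn, surname):
    # The value is pasted into the SQL text. A perfectly legitimate apostrophe
    # ends the string literal early and the query dies with a syntax error;
    # the usual "fix" is to ban the character, which is the wrong lesson.
    sql = f"SELECT id, surname FROM customers WHERE surname = '{surname}'"
    return conn.execute(sql).fetchall()


def find_by_surname(conn, surname):
    # Parameterised (prepared) statement: the SQL text is fixed and the value
    # travels separately, so an apostrophe is just another character of data.
    return conn.execute(
        "SELECT id, surname FROM customers WHERE surname = ?", (surname,)
    ).fetchall()


def lookup_for_visitor(conn, surname, query=find_by_surname):
    """What a page handler should hand back to the browser.

    Database errors are logged server-side with full detail and the visitor
    gets a generic message; the raw driver error never ends up in the page.
    """
    try:
        rows = query(conn, surname)
    except sqlite3.Error as exc:
        log.error("customer lookup failed for %r: %s", surname, exc)
        return {"ok": False,
                "message": "Sorry, something went wrong. Please try again later."}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    conn = make_db()
    print(lookup_for_visitor(conn, "O'Neill"))
    print(lookup_for_visitor(conn, "O'Neill", query=find_by_surname_unsafe))
```

The same pattern applies to any driver: the placeholder syntax differs (`?`, `%s`, `:name`), but as long as the value is passed as a parameter rather than spliced into the string, no character needs to be banned from a surname.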
The Piscopo Gardens website has been down for I don’t know how long due to some internal server error.
Aron isn’t doing a very good job at keeping the site up and running.
Swiss recruiter Robert Half believes that “It’s time we all work happy.™” (so much that a trademark was apparently filed).
That obviously doesn’t apply to their own website, which clearly doesn’t work if you enter “.net” in the search field:
Now I understand the name. Their website only Half works.
We noticed a couple of things on Ryanair’s website that are more sneaky practices than examples of bad web design per se.
First, there’s the newsletter checkbox that is opt-out rather than opt-in (i.e. it automatically signs you up if you ignore it and leave it unchecked):
Then there’s this appeal to fear the middle seat:
Oh dear, not the middle seat!
Image credit: Taken from Wikipedia
Better to go for a team-building treasure hunt in 35-degrees-Celsius weather with a laptop on my back than be stuck in a middle seat! Actually, no. Give us a break, Ryanair.
I am happy to have managed to raise awareness about bad practices in web design with this series. I know this because I have heard several reports of companies that I have pissed off. I am a lot less happy that these companies have not really done much about it despite all this. That is their problem now. No doubt others have learned from the countless issues pointed out.
Let’s continue to make companies with a web presence understand that such a public face requires a high level of professionalism, and that they will lose business if they don’t step up their game.
Once again I would like to thank all the contributors to this series, and also the readers who have loyally followed it.