This article is a continuation of The Pitiful State of the Web in May 2017 (Part 1) and a part of the Sorry State of the Web series. I and the others who contributed to the content of this series hope that web developers will learn from the mistakes of others and produce better quality websites.
Dakar: Language Issues and Insecure Login
Dakar Software Solutions is a well-known name locally, especially in the realm of payroll systems.
They had this little glitch with the language of dates in the news of their Dakinet product (which might be fixed now):
Also, Dakar joins the long list of websites that offer insecure login:
Insecure Login Galore
As you can imagine, Dakar is not alone in failing to transmit user credentials securely. We’ve seen a lot of these before, and we have a lot more to show here.
For starters, we have Freelance Malta. Since all of the site is based on insecure HTTP, the login form and both registration forms transmit credentials insecurely:
Then we have Gizmodo, the popular tech website:
KeepMePosted is a similar offender:
And then we have MyMoneyBox (part of the MFSA family), which given its name should know better about security. In fact, it seems to have now gone HTTPS, so the login is now secure. But as you can see below, it wasn’t until recently:
Couchsurfing: Invalid SSL Certificate
I recently caught the Couchsurfing blog giving invalid certificate warnings:
Oops. Looks like the certificate had expired.
Needless to say, it is useless to use HTTPS if it is not trusted. Fortunately, this issue has since been fixed.
Malta Police Force: Passwords In Email, Freedom of Information Link
The Malta Police Force website offers a number of services including filing a police report online. At the bottom of the declaration where you’re about to file a report, there’s a link to the Freedom of Information Act:
Unfortunately, it doesn’t work:
That error is actually coming from elsewhere on the government network (looks like it’s the Department of Information). Either the Malta Police Force need to fix their link to point elsewhere, or the DOI needs to fix a problem in their SharePoint system.
There’s something a lot worse, though. Some people have reported that when you file a police report, you choose a password, which is then sent to you via email.
This image was contributed by someone who actually filed a real police report. Aside from various spelling issues in the email, you can see that the password (obfuscated here for obvious reasons) is included.
This is something you always want to avoid because you can never assume that email is a secure channel on which to send sensitive information such as credentials or credit card information. Good practice is to let users choose their password over a secure channel (which the system reportedly already does), store it securely using a one-way hash, and provide the means to reset it using limited-time tokens in case the password is forgotten.
Rizzo Farrugia – Broken Link For New Equity
When new shares under the symbol “PG” were listed on the Malta Stock Exchange, Rizzo Farrugia were quick to add it to their own list:
However, they were not nearly as fast at creating the detail page that the listing links to:
No big deal there. It was fixed the next day.
PWC Refresh Form
PricewaterhouseCoopers has this newsletter signup form. It has a reset button. Something pretty normal, you’d think, until you see that it refreshes the entire page!
Form resetting functionality has been built into browsers since long before I started creating websites (15 years and counting). In this case, I see they wanted to reset the CAPTCHA. But they already have functionality to reset the CAPTCHA without reloading the page (the orange round arrow next to the CAPTCHA), so why reload the whole page just to reset a form?
IDPC: Line Spacing
The Office of the Information and Data Protection Commissioner has a form where you can submit complaints:
What I’d like to call out here is the questionable design choice of using massive line spacing, which is especially noticeable in the Complaint text area since about half of the tiny box is wasted with empty space.
Line Separator Characters
JobsPlus, whose encoding issues we have already visited in “The Broken Web of March 2017“, is now also exhibiting these weird LSEP characters:
It’s okay though. Perhaps they can’t sanitise their data, but they still get to keep their eBusiness Award!
I have also spotted the same problem at Creative Jobs:
Summary
Transmitting credentials insecurely remains one of the most common issues on websites today, and it is completely unacceptable. Depending on the nature of the user account, this might not be as risky as transmitting credit card details insecurely (something we’ve also seen in abundance over the past few months), but that does not relieve websites from their duty as data controllers to transmit sensitive data securely.
It is also important to test websites properly in order to identify broken links and data-related issues as we have seen.
Finally, secure transmission of sensitive data does not stop at using HTTPS. SSL certificates must be integral and trusted, otherwise it is just as good as not having HTTPS. Email is not a secure channel, so don’t use it to send sensitive data, especially if there exist alternative data flows where you don’t have to.