
How *not* to run a business public web site –

2015-12-03 07:26:18 PDT

Egad, yuck, what a negative experience.

Here, folks, a set of examples of how not to run a business public web site – at least not if one wants to be successful and set a good impression.
All these examples from within the last 12 hours (and very little interaction with the site to encounter all these issues and problems):

  • Do a major site transition with radical jarring changes, blast out an email to all your users of the old site that they should login to the new site and activate their account on the new site, and do this just before or right at the beginning of a scheduled maintenance outage … yes, they actually did that – jeez, what idiots (NARS – I think “Not A Rocket Scientist”). So, the user experience? – haven’t used the site in months or more, get this email, go to old site (hey, who knows if the email is legit – it was sent from new domain, not old), old site redirects to new, new … yeah, it’s down for maintenance – planned scheduled maintenance – ugh … idiots. So the new user experience is new site that’s 100% down when visited (at least for the first half hour or more). This also fails the “high availability” criteria – such sites should be high availability – not to mention their other idiocy.
  • At least security sensitive stuff should generally enforce https, or at least support it. And yes, also with valid good strong SSL certs. and their ilk/history generally blows it. So, at some point, became, and highly recently, became My login information I’d saved, was still for … whatever, go to, redirects to, redirects to down for maintenance page. Retry some hours later … and look a bit more closely. – certificate expired (like what, they can’t spend the $10.00 USD per year or so or can’t even bother?). So, if I ignore the expired cert bit, I then find it’s also incorrect cert – the site cert is not for, but for Not okay, whatever, so they suck, blow through that and see what’s next … I find both and do a 301 (“permanent”) redirect – drops the https when redirecting from https. Yet another screw up. So, let’s pick up at – egad, idiots! – yet another cert error – the cert on that site is for, not for So, if we blow past that error, their next idiocy – surprise surprise, yes, they redirect again, but this time only 302 – “temporary” (like what, they’re really planning to bring back after they’ve already effectively announced their killing of it?) – but not only that, it redirects from https, again to insecure straight http … on the site. And if you go to their login/sign-in page … it’s http … though one can manually force it to use https, but everything on their site defaults to http, and often links back to http, not https.
  • So, finally login on their site and … Do a rough, disruptive transition. became – whatever – not sure how long ago that was, and then highly recently, became Everything that was good/unique/interesting with (and possibly also – not sure when that change was) is gone (quite unique question/answer forum & community, etc.), and it’s all been replaced with yet another dating/matchmaking site – pretty much a wannabe – at least as far as I can tell – but a much more stupid, limited version thereof – basically a half-hearted attempt … well, really, not even anywhere close to half, … more like 5 to 10% effort – if even that. A sucky poor version of what they apparently wanna be, and they dropped everything that was relatively good with what they are. Yep, that’d be a way to kill a business and be stupid and tick off customers/users.
  • So, what the hell, on the site, haven’t logged in in a long time, … not even sure when I last changed password on site, … let’s change password – and, bloody thing defaults to http – so manually force it to https. So, navigate to the password change section, paste in old password, and new password and a second time for confirmation, click the CHANGE button and … nothing. WTF? Click it a whole bunch more times … nothing. Did it change it? Hell if I know. Let’s check. Logout. Try login with new password, it fails – and they also so very unhelpfully and misleadingly, give a message that they’ve emailed me a link to instantly log in – bloody hell, the password change didn’t take, *and* they send me in clear plaintext unencrypted email a URL to instantly login – I requested no such email – after all, that’s what the dang “I forgot my password” links are for, right? But I’d clicked no such link. Whatever, I try the login another time or two – same damn message each time about it sending me an email … oh, which by the way they sent no such emails – so they’re not even consistent with what they say. Bloody heck. So, … try old password again … it authenticates. Try the password change exercise a few more times – each time, same results. Yet another time with the password change interface … and I eventually figure out if one pastes the data in the fields it ignores it – damn friggin’ idiots. Don’t they know smart secure folks use password management, and pick good strong secure passwords, and typically don’t type the damn passwords in? E.g. a typical password of mine might look like yflflwx0)7+CvT0t7y*g … oh, and “of course”, would be different for every friggin’ site, account, etc. – you don’t think I actually memorize and type all those in, or even manually type ’em every time? 
Now, if my password was something stupid like “secret” and I used it on every friggin’ site, maybe I’d type it … or program it into a hot key on the keyboard or such … but I’m not that stupid nor insecure. Anyway, so, have to actually type the passwords in – or, well, at least the last character of each string – bloody annoying … anyway, do that, and looks like it finally takes it – even has one of those “password strength” indicators – okay, so that very last bit not exactly bad. But then [insert drum roll] click the CHANGE button and …: Internal Server Error – Read The server encountered an internal error or misconfiguration and was unable to complete your request. Reference #3.4d42ddc2.1449152193.16f5aa53 UGH! You gosh darn idiots! Sites ought to be able to take secure passwords – that means at least arbitrary ASCII printable characters plus the [space] character, and if not arbitrary length, at least quite long – e.g. preferably at least 20 or more characters, and preferably quite a bit more than that (some folks use quite long passphrases), and certainly don’t limit it to something quite short (e.g. limiting to 8 or fewer is generally quite bad). And if one has some specific limitations – e.g. can’t take certain characters, or only allow certain characters, or has some minimum, or maximum, or must have some other construction rules – then preferably state those restrictions up front before one enters the new password (i.e. before one has bothered to pick or generate one that doesn’t satisfy the site’s limitations), and if one can’t do that, at least after rejecting a password, state exactly why. But bloody hell, don’t just friggin’ outright fail. Idiots. That generally indicates flawed – and often vulnerable – code. Oh, geez, and with password input – a security sensitive area? Trust these guys? I wouldn’t trust ’em any further than I could spit ahead of me in a 100 MPH headwind. 
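The redirect and certificate mess in the second bullet is the kind of thing a site operator can catch mechanically before users do. The following audit is an added example written for this post, not code from the site being described: it walks a recorded redirect chain and flags an expired certificate, a certificate issued for the wrong name, any redirect that drops from https to http, a “temporary” 302 used for a move to another host, and a chain that ends on plain http. The hostnames, dates and the `Hop` record are constructed stand-ins; a real run would fill the hops from a client that follows redirects and records the served certificate at each https hop.

```python
"""Audit a recorded HTTP redirect chain for the failure modes a site migration tends to introduce."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    """One request in the chain, as observed by the client (constructed record, not a real library type)."""
    url: str                              # URL that was requested
    status: int                           # HTTP status returned
    location: str = ""                    # Location header, if the response was a redirect
    cert_names: tuple = ()                # names the served certificate is valid for (https hops only)
    cert_not_after: Optional[datetime] = None  # certificate expiry (https hops only)


def name_matches(hostname: str, cert_names) -> bool:
    """True if hostname is covered by one of the certificate names (exact, or a one-label wildcard)."""
    host = hostname.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        # '*.example.test' covers 'www.example.test' but not 'example.test' or 'a.b.example.test'
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def audit_chain(hops, now: datetime):
    """Return a list of human-readable findings; an empty list means the chain looks clean."""
    findings = []
    for hop in hops:
        src = urlparse(hop.url)
        if src.scheme == "https":
            if hop.cert_not_after is not None and hop.cert_not_after < now:
                findings.append(f"{hop.url}: certificate expired on {hop.cert_not_after.date()}")
            if hop.cert_names and not name_matches(src.hostname, hop.cert_names):
                findings.append(
                    f"{hop.url}: certificate is for {', '.join(hop.cert_names)}, not {src.hostname}")
        if hop.status in REDIRECT_CODES:
            dst = urlparse(hop.location)
            if src.scheme == "https" and dst.scheme == "http":
                findings.append(
                    f"{hop.url}: {hop.status} redirect downgrades https to http ({hop.location})")
            if hop.status in (302, 307) and dst.hostname != src.hostname:
                findings.append(
                    f"{hop.url}: temporary {hop.status} used for a move to another host ({dst.hostname}); "
                    "a retired host should redirect with 301 or 308")
    if urlparse(hops[-1].url).scheme != "https":
        findings.append(f"chain ends on plain http: {hops[-1].url}")
    return findings


# Constructed sample reproducing the pattern described in the post: the old host serves an expired,
# misnamed certificate and 301-redirects to plain http; the intermediate host (https forced by hand)
# has a certificate for a different domain and 302-redirects, again to plain http.
NOW = datetime(2015, 12, 3, tzinfo=timezone.utc)
SAMPLE_CHAIN = [
    Hop("https://old.example.test/login", 301, "http://mid.example.test/login",
        cert_names=("www.other.test",), cert_not_after=datetime(2015, 9, 1, tzinfo=timezone.utc)),
    Hop("https://mid.example.test/login", 302, "http://new.example.test/sign-in",
        cert_names=("*.other.test",), cert_not_after=datetime(2016, 6, 1, tzinfo=timezone.utc)),
    Hop("http://new.example.test/sign-in", 200),
]

# A clean migration for comparison: https end to end, correct names, permanent redirect.
CLEAN_CHAIN = [
    Hop("https://old.example.test/login", 301, "https://new.example.test/login",
        cert_names=("old.example.test",), cert_not_after=datetime(2016, 6, 1, tzinfo=timezone.utc)),
    Hop("https://new.example.test/login", 200,
        cert_names=("*.example.test",), cert_not_after=datetime(2016, 6, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN, NOW):
        print("FINDING:", finding)
    print("clean chain findings:", audit_chain(CLEAN_CHAIN, NOW))
```

Running this as a scheduled job against every legacy hostname, old and new, and alerting on any finding is a cheap way to make sure a cutover never ships with a downgrade or a stale certificate.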
What a crap site.
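The password-change bullet above boils down to three requirements: accept any printable ASCII character including space, allow generous lengths, and tell the user the rules up front and the exact reason on rejection instead of throwing a 500. This is an added example, not the site’s code: a small change-password flow that publishes its policy, returns every reason a candidate fails, and stores the accepted password with PBKDF2 so that characters like `)`, `+` and `*` never reach a layer that might choke on them. The minimum and maximum lengths are assumptions chosen for the example; the sample password is the one quoted in the post.

```python
"""Change-password flow that states its rules and rejects with reasons instead of failing."""
import hashlib
import hmac
import os
import string

MIN_LEN = 12          # assumed floor for this example
MAX_LEN = 256         # assumed ceiling; long passphrases must fit
PBKDF2_ROUNDS = 600_000
# Every printable ASCII character, including space, is allowed; only control characters are not.
ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")


def policy_text() -> str:
    """The rules, to be shown on the form before the user picks a password."""
    return (f"Passwords must be {MIN_LEN} to {MAX_LEN} characters long and may contain any "
            "printable ASCII character, including space and punctuation.")


def check_new_password(pw: str, old_pw: str = None) -> list:
    """Return every reason pw is unacceptable; an empty list means it is accepted."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"too short: {len(pw)} characters, minimum is {MIN_LEN}")
    if len(pw) > MAX_LEN:
        reasons.append(f"too long: {len(pw)} characters, maximum is {MAX_LEN}")
    bad = sorted({c for c in pw if c not in ALLOWED})
    if bad:
        reasons.append("contains disallowed characters: " + ", ".join(repr(c) for c in bad))
    if old_pw is not None and pw == old_pw:
        reasons.append("new password must differ from the current one")
    return reasons


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the password is treated as opaque UTF-8 bytes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def change_password(stored: tuple, old_pw: str, new_pw: str) -> tuple:
    """Return (True, new_stored) on success or (False, reasons) on rejection.

    The old password is checked first so a wrong current password is reported
    as such, never as a silent no-op."""
    salt, digest = stored
    if not verify_password(old_pw, salt, digest):
        return False, ["current password is incorrect"]
    reasons = check_new_password(new_pw, old_pw)
    if reasons:
        return False, reasons
    return True, hash_password(new_pw)


if __name__ == "__main__":
    print(policy_text())
    account = hash_password("secret")                      # weak starting password, constructed
    ok, result = change_password(account, "secret", "yflflwx0)7+CvT0t7y*g")
    print("change accepted:", ok)
    print("weak candidate:", check_new_password("secret"))
```

Note that the validator is the only place that knows the rules, and `policy_text()` is derived from the same constants, so the message shown before entry and the reasons given on rejection cannot drift apart.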