Troy Hunt: Lessons in website security anti-patterns by Tesco # MUST-READ analysis by somebody who gets it
Comments
2 responses
-
There are *FAR* worse offenders, notably the internet dating company which runs many sites including “Seek A Geek”. Every time they send you an e-mail they helpfully send you both your username and password in plain text. Not only this but they also supply a link which automatically logs you in. How convenient!
Of course, this is a company which takes your credit card details to charge you for the service and prides itself on the security in the Ts & Cs.
P.S. I wouldn’t suggest that you try creating an account to test this other than with a throw-away e-mail account as it’s impossible to unsubscribe totally or fully delete your account.
-
*Really* good analysis, that.
My own favourite bugbear (password format restrictions which prohibit the use of various flavours of well-considered password) gets a good airing. I’ve seen worse offenders, here; at least Tesco states what its passwd requirements are. The worst ones return an error that “passwds don’t match”, even if they do, if they contain characters they don’t like.
One thing which wasn’t mentioned at all, interestingly, was the nature and provenance of the SSL certificate. There are whole further classes of fun to be had, in that neck of the woods. However, there are many more major issues to be gone after here, and they are.
The mixed http / https and cookies observation is well made; my view is that it’s one of the attendant evils of http being a lightweight, stateless protocol. I’d have liked to have seen something more session-persistent alongside or incorporated, when http first came out; hopefully (and after a long wait) SPDY will be it.
Oh, and trace.axd is a completely new one, on me; I haven’t heard of it before. Maybe this is because they’re running on IIS – or, as it used to (and may still) be known in the great GNU tradition of self-referential acronyms, “IIS Isn’t Securable”.
Hats-off to Mr Hunt for writing this; I think I’ll be reading more from him, in future.
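The password-restriction anti-pattern the comment above describes (a site that rejects perfectly good passwords because they contain characters it does not like, and then reports the rejection as “passwords don’t match”), as an added example that is not part of the original post or either comment. The restrictive validator is constructed to mirror the behaviour complained about, not taken from any real site; the length-based validator beside it accepts any printable character, enforces only length and a control-character check, and tells the user the actual reason for a rejection. Password samples and limits are constructed for the demonstration.

```python
"""Password-policy validators: the restrictive anti-pattern beside a length-based policy.

Both validators return (accepted, message) so the caller can show the message
to the user. Nothing here is taken from a real site; the restrictive one is a
constructed stand-in for the behaviour described in the comment.
"""
import re
import unicodedata

# Anti-pattern (constructed): a whitelist of letters and digits, a short
# maximum length, and one misleading error for every kind of failure.
RESTRICTIVE_ALLOWED = re.compile(r"^[A-Za-z0-9]{6,10}$")


def restrictive_policy(password: str, confirmation: str) -> tuple[bool, str]:
    """Rejects spaces, symbols and long passphrases, and blames the user for a
    'mismatch' even when both fields are identical."""
    if password != confirmation or not RESTRICTIVE_ALLOWED.match(password):
        return False, "passwords don't match"
    return True, "ok"


def length_based_policy(password: str, confirmation: str,
                        min_len: int = 12, max_len: int = 128) -> tuple[bool, str]:
    """Accept any printable character (including spaces and non-ASCII),
    enforce only a length range, and report the real reason on rejection.

    NFC normalisation is applied so that the same visible string typed on two
    systems (composed vs. decomposed accents) is counted, and later hashed, the same way.
    """
    if password != confirmation:
        return False, "passwords do not match"
    normalized = unicodedata.normalize("NFC", password)
    n = len(normalized)
    if n < min_len:
        return False, f"password must be at least {min_len} characters (got {n})"
    if n > max_len:
        return False, f"password must be at most {max_len} characters (got {n})"
    # Unicode general category 'C*' covers control, format and unassigned
    # code points, which have no business in a typed password.
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        return False, "password contains control characters"
    return True, "ok"


# Constructed candidates: each is a well-considered password of some flavour
# that a character whitelist would throw away.
SAMPLE_PASSWORDS = {
    "passphrase_with_spaces": "correct horse battery staple",
    "symbols_and_length_20": "Tr0ub4dor&3-more-text",
    "non_ascii_letters": "pässwörd-mit-ümlauten-2012",
    "too_short_for_either": "abc123",
}


def compare_policies(candidates: dict[str, str] = SAMPLE_PASSWORDS) -> dict[str, dict[str, tuple[bool, str]]]:
    """Run every candidate through both validators (entered identically in
    both fields) and return the verdicts side by side."""
    results = {}
    for name, pw in candidates.items():
        results[name] = {
            "restrictive": restrictive_policy(pw, pw),
            "length_based": length_based_policy(pw, pw),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:24s} restrictive={verdicts['restrictive']}  length_based={verdicts['length_based']}")
```

The point the comparison makes is that the restrictive validator rejects three of the four well-formed candidates and, for every one of them, tells the user the two fields differ when they do not; the length-based validator accepts all three and only turns away the short one, saying why.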