Fire Ant Security

As a customer of a large web hosting company I expect a certain level of security. With this assumption I used their web mail service for months without actually validating the level of security they offer for this service. One cloudy day I just happened to be looking through my browser history and what do I see? My username and password in the URL string.

HTTP://www.company.com/login.php?account=foobar@foobar.co.uk&password=Password1234

Absolutely astounded that in 2010 the password is sent as part of the URL clearly visible to anyone with access to the browser history I tweeted something like “#company = #securityfail password in the URL, please!”. With this now out there on twitter not knowing who might respond within minutes the web hosting company responded and asked that I email them my issue and they would follow it up.

With nothing to loose I wrote up a quick statement how SSL should be the standard and the password should never be in the URL I fired it off to the social media representative. With that done I went back to the daily grind forgetting that I ever sent the email.

Several days later I got a response from the social media rep stating that they had changed the code of the web mail system so that the URL does not contain the password. So here I am writing this blog post thinking that maybe social media isn’t a complete waste of time and that some companies do care.

As the for the security of the web mail system, they still don’t use SSL on the login page and the password is passed in the clear in the HTTP header. Web hosting provider…..must try harder next time.

So here it goes, a rant about bad website design. People, it’s 2010, why oh why oh why have you not sorted out your web forms.

So I regularly purchase stuff of the Internet so I am used to filling in web forms regarding payment details and I noticed that still to this day, some 20 years after the invention of the WWW, very few websites actually have intuitive web forms. The rest of the website is usually some flashy piece of work however I am still bugged the same issues.

Country
Why do you insist on giving me a list of 200 freaking countries to sort through. Do you think you could detect where I am browsing from and maybe auto-populate that in the list control, perhaps somewhere near the top? With the rise in geo-location software you can but you can’t be bothered. You don’t consider this part of the user experience. by the way, does anyone from Afghanistan buy from your website?

I Live in London London
This is one that annoys me the most. All you UK developers, I live in London, why on earth do you insist on me providing a county? London is not in any county. On a few occasions I have been restricted to putting my county in as Middlesex (technically the nearest county to me) just to purchase something. On other occasions I have to type my county in so I have an address of London London.

Please think when designing these forms and stop copying the same old shite that’s used everywhere else. Think intuitively, think independently.