NRMA insures Internet Explorer users

It’s official, NRMA, an Australian insurance company, won’t give you a quote for travel insurance unless you use Internet Explorer.

NRMA insures Internet Explorer users

Personally, I find this discriminatory. I’m not sure if there are laws to protect potential customers from discriminatory behaviour (there are if you’re a potential employee, and might be if you’re an existing customer).

I did the neighbourly thing and sent a message to them using their feedback form and will update this site if I hear back from them.


Leave a Comment

WebEx takes credit cards insecurely!

A colleague of mine just tried signing up for a WebEx service. When he got to the “Please enter billing and credit card information” section, he noticed a funny symbol in the bottom of FireFox: firefox_partially_secure.png

This symbol means “partially secure” and we got to wondering why this came up. Now I’m not sure this is the reason, but here’s the worrying thing we discovered:

Click the image for the big picture. What you can see there is the form information as displayed by the Web Developer Toolbar, and if you look at the top left of the form, you’ll see it’s submitting to http, which means your credit card details are being sent without encryption!
Needless to say, my colleague did not complete the process and WebEx may have lost a sale.

Leave a Comment

Queensland Holidays

I entered a comp to win a holiday in Queensland a few months ago and got a promo email today. At the end of the email was a "follow this link to unsubscribe" link, and I did just that.

Now usually, that will take you to a page that says "You're unsubscribed". At worst, it might ask for my email address (although that information could have been passed to the page from the link in the email).

This site, however, decided that it would ask for an email address, and then send me an email with instruction on how to unsubscribe!

I just got this email:

Hi Ben,

You have requested to remove your subscription from the Queensland Holidays mailing list.

To confirm your request, please visit this link within 14 days.

This message was automatically generated by the Queensland Holidays mailing list.

I was half expecting to follow the link and be asked for my email address again, but luckily it just told me my subscription has been removed. Phew!

Leave a Comment

Friends Reunited

Friends Reunited Password

Friends Reunited show your password in clear text on an insecure (HTTP) page.

I emailed them to tell them I was concerned, and was reassured (unfortunately I can’t find the email any more) that the page was perfectly safe, as you’d need my password to get there in the first place.

I replied to tell them that the password was being displayed clear text on a page that had not been secured with an SSL certificate, and hence the whole HTML page was probably cached on a number of servers in-between (such as my ISP’s). No further response was forthcoming.

Leave a Comment

A new site was born

I’ve been seeing a few too many sites that annoy me recently. I’m not talking about ones that don’t render properly in my browser of choice or have awful design elements. I’m talking about those that use, or have applied for, software patents. I’m talking about sites that don’t have stong security mechanisms in place.

Software Patents

I’ll probably write a more detailed description of what they are, why they’re bad and just don’t work later. For now, suffice it to say that they are bad, and I won’t use anyone’s system if they entertain ideas to the contrary.

There is only one way I could accept software patents, and that is if they are applied for and then released to the public domainfor anyone to use. This would stop someone else from applying for a software patent and using it for evil.

This is a real pain in the neck. My first example shows my password in plain text on a web page that isn’t secure.

Other security issues are sites that send you your username and password in the same email. Or those that email you a password, and your email address is your login name. Passwords should never be sent in clear text. Ever!

Am I perfect?

Hell no – I’ve done these things, and they’ve come back to bite me. This is why I’m so aware of why they are bad things to do. Everyone makes mistakes and hopefully learns from them. I hope to pass this knowledge on to you, the reader, and hopefully also the owners of the websites concerned.

I’ve not stopped learning, and hope to learn more through running this site. I welcome submissions from anyone – check out the Submit a Shameful Site page for more details.

That’s all for the first post…

Leave a Comment