Security

Superbalist’s Not So “Super” Security

UPDATE (December 5, 2016)

So I thought I would revisit this issue today by having a look at Superbalist’s website.

I can happily confirm that Superbalist’s website now defaults to SSL-enabled HTTP connections. YAY!

Out of interest, I thought I’d take a look at their mobile apps…

I fired up my local web proxy and had a look at the traffic generated by the Android app.

Long story short, Superbalist’s Android app does not encrypt any customer authentication data sent to their servers.

Here’s a screenshot of my web proxy inspecting the user authentication request:

[Image: superbalist-android-no-ssl]

So it would seem that lightning CAN strike the same place twice.

Maybe I can make it a hat-trick by having a look at their iOS app…


Following on from my previous post, I thought I’d have a look at one of Takealot’s subsidiaries, Superbalist.

I tried accessing https://superbalist.com but I got 302 redirected to http://superbalist.com – so much for browsing securely…

I then turned my attention to their login modal (see Figure 1).

[Image: superbalist-login-modal]

Figure 1. Superbalist login modal (popup)

I tried entering in a random email address (test@test.com) and password (test). I received a revealing response from their server (see Figure 2).

[Image: superbalist-password-incorrect]

Figure 2. Revealing response from server

So what is so revealing about the server response? It’s telling me the password is incorrect. So what, right!? But look at what it’s not telling me. It made no reference to the validity of the email address. This suggested that the random email address I entered was valid. I needed to know if this was indeed the case, so I tried another very random email address (see Figure 3).

[Image: superbalist-email-address-check]

Figure 3. Email address validation

My suspicions were confirmed when the server responded with “The email address does not exist”. I re-entered the “test@test.com” email address and no error message was displayed. I knew then that I had unwittingly discovered a valid login email address. This could be used as a means to check if a given email address is registered on the website. This may not be a critical issue, but this is valuable data for a malicious user, i.e. a hacker.
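The two server behaviours described above, side by side, as an added example that is not Superbalist's code: the leaky handler answers differently depending on whether the email exists, while the hardened one returns a single generic message and does the same hashing work on both paths so that neither the message nor the response time acts as an email oracle. The user store, passwords and salt are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample user store (email -> (salt, PBKDF2 hash)); not real customer data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown email still costs one PBKDF2 computation (timing parity).
_DUMMY = (_SALT, _hash("dummy", _SALT))

def login_leaky(email: str, password: str) -> str:
    """Mirrors the behaviour seen in Figures 2 and 3: the error message tells
    the caller whether the email address is registered."""
    if email not in USERS:
        return "The email address does not exist"
    salt, expected = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return "The password is incorrect"
    return "OK"

def login_hardened(email: str, password: str) -> str:
    """Same credential check, but every failure path returns one generic
    message and performs the same amount of work."""
    salt, expected = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), expected) and email in USERS
    return "OK" if ok else "Invalid email address or password"

if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(fn.__name__, "|", fn("nobody@example.com", "x"), "|", fn("alice@example.com", "x"))
```

Rate limiting on the login endpoint is still needed; the generic message only removes the direct oracle.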

Now for the really interesting part: form submission.

It is important to have all user authentication fields (in this case, email address and password) transferred over an encrypted connection. Since the internet is a public network, there’s no guarantee that your “in transit” information will be kept private. It is essential to keep sensitive information encrypted to ensure confidentiality and integrity. Generally speaking, encrypted connections will have URLs beginning with “https://”. Non-encrypted connections typically have URLs beginning with “http://”.

Looking at the source code of the login form revealed that Superbalist seem to be sending the login credentials over a non-encrypted connection. Looking at the blue highlighted line in Figure 4, it’s clear to see the destination URL of the form (http://superbalist.com/users/login) begins with “http://”.

[Image: superbalist-form-source]

Figure 4. Superbalist login form source code

Opening up the Developer Tools window in Chrome confirmed the request URL begins with “http://” (see Figure 5). The remote address also ends with “:80”, which means the connection is on port 80 of the web server, the default port for non-encrypted web traffic. The standard port for encrypted HTTP traffic is 443.

[Image: superbalist-form-request-general]

Figure 5. Chrome Developer Tools connection info for Superbalist login form

So if my observations are correct, Superbalist are not encrypting their customers’ login data. I would be more than happy to have someone at Superbalist challenge me on this observation.
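The check behind Figure 4, as an added example (not code from the post): it parses a page, finds every form that contains a password field and reports those whose resolved action URL is not https://. Relative and scheme-relative actions are resolved against the page URL, which matters here because the 302 redirect to http:// means even an action of "/users/login" would submit in the clear. The sample markup is constructed to resemble the post's form, not copied from the site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAuditor(HTMLParser):
    """Records every <form> on a page together with the names of its password inputs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url   # used to resolve relative and scheme-relative actions
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "method": a.get("method", "get").lower(),
                             "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type", "").lower() == "password":
            self._current["password_fields"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_cleartext_credential_forms(html, page_url):
    """Action URLs of forms that collect a password but would submit it without TLS."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [f["action"] for f in auditor.forms
            if f["password_fields"] and urlsplit(f["action"]).scheme != "https"]

# Constructed sample markup modelled on Figure 4; not the real Superbalist page.
SAMPLE_PAGE = """
<form method="post" action="http://superbalist.com/users/login">
  <input type="email" name="email"> <input type="password" name="password">
</form>
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="https://secure.example.com/login"><input type="password" name="pw"></form>
"""

if __name__ == "__main__":
    print(find_cleartext_credential_forms(SAMPLE_PAGE, "https://superbalist.com/"))
```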

Let the games begin…

Security

Takealot Security Issue

So I decided (this morning) to do some more research on SSL encryption and its effect on website security and performance.

I tend to use Takealot.com as my default website for checking security compliance and performance. If any South African website should be up to date with international security standards, it should be South Africa’s largest e-commerce retailer, Takealot.

I invite you to click on this link (https://www.takealot.com/) to view the Takealot home page over an encrypted connection.

If you’re using Firefox, you should be presented with a screen looking something like this:

[Image: takealot-ssl-error]

Not only has the SSL certificate expired (on June 13th, 2015), but it is also only valid for the “www.kalahari.com” domain.

To be fair, the Takealot login link on the home page redirects to https://secure.takealot.com/ which does have a valid SSL certificate. This does not help people like me who would like to browse the website over a secure connection without being signed in.
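The two checks Firefox performed before showing that error, validity period and hostname match, written out as an added example (not from the post). The certificate dictionary is constructed in the shape that Python's ssl.SSLSocket.getpeercert() returns, with the name and expiry date taken from the post's finding; it is not the real certificate, and the wildcard rule in label_matches is my own RFC 6125-style implementation.

```python
import ssl
import time

def label_matches(pattern, hostname):
    """RFC 6125-style name match: a '*' may only stand in for the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN (legacy fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def audit_cert(cert, hostname, now=None):
    """Return the problems a browser would complain about; an empty list means the
    certificate is within its validity period and issued for hostname at 'now' (epoch seconds)."""
    now = time.time() if now is None else now
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired on " + cert["notAfter"])
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid until " + cert["notBefore"])
    if not any(label_matches(name, hostname) for name in cert_names(cert)):
        problems.append("hostname %s not covered by %s" % (hostname, cert_names(cert)))
    return problems

# Constructed dict in the shape getpeercert() returns; the name and expiry mirror
# the post's finding but this is not the real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.kalahari.com"),),),
    "subjectAltName": (("DNS", "www.kalahari.com"),),
    "notBefore": "Jun 13 00:00:00 2014 GMT",
    "notAfter": "Jun 13 23:59:59 2015 GMT",
}

if __name__ == "__main__":
    for problem in audit_cert(SAMPLE_CERT, "www.takealot.com", now=1451606400):  # 1 Jan 2016 UTC
        print(problem)
```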

This may not be a security catastrophe, but it’s an unnecessary blemish on what is most likely a secure shopping platform.

If you have a connection with someone at Takealot, why not send them to this post – maybe they’ll do something about it. 😛

Web Performance

What Google Really Thinks About the Performance of South African Websites

In my quest to do my part in making the South African web faster, I decided to analyse some of my favourite South African websites to see if I could improve them in any way. As a big fan of Google, I decided to use their PageSpeed Insights tool to see what Google thought of the performance of these websites. If you are unfamiliar with Google PageSpeed, it’s a web-based service that analyses a web page (from the perspective of a desktop computer and a mobile phone) and gives it a score out of a hundred. The higher the score, the better. A score below 85 would suggest the web page is in need of optimisation. So with that said, here’s my list of South African websites with their respective scores:

WEBSITE          DESKTOP   MOBILE   AVERAGE
Gumtree             87        80       84
Takealot            85        66       76
Orange              76        72       74
TechCentral         79        68       74
Kalahari            69        76       73
MyBroadband         54        74       64
BandwidthBlog       62        62       62
Gadget              64        54       59
News24              35        76       56
IOL                 47        35       41

Some interesting stats that came out of this analysis:

  1. 70% of the websites had no caching on some or all of their resources.
  2. 40% of the websites had no compression on some or all of their resources.
  3. 60% of the websites had poorly optimised images.
  4. All the websites had scripts and style sheets that blocked the rendering of the page.

These figures suggest that website performance is not a priority for the owners of these websites. Ironically, the worst performing websites in my list (News24, IOL) are also the websites with the most visitors.

I’ve tried emailing some of these companies to see if they’d be willing for me to work with them to improve their websites, for free, yet I have not received a single response.

If you’d like to help me in my quest to make the South African web faster, please share this post (and my blog) with your colleagues and friends so we can bring about more awareness of the inefficiencies that exist within the South African web.

Web Performance

How To Improve Website Speed: Caching

Question: What is the fastest request a web browser can make?

Answer: One that doesn’t need to be made.

Picture yourself coming home late from work – you’re starving, you’re thirsty, you need food. You arrive home and immediately make your way to the fridge. You open the fridge door and see that every shelf and container is empty. In frustration you grab your car keys and head out to the nearest shopping mall to fetch some groceries.

In this analogy the fridge is like your web browser; it stores content. The containers within it are like the cache within your web browser. A cache is simply an area to place content so that it can be accessed more quickly. In this context it is keeping the content closer to the user. You shouldn’t have to make the journey to the food store (destination web server) every time you want some food (web content). You should be able to store some of the food in your fridge so that you don’t have to go out so often. Caching is what enables you to avoid making costly journeys over the Internet to retrieve web content like images, style sheets, and JavaScript files. By storing some of the content within the browser cache, less data needs to be transferred resulting in improved page load times and lower bandwidth costs for both the user and the website owner.

If you’re a website owner, you should check if caching has been enabled on your web server. If it is enabled, make sure expiration periods have been declared for your page resources. The expiration period will inform the web browser when to ask for a fresh copy of the resource. The expiration date is relative to when the first request was made, so although the expiration period will be the same for all users, the specific date a resource expires may be different for each user.

Sample Apache config to enable caching with 1 month expiration period:

<IfModule mod_expires.c>
   # Turn on the Expires and Cache-Control headers generated by mod_expires
   ExpiresActive On
   # Every resource expires one month after it was first requested (its "access" time)
   ExpiresDefault "access plus 1 month"
</IfModule>

This config can be placed within the .htaccess file within the root of your website directory.

Sample Nginx config to enable caching with 1 month expiration period:

location / {
   # Sets both an Expires header (request time + 30 days) and Cache-Control: max-age=2592000
   expires 30d;
}

This config can be placed within the “server” block of your Nginx configuration file (the default is “nginx.conf”).
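To show what those two snippets actually hand to the browser, here is an added example (not from the post) that builds the Expires and Cache-Control headers for a given request time and computes the resulting freshness lifetime the way a browser does: max-age takes precedence, otherwise Expires is taken relative to the response Date. The header builder is my approximation of what mod_expires and the Nginx expires directive emit, and the request times are constructed.

```python
import email.utils
from datetime import datetime, timedelta, timezone

def freshness_lifetime(headers):
    """Seconds a browser may reuse a cached copy before asking for a fresh one.
    Precedence follows RFC 7234 section 4.2.1: Cache-Control max-age wins over
    the Expires header, and Expires is interpreted relative to the response Date."""
    directives = {}
    for item in headers.get("Cache-Control", "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip()
    if "no-store" in directives or "no-cache" in directives:
        return 0
    if directives.get("max-age", "").isdigit():
        return int(directives["max-age"])
    if "Expires" in headers and "Date" in headers:
        expires = email.utils.parsedate_to_datetime(headers["Expires"])
        date = email.utils.parsedate_to_datetime(headers["Date"])
        return max(0, int((expires - date).total_seconds()))
    return 0  # no explicit lifetime: the browser revalidates or falls back to heuristics

def expiry_for_request(headers, request_time):
    """When this particular user's cached copy goes stale: the lifetime counted from their own request."""
    return request_time + timedelta(seconds=freshness_lifetime(headers))

def mod_expires_headers(request_time, lifetime_days=30):
    """Approximation of the headers the Apache/Nginx snippets above produce for a request
    made at request_time: an absolute Expires date plus the equivalent max-age."""
    seconds = lifetime_days * 86400
    return {
        "Date": email.utils.format_datetime(request_time, usegmt=True),
        "Expires": email.utils.format_datetime(request_time + timedelta(seconds=seconds), usegmt=True),
        "Cache-Control": "max-age=%d" % seconds,
    }

# Constructed request times for two users fetching the same resource six hours apart.
ALICE_REQUEST = datetime(2016, 12, 5, 9, 0, tzinfo=timezone.utc)
BOB_REQUEST = ALICE_REQUEST + timedelta(hours=6)

if __name__ == "__main__":
    for who, when in (("alice", ALICE_REQUEST), ("bob", BOB_REQUEST)):
        print(who, "copy expires at", expiry_for_request(mod_expires_headers(when), when))
```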

To keep things simple, I’ve avoided the topic of public caches on the Internet. If you would like to learn more about Apache or Nginx caching configurations and how to control public caches (using Cache-Control headers), visit these Apache and Nginx web pages.

Web Performance

The Real Cost of Poor Website Performance

It has been my experience that website owners have little understanding of how website performance affects the bottom line. In light of this, I’ve pieced together a few infographics from Strangeloop Networks to illustrate some important findings regarding page load times:

[Image: Cost of Web Performance Infographic]

It is incredible to see how page load times can affect revenue and traffic. Here’s a table of some of the results listed by the companies mentioned in the infographics:

COMPANY     IMPROVEMENT    RESULT
Amazon      100ms          Increased revenue by 1%
Mozilla     2.2 seconds    60 million more Firefox downloads per year
Shopzilla   4.8 seconds    Increased revenue by 12%, page views by 25%
Yahoo       400ms          Increased traffic by 9%

These numbers might not look like much, but if you’re a multi-million Rand e-commerce website owner, you may want to think again about your web performance budget! Even if you’re only running a small non-profit website, the increased traffic may be what you need to get more exposure and support.
