Raising awareness about basic web security

Disclaimer: I am not a certified or experienced security expert, but the issues raised in this entry have been repeated many times by many other security experts and are so easy to solve. Yet these problems constantly resurface.

Over the past ten years, our lives have increasingly moved to the web. Unless you are completely computer illiterate or live in an extremely rural area with no internet access, chances are you have used computers and done some stuff online.

With that, the security of any website that collects user information, including passwords, is of utmost importance. At the minimum, sites that need users to log in with some kind of username and password should use HTTPS throughout. Even HTTPS is not perfect. There should be additional security mechanisms in place, such as encrypting the username and password even before they reach your web server.

I’m not going to claim that I am a security expert, but there are just some things that irk me when it comes to the implementation of web security by some local sites.

So let’s take a look at some exhibits.

Exhibit A: VR-Zone

VR-Zone is one of the more popular tech sites and comes with a forum. I stopped using the site ever since I noticed that they don’t implement HTTPS at all for their forums.

And to think that the login page is just a div modal on the forums. It’s obvious when you mouse over the login button: the target shows at the bottom of the page.

So after you click it, the login dialog pops up.

Now let’s take a look at the source for the dialog box. Look at the section I’ve highlighted.

I’m confused. Is it because the password is MD5-hashed on submit that the site owner thought HTTPS isn’t necessary? Even so, an MD5 hash is obsolete in this day and age. I can just use any off-the-shelf CPU and brute force the password once I have sniffed the traffic between the browser and the server. Not having HTTPS makes all of that so much easier.

Now let’s assume that the site owner wakes up and decides the whole site should use HTTPS.

But the protocol for the form action is hardcoded to HTTP instead of using a relative path. Using a relative path would automatically ensure the form submission uses whatever protocol the original page was loaded with.

Put it this way: humans make mistakes and are near-sighted. Therefore, there is a chance that people forget to clean up their code or that the site owner doesn’t give a shit. Besides, not all web developers are good at their job, and when they are rushing to meet a deadline, security isn’t even one of the priorities. Then combine that with the fact that Singapore is particularly famous for outsourcing instead of getting the right people for the job… See where I’m going with this?

I don’t even know how the site owner stores user credentials or data. Since the “security” of the site is almost non-existent, I doubt the security of the backend components. Also, vBulletin is well known for having a fairly long list of security issues. Some of my personal data has been leaked in the past as part of data breaches of forums that use vBulletin. Here you can see the number of security flaws or bugs found in the software.

I also found at least one piece of feedback about this HTTP/HTTPS issue in the forum itself. So I’m not the only one.

Login Information under http not https

The post was made in April and there has been no response from the site owner, so it looks like the security of user data is not the main concern. Also, I’m assuming the site is hosted in Singapore. If that’s the case, they could, and I mean could, be in breach of the Personal Data Protection Act.

Exhibit B: Hardware Zone

Hardware Zone is owned by Singapore Press Holdings. I expected the security to be better than most sites hosted in Singapore.

The main page does not use HTTPS.

The forum does not use HTTPS.

When you hover your mouse over the login icon.

This is what you get. You will be redirected to an HTTPS page to log in.

Since the main site is not protected by HTTPS, it would be relatively easy to modify the page content before it is sent to your browser. Some malicious person may just decide to change the login URL and present you with a lookalike login form. You enter your login credentials and that’s it. Considering that Hardware Zone does collect personal information such as your age, address, name and much more, if hackers do manage to steal your login credentials, well, it means problems for you.

The login form itself is protected by HTTPS.

Let’s look at the source code.

At least they used a relative path for the form action. It looks like the MD5 hashing is a default thing for vBulletin. But still, MD5? It’s time to seriously look into SHA-256 or SHA-512.
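As an added example (not code from this post or from vBulletin), the unsalted MD5 the form computes on submit is shown next to a server-side password hash that uses SHA-256 properly, with a random per-user salt and many iterations (PBKDF2-HMAC). The storage format and iteration count are this example’s own choices.

```python
# Added example, not vBulletin's code: the unsalted client-side MD5 seen
# in the form source beside the server-side scheme it should be replaced
# with, a random per-user salt plus iterated SHA-256 (PBKDF2-HMAC).
# The "$"-separated storage format and iteration count are this example's own.
import hashlib
import hmac
import os

def client_side_md5(password):
    """The on-submit step from the page source: bare MD5, no salt, no TLS.
    Anyone capturing the request gets a value as good as the password itself,
    and two users with the same password produce the same hash."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, salt=None, iterations=200_000):
    """Server-side hash: per-user random salt, iterated SHA-256 via PBKDF2."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The salted hash has to be computed on the server, so it does not remove the need for HTTPS: whatever the browser sends, hashed or not, is what an eavesdropper on a plain-HTTP connection captures.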

After you log in, however, you are redirected back to HTTP again. Even when you access your user profile, it’s on HTTP too. This is like a half-hearted attempt at HTTPS. Shame on you, SPH.

Thoughts about Microsoft Build 2017

Well, I’m late to the party. Other news sites, bloggers, and vloggers have all covered it and have their own thoughts about it. I’m going to do my own take on it, covering only the features that I’m interested in.

For those who don’t already know, Microsoft held an event in Seattle from May 10 to 12, 2017 that introduced to the world a whole bunch of new things for Windows 10 that we all should be excited about, and by that I mean techies.

To summarize, during the event Microsoft pointed out several ongoing trends that most of us already know about: the rise of IoT devices, artificial intelligence, and serverless architecture. They also talked about what they are doing regarding those trends: digging in deeper and delivering better solutions or services that customers need.

I’m more interested in their new Fluent Design. User experience and graphics are important to me (though I can’t really draw very well). Microsoft has attempted over the past decade to deliver a nice interface. They introduced Aero with Windows Vista, which was a massive flop: it was slow and sluggish. I’ve personally used it and didn’t really like it. Then came Windows 7, where they improved Aero. It was much snappier and still looked great.

Then came Windows 8, where they introduced what was known then as the Metro design, subsequently known as Modern UI and then Microsoft Design Language. I personally liked it more than the pseudo-3D of Aero in Windows 7 because it is simple and minimalistic. It was improved in Windows 8.1 and then in Windows 10.

However, the biggest gripe about Microsoft’s Windows was that the user interface isn’t consistent. There are some glaring defects that any good user interface designer should pick up on and fix. Then there is the fact that there are thousands, if not millions, of applications that run on it, many of which are legacy applications whose user interface hasn’t been updated in ages. On the other hand, web user interfaces have gotten so much better, though every webpage is starting to look like every other due to the extensive use of common frameworks like Bootstrap.

With Fluent Design, Microsoft aims to make Windows look great. As a design language, it has five main features:
1. Light
2. Depth
3. Motion
4. Material
5. Scale

You can read more about the Fluent Design System here.

When you combine all five of them properly in your application, the experience the user gets will be so much better, richer and more immersive. This design language is, I believe, partly due to the increased use and popularity of mixed-reality devices.

As someone who has been using Apple for more than a year and has already bought into the ecosystem, I’m somewhat excited to see what future applications made for Microsoft Windows will look like and how they will affect the way we as users interact with our devices. My concern is that there is always the issue of third-party developers not ensuring their app is consistent with the overall look and feel of the version of Windows running on the user’s computer.

Right now, the Fluent Design System is implemented in a somewhat beta form in the Insider builds of Windows 10. If you are interested, you can download that and try it. Until it is released fully and used by many of the applications on Windows, I will stick with the experience I’m getting from Apple’s ecosystem.