Zit Seng's Blog

A Singaporean's technology and lifestyle blog

NDP Website an Embarrassment

I don’t normally want to criticise websites, but I’ve heard so many complaints about our National Day Parade (NDP) website and I can’t help but agree with them. It’s almost a national embarrassment that a country with such advanced and developed infocommunications capabilities could not find someone better to showcase its most important national event on the Internet.

Screen Shot 2014-05-18 at 8.29.28 am

It’s not even just one aspect where the NDP website is failing. There are problems with security and privacy, design and layout, HTML coding, and more.

Let’s start with security and privacy. It’s one of the biggest thing on the Internet that everyone is concerned about. You see, the ticket balloting submission, in the sub-site http://eballot.ndp.gov.sg/, does not use SSL to encrypt its web communication. They are going to ask people to submit private personal information, but they don’t think to use encryption on their website. Really?

Screen Shot 2014-05-18 at 5.49.09 am

As you can see above, the form data is submitted in a plaintext HTTP POST. Adding SSL is such a simple thing to do, but apparently there was no one on their team with even some basic common sense to think about it.

The personal data comprises full name, telephone number, and NRIC number. Our government frequently talks about Internet security, data protection, and most recently the Personal Data Protection Act (PDPA) which will become fully enforced from 1 July 2014, yet the NDP website doesn’t think about their basic sense of responsibility to protect the transmission of personal data. Sure, sure, I know, the government is excused from the PDPA.

I’m not done with security. Have you heard about SQL injection attacks? Unvalidated input? Well, the fellows behind the NDP website seem to know a little bit about that. They decided to be so paranoid about restricting input that your name, for example, is only permitted to contain alphabets and spaces. So, I’m very sorry, Singaporeans with See-Toh or Aw-Yeong family names, you are not permitted to join the ballot. The same goes for those who chose fancy names like D’Souza. Similarly, Nagaratnam s/o Subramaniam and Rajadarshini d/o Balakrishnan, you can’t be in the running either. Whoever wrote the specs for this app ought to be fired.

The HTML coding of the NDP website is also nothing short of atrocious. Totally embarrassing. 176 errors according to the W3C’s Markup Validation Service.

Screen Shot 2014-05-18 at 9.18.12 amYes, there are no doubt many repeats of the same type of error. But there are plenty of examples showing a complete lack of grasp of basic HTML. Or perhaps a total disregard for writing proper HTML. Whichever way, this says so much about their level of professionalism.

Let’s talk about site design. Oh dear, where do I start. At the top navigation bar, as you mouseover its various links, they become highlighted as you’d expect. However, the drop-down panel is completely the same. It’s the same because the drop-down panel is already populated with all the 2nd level navigation links. Then, in that case, there’s no need for so many individual entries in the top-level navigation eh?

Screen Shot 2014-05-18 at 6.08.06 am

Next, let’s talk about those greyed out links. Sure, I can understand it may be far too early before the actual NDP event, so some of the links may not yet be relevant. For example, they may not be ready to give out traffic information at this time. That’s fine. Then why put the link there at all? There’s no excuse for so many links to be not working. There are a total of 29 links in that drop-down panel, 15 of which are greyed out. That’s more than 50% of the links not working. Please tell me what impression that leaves you.

I’d say this website is a mock up to show how the final product will look like. That’s what a web design firm might do to demonstrate to their client what they propose to build. You don’t go live with such a half-baked website.

It gets worse. On the main page, as you mouseover the big tiles, you’d notice some tiles are clickable (indicated by your mouse pointer). The Photo of the Week, for example, seems to be clickable. Click on it, but nothing happens. Oh yes, that’s right, it’s probably not ready yet. This is a mock up. I’m sorry, let’s not dwell on not-ready things anymore.

Let’s talk about how the information is presented. For example, in the Media Releases page, the link for Theme, Logo & Concept is a ZIP file. The link for Ticket Balloting is a PDF. In fact, this style of just tossing in files, instead of putting proper content on a webpage, seems prevalent in other sections of the NDP website. Another example is the page on the Junior Red Lions, which simply contains a link to a JPEG picture about, well, the Junior Red Lions.

Screen Shot 2014-05-18 at 6.08.39 am

There’s yet another example in the Big-Hearted Family page. There isn’t even an effort to, say, properly lay out the image, again another fault that seems to be repeated in other pages.

If you ask me, this aspect of the NDP website almost seems to be a document repository. Just stash PDFs, ZIPs, and JPEGs in there.

Let’s talk about design again. Can you see the plethora of fonts used on the main page? Usually, you shouldn’t use too many fonts together. The page will simply look very haphazard, lacking consistency, lacking an identifiable style. It’s definitely possible to pull off a design that includes a myriad of carefully selected fonts. Obviously, this NDP website isn’t that.

Moving on, let’s check out the NDP website on a smartphone. Oops. They did not design for mobile. There’s no responsive design, and there’s no mobile site. It’s alright. Maybe they did intend for mobile users to use their prominently featured mobile app. Let’s take a look there. There’s a link to download the Android app. But wait, there’s no iOS app? Wow.

Last, but certainly not the end of it, the NDP website is not on IPv6. IDA has been pushing hard for IPv6 adoption in Singapore. They’ve said last year that 95% of government e-services are IPv6 enabled. It’s probably true. Oh, but not the NDP website. I suppose someone in the organising committee didn’t get the memo about IPv6 adoption.

I know the NDP website is fronted by Akamai, but Akamai does support IPv6. So it is strange that the NDP website would not be served on IPv6. I want to mention Akamai here, because it brings me back to the issue on security and privacy. Yes, the ticket balloting sub-site is also served through Akamai. Would you believe it, your personal data is being sent in plaintext, unencrypted for anyone in-between to see, across the Internet to a Content Delivery Network? What is wrong with the people behind the NDP website?

You see why I’m dismayed with the NDP website. We are a nation that’s strong in ICT capabilities. But we put up such a website for the most important national event. This is an embarrassment.

43 thoughts on “NDP Website an Embarrassment

    1. I think that’s ridiculous that Anonymous should get to know.
      It’s our data out there – our fellow singaporeans?

      Drop a note to the website, i’m pretty sure someone will take a look at it.

  1. I think that’s ridiculous that Anonymous should get to know.
    It’s our data out there – our fellow singaporeans?

    Drop a note to the website, i’m pretty sure someone will take a look at it.

  2. U shld read how Business Times compared SGX website agst our regional rivals, especially Philippines. I have never read such a critical piece by MSM before.
    BT 28 Mar 2014: “How other exchanges present their websites”.
    Wonder what kinda IT consultants our establishment is using….

  3. Have you ever thought that more likely than not, this was done by a lowly-paid NSF who was ‘coerced’ to come up with a ‘professional-looking’ website for the NDP?

    1. Although that is plausible, I believe that is highly unlikely. There is a budget for NDP and they won’t need to coerce any NSFs into this.

    2. Actually NSFs do design the NDP sites at least for 2009/2010… The fmn in-charge often sets up a crack team comprising of NSFs – nothing a few offs cannot do…

  4. The Budget for NDP is very low. NDP relies heavily on Sponsorship and at this point of time, it’s most likely done by an NSF. To be fair, if it was an NSF, it would probably be someone with a polytechnic diploma from a related course. So the skill level would not be comparable on a professional level.

  5. the only flaw in this article post (which I find very well written and enjoyable – thanks) is the claim that Singapore is “well known” to have strong ICT capabilities.

    Singapore does NOT have strong ICT capabilities in software (or networking) – never has, probably never will.
    Hardware? Yes SG used to be great at hardware, has lost much of its skills since collapse of Creative, but has a history and background in it that measures up.

    It is well known that Singaporean software is amidst the worst quality known in the civilized world.
    That Singaporean internet is louded as excellent yet in reality is leaps and bounds worse than neighboring Thailand, Malaysia, Vietnam and Philippines.
    In Software – even SEA countries like Vietnam put SG to absolute shame.

    This of course is well known by everyone else in the real world, though the typical Singaporean view is one opposite.

    This is not the first govt website that “sucks”. They literally all do. The banking software does too – and these are the 2 biggest industries in SG: banking and govt. Yet their software sucks, and they have the best software engineers the country can possibly get.

    This is what the focus of this article should be – the reasons why SG sucks so bad at software.
    But SG still isnt mature enough to admit that to itself so, good articles like this go to waste really, and this problem will just repeat itself over and over, which amazingly S’poreans are so good at forgetting rather quickly…

    1. I strongly agree with this. Singapore lacks greatly in ICT capabilities, look at how our “Army” is using technology… it’s retarded to call it a 3G army.

    2. Management executives of most ICT companies in Singapore generally refuse to admit that we “sucks” at software development. They keep thinking that we are at the leading edge of software development. As a developer, it’s always facepalming everyday when listening to the management level convincing themselves that their product is superior without even doing proper market research.

  6. I strongly agree with this. Singapore lacks greatly in ICT capabilities, look at how our “Army” is using technology… it’s retarded to call it a 3G army.

  7. Actually NSFs do design the NDP sites at least for 2009/2010… The fmn in-charge often sets up a crack team comprising of NSFs – nothing a few offs cannot do…

  8. Good job for detecting this and pointing it out. But did you consider informing the organizers first to take down the site and have it fixed first, before announcing it to the world of its vulnerability? This would be a great service done to protect fellow Singaporeans. Of course, they might have turn around to say it had no issue, but I am sure you would have had the facts captured. Nevertheless, it is good of you to point it out. More should be aware of the cyber threat.

  9. Management executives of most ICT companies in Singapore generally refuse to admit that we “sucks” at software development. They keep thinking that we are at the leading edge of software development. As a developer, it’s always facepalming everyday when listening to the management level convincing themselves that their product is superior without even doing proper market research.

  10. Such a thorough analysis! I believe you would have also offered your expertise to the media team as a service to this country you are so proud of? Otherwise, what’s all the comments about feeling embarrassed for..

  11. So you’re the chap who found out the flaw! Lol. Good job I must say. I also left a comment on your Straits Times post. I think the site is now secure. It’s now https. Credit to you bro!

Leave a Reply

Your email address will not be published. Required fields are marked *

View Comment Policy