NDP 2015 Website Security

Last year, I cooked up a storm over my comments on the NDP website. My intent was to lament the embarrassing presentation of the NDP website. Security was just one aspect, but it caught on and went viral. This year, I’m glad to see some improvements in the NDP website. Not perfect, but much better than before.

Let’s just start with the security bit first. That’s probably the most exciting part of it. Yes, they have SSL, or HTTPS, set up now, at least for the ticketing portion of the website that asks you to enter your personal information. It’s a little disappointing that they didn’t get SSL set up for the entire website. The SSL certificate for https://ticketing.ndp.org.sg/, after all, is valid for the entire *.ndp.org.sg domain.

[Aside: I know, https://www.ndp.org.sg/ does answer HTTPS requests, but it returns a redirect to http://www.ndp.org.sg/. Since they already have the certificate, they already have a front-end listener, and in the interest of promoting better security, why not just use HTTPS for everything? But alright, perhaps I’m looking too far ahead. So many other websites aren’t bothering to implement HTTPS on such a wide scale yet.]
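To make that downgrade concrete, here is an added example (not code from the original post) that audits a response received over HTTPS for exactly the pattern described above: a redirect pointing back to a plain-HTTP URL, plus a missing Strict-Transport-Security header. The hostnames and the two sample responses are constructed, not captured from ndp.org.sg.

```python
"""Audit an HTTPS response for a downgrade redirect and missing HSTS.

Added example, not the post's own code. The sample responses below are
constructed to mirror the behaviour the post describes; they were not
captured from any real site.
"""
from email.parser import HeaderParser
from urllib.parse import urlsplit


def parse_response(raw: str):
    """Split a raw HTTP response (status line + headers) into (status, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])          # "HTTP/1.1 301 ..." -> 301
    headers = HeaderParser().parsestr(header_text)  # case-insensitive lookups
    return status, headers


def audit_https_response(requested_url: str, raw: str) -> list:
    """Return findings for a response that was received over HTTPS."""
    if urlsplit(requested_url).scheme != "https":
        raise ValueError("audit expects a URL that was requested over HTTPS")
    findings = []
    status, headers = parse_response(raw)
    location = headers.get("Location")
    # A 3xx whose Location uses plain http:// sends the visitor off TLS again.
    if 300 <= status < 400 and location and urlsplit(location).scheme == "http":
        findings.append(f"downgrade: {requested_url} redirects to {location}")
    # Without HSTS, browsers will still try http:// on the next visit.
    if headers.get("Strict-Transport-Security") is None:
        findings.append("missing Strict-Transport-Security header")
    return findings


# Constructed sample: HTTPS answers, but bounces visitors back to plain HTTP.
DOWNGRADE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: example-frontend\r\n"
    "Location: http://www.example.test/\r\n"
    "\r\n"
)

# Constructed sample: HTTPS served directly, with HSTS so browsers stay on it.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for name, raw in (("downgrade", DOWNGRADE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_https_response("https://www.example.test/", raw) or ["ok"])
```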

Is their HTTPS setup any good? Unfortunately, not quite. According to SSL Labs’ report:

[Screenshot: SSL Labs report for https://ticketing.ndp.org.sg/]

It’s fronted by Akamai. Alright, blame Akamai.

The bigger issue is that the captcha used on their ticket balloting page is so kiddish that a free online OCR can instantly decipher the code. So what were the NDP website developers thinking? There are so many captcha systems out there; I wonder why they had to go with such a kiddish one.

[Screenshot: captcha on the ticket balloting page]

Of course, there’s no risk of personal data being lost due to this kiddish captcha. The captcha is supposed to defeat automated form submissions, and to some extent, it will be sufficient to deter casual script kiddies. On the other hand, it’s not like it’s so difficult to put a proper captcha system in place.

Also, notice how error handling on the ticketing form is done. Go ahead and try it. Look at how errors are returned to you, in the style of a Web 1.0-era app.

On the positive side, I’m really pleased to see the NDP website now operating on IPv6, and it is also mobile-friendly. Furthermore, the website HTML code is much more standards compliant than before. These have been some of my peeves with many websites of late.

This year’s NDP website isn’t quite the best example of a modern web property, but it has made significant improvements from last year’s. Good that they’re paying attention to these details.
