Security is more that just https – signon.se just missed me as a customer

A few weeks ago “Thirst”, the newest book by Jo Nesbø, was released in Swedish. (It will be realeased in English tomorrow.) I wanted to buy it and found that one of the best prices was offered by www.signon.se.

By the way, if it wasn’t for a direct link from pricerunner.se, I’d never found the book on their site, since their internal search logic is really bad. They state that you can search on title, author, publisher, etc., but in reality you can only search for any single one of these arguments. And you must get a 100% match. Try typing “Jo Nesbø” without Norwegian or Danish keyboard layout!

So I added the book to my order and went to check-out. First I would had to register. And this is were things went awkward. Obviously, the site uses https, so the communication between my browser and their server is encrypted. But what do they do with my data?

Firstly: The password I created for this website was e-mailed back to me! To me, this an obvious signal that their whole thinking around security is flawed. It’s quite possible that they store my password in clear in their database, which is insecure practice. Almost all current frameworks know to instead store hash values that are created using individual salt strings and cryptography, and never ever send e-mails with the password in clear. The industry practice is to only send one-time nonce-values upon request that then are used to allow password to be reset if lost or forgotten.

Secondly: The account was immediately activated without any verification of my e-mail address. With a simple script you could start stuffing their database with fake accounts and even have them automatically send out confirmation emails as spam, possibly with insulting passwords written in clear!

Next, I went to the beautiful check-out page, which proudly shows off a DIBS logo. Would I trust DIBS with my credit card details? Yes, they’re OK. But would I trust signon.se with my details? No, not really. So I had a quick look at the code behind the page. The form was programmed to deliver my credit card details to their own server. That helped me make my final decision.

End of story: I decided to pay about one euro more, but to a different vendor.

Leave a Reply

Your email address will not be published.

twenty − 17 =