• TradeMe Insecurity


    After spending a weekend at a (really frackin’ cool) hacker con, and while setting up some bookmarks on my laptop, I decided to make all my login links point to https pages — because when you’re on an open wireless network, all your traffic is being sniffed by at least one person.

    It’s well known that TradeMe store your password in a plaintext cookie in your browser, but that’s OK (?) because your box has to be owned before that matters. However, people sniffing network traffic shouldn’t be able to sniff your password. And given that most people use wireless now, the likelihood of this is pretty high. So I tried to change that http://www.trademe.co.nz to https://www.trademe.co.nz. Should be a simple thing — one extra character on your URL ensures all your requests are encrypted.

    OK, so I hit their site with https, and my browser tells me there’s something funny about the certificate. Really? Were they too cheap to get it signed by a known Certificate Authority? I mean it’s a few hundred bucks a year, but this was a company that was purchased by Fairfax for seven hundred fucking million dollars. Plus an extra $50 million if they met certain targets over the next two years, which apparently they did.

    Right, so they can afford a cert.

    I pull the cert up to have a look at it and find something a bit more innocent. It was registered with a proper CA, but they registered secure.trademe.co.nz and www.secure.trademe.co.nz (the latter of which, incidentally, doesn’t even resolve in DNS). But, no problem, I plug in https://secure.trademe.co.nz expecting to get to a secure login page. Guess what? It just automatically redirects to http://www.trademe.co.nz. WTF? I tried appending /Members/Login.aspx to the end of that secure URL and I still get redirected. Try it yourself: https://secure.trademe.co.nz/Members/Login.aspx

    Thanks TradeMe, I can’t use your site while I’m on a wireless network.

    If anyone from TradeMe ever reads this, why did you buy a certificate if it isn’t being used? And why can’t I log in via SSL? This isn’t complicated shit (nor expensive) we’re talking about. I’d offer to fix it for you guys, but you couldn’t pay me enough to touch a Windows server. Actually maybe Fairfax could.
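    As an added example (not code from the original post), here is a small offline Python helper for auditing your own login flow for the three problems described above: a redirect chain that drops from https to http, a certificate whose names do not cover the host actually visited, and a session cookie set without the Secure and HttpOnly attributes. The URLs, certificate names and cookie below are constructed sample data, not captured traffic.

```python
"""Offline checks for the HTTPS login problems described above."""
from urllib.parse import urlparse


def first_downgrade(chain):
    """Return the index of the first https -> http hop in a redirect chain,
    or None if the chain never drops back to plaintext."""
    for i in range(1, len(chain)):
        prev, cur = urlparse(chain[i - 1]).scheme, urlparse(chain[i]).scheme
        if prev == "https" and cur == "http":
            return i
    return None


def cert_matches_host(cert_names, host):
    """True if host is covered by one of the certificate's names.
    A single leading '*.' wildcard label is honoured; nothing else is."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        # Wildcard covers exactly one label: same dot count, same suffix.
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.endswith(name[1:]):
                return True
    return False


def cookie_issues(set_cookie):
    """Return the security attributes missing from a Set-Cookie header."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie.split(";")[1:]}
    return sorted({"secure", "httponly"} - attrs)


# Constructed sample data modelled on the post (names and values are made up).
CHAIN = ["https://secure.trademe.co.nz/Members/Login.aspx",
         "http://www.trademe.co.nz/"]
CERT_NAMES = ["secure.trademe.co.nz", "www.secure.trademe.co.nz"]
COOKIE = "loginpw=CONSTRUCTED_VALUE; path=/; domain=.trademe.co.nz"


def audit(chain=CHAIN, cert_names=CERT_NAMES, cookie=COOKIE):
    """Summarise findings as a list of strings; empty means all clear."""
    findings = []
    hop = first_downgrade(chain)
    if hop is not None:
        findings.append(f"downgrade to plaintext at hop {hop}: {chain[hop]}")
    final_host = urlparse(chain[0]).hostname
    www_host = "www." + final_host.split(".", 1)[1]
    if not cert_matches_host(cert_names, www_host):
        findings.append(f"certificate does not cover {www_host}")
    missing = cookie_issues(cookie)
    if missing:
        findings.append("cookie lacks " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    print("\n".join(audit()) or "no issues found")
```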

  • Google Wave


    I have just received an invite and am busy playing with myself, as I only know a couple of others with Wave accounts… or at least that’s it according to my GMail contact list. If you have Wave, add me and send me a wave. My address.