For the love of all things holy, I cannot believe this company. 5 days compensation is better than nothing, but when you consider it was a full 27 days, it still feels rather stingy. But that’s not what’s got my goat. After reading the initial blurb, there’s a link to an update site which allows you to put in your name and email address.
They’ve not put a valid SSL (or TLS, if you prefer – technically it should be referred to as TLS these days, but people are set in their ways) certificate on their site, which means that any form data transmitted will be sent unencrypted between the user’s browser and the server. This could (unlikely, but still possible) allow the data to be sniffed and captured by a third party.
Another method is by spoofing the southwesternrailway.com domain. I could register a domain such as southwestermrailway.com (as an example) and duplicate the same hostname and the site contents (changing the form details so that anything is sent to me or a file on the server), leaving out the SSL certificate. I could potentially hoover up vast amounts of data, as people don’t bother to check the URL or SSL certificate.
In any event, putting an SSL/TLS certificate on your site is vitally important these days, and it’s not difficult to do. I’m still amazed that Bafta.org hasn’t put its entire site behind SSL/TLS (try going to https://www.bafta.org, and it’ll redirect you back to non-SSL content), nor has Milk VFX, which asks job applicants to submit entries via an unencrypted form. Bad, Milk VFX, bad!
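For site owners who want to check their own pages for the unencrypted-form problem described above, here is an added example (not code from any of the sites mentioned) that lists every form target that would be submitted without HTTPS. The page URL and HTML are constructed samples, and the check looks only at the URL scheme, not at whether the certificate is valid.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAudit(HTMLParser):
    """Collect every URL a page's forms can submit to, plus the field names sent."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # each entry: {"targets": [...], "fields": [...]}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._current = {"targets": [target], "fields": []}
            self.forms.append(self._current)
        elif self._current is not None and tag in ("input", "button", "textarea", "select"):
            if a.get("name"):
                self._current["fields"].append(a["name"])
            if a.get("formaction"):  # a button can override the form's action
                self._current["targets"].append(urljoin(self.page_url, a["formaction"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def cleartext_forms(page_url, html):
    """Return (target, fields) for each form target whose scheme is not https."""
    audit = FormAudit(page_url)
    audit.feed(html)
    return [(t, f["fields"]) for f in audit.forms for t in f["targets"]
            if urlsplit(t).scheme != "https"]

# Constructed sample: a page served over http with two forms.
SAMPLE_URL = "http://updates.example.test/compensation"
SAMPLE_HTML = """
<form action="/register" method="post">
  <input name="name"><input name="email" type="email">
  <button type="submit">Send</button>
</form>
<form action="https://secure.example.test/login" method="post">
  <input name="user">
  <button formaction="http://legacy.example.test/login">Old login</button>
</form>
"""

if __name__ == "__main__":
    for target, fields in cleartext_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"cleartext submit to {target}: fields {fields}")
```

A form that posts to an `https` target from a page loaded over `http` passes this check, but the page itself can still be altered in transit, so the page URL needs to be HTTPS as well.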