South Western Railway announce compensation scheme for December ’19 strikes – forgets to secure update site

For the love of all things holy, I cannot believe this company. 5 days' compensation is better than nothing, but when you consider it was a full 27 days, it still feels rather stingy. But that's not what's got my goat. After reading the initial blurb, there's a link to an update site which allows you to put in your name and email address.

ALAS!

They've not put a valid SSL (or TLS, if you prefer – technically it should be referred to as TLS these days, but people are set in their ways) certificate on their site. Which means that any form data transmitted will be sent unencrypted between the user's browser and the server. This could (unlikely, but still possible) allow the data to be sniffed and captured by a third party.

Another method is by spoofing the southwesternrailway.com domain. I could register a domain such as southwestermrailway.com (as an example) and duplicate the same hostname and the site contents (changing the form details so that anything is sent to me or a file on the server), leaving out the SSL certificate. I could potentially hoover up vast amounts of data, as people don't bother to check the URL or SSL certificate.

In any event, putting an SSL/TLS certificate on your site is vitally important these days, and it's not difficult to do. I'm still amazed that Bafta.org hasn't put its entire site behind SSL/TLS (try going to https://www.bafta.org, and it'll redirect you back to non-SSL content), nor Milk VFX, which solicits job applicants to submit entries via an unencrypted form. Bad, Milk VFX, bad!

Update: Looks like they're using an external Salesforce CRM to capture the information. The JavaScript form code is hosted securely – thank goodness – and it looks like the form data is also submitted securely to Salesforce servers. Even so – I'd still be pretty wary about any site without a proper SSL certificate and encrypted traffic between the browser and server, and not everybody is going to want to scour the page's source code to determine what's going on.
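Scouring the page source by hand is what the update above describes, so here is a small script that does that scouring for you: it parses a page's HTML, finds every form, resolves where each one would actually submit (an empty or relative `action` inherits the page's own scheme, which is exactly how a form on an `http://` page ends up posting in the clear), and flags any target that is not `https`. This is an added example written for this post, not code from South Western Railway, Salesforce or the original article; the HTML and hostnames in it are constructed placeholders. It only sees forms present in the static markup, so a form injected by a script (like the Salesforce one mentioned in the update) has to be checked in the browser's network tab instead.

```python
"""Audit an HTML page for forms that would submit data over plaintext HTTP.

Added example for illustration. SAMPLE_HTML and the example.invalid
hostnames are constructed placeholders, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> on the page together with its named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one finding per form: the resolved submit URL, the field names
    it would send, and whether that submission is protected by TLS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A missing or relative action resolves against the page URL, so a
        # form served from an http:// page posts over http unless it says
        # otherwise. urljoin handles both the empty and the absolute case.
        target = urljoin(page_url, form["action"])
        findings.append({
            "target": target,
            "fields": form["fields"],
            "encrypted": urlsplit(target).scheme == "https",
        })
    return findings


# Constructed sample: a plaintext page with a form that posts back to
# itself (the bad case) and a second form that posts to an https endpoint.
SAMPLE_PAGE_URL = "http://example.invalid/compensation"
SAMPLE_HTML = """
<html><body>
  <form method="post">
    <input name="name"><input name="email"><input type="submit">
  </form>
  <form method="post" action="https://forms.example.invalid/submit">
    <input name="ticket"><input type="submit">
  </form>
</body></html>
"""


def audit_sample():
    """Run the audit over the constructed sample page."""
    return audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for finding in audit_sample():
        status = "OK " if finding["encrypted"] else "BAD"
        print(status, finding["target"], finding["fields"])
```

Run it against a page you have fetched (for example the body returned by `urllib.request.urlopen`) and anything marked `BAD` is a form whose contents would cross the network unencrypted, which is the check the post is asking for without having to read the markup yourself.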