I have the “pleasure” of interacting with software for a US state that was contracted out to a third party. The third-party vendor is not known for high-caliber software, but what I found recently while digging around their web application really made me cringe.
When you first log in to the application, a little modal pops up and alerts you to the fact that it is connecting to secure servers.
I noticed that after the redirect, I ended up in a non-SSL web application. I mean, literally, no SSL ANYWHERE. Every piece of information posted back and forth to the web application is sent in PLAIN TEXT across the magical internet pipes.
This piqued my interest, and led me to dig around the HTML/JS that was loading during that modal.
To my surprise, NOTHING was being done at all! This piece of code literally LIES to its users, suggesting that it is going into secure channels.
Knowing the state paid over $1,000,000 for this web application makes me sick to my stomach. The system has been plagued with issues since launch (as most web applications are), but this really is going above and beyond. Seeing the commented-out “alert” lets me know someone was debugging this thing at some point. What was the time spent writing this code (essentially misleading users about security) vs. the time it would have taken to install an actual SSL certificate?!
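For contrast, here is roughly what a “connecting to secure servers” step would have to verify before it is allowed to say so. This is an added example written for this post, not the vendor’s code (which is not reproduced here); the hostname, paths and form actions below are constructed to mirror the situation described (an http page whose forms post back over http), and the https redirect target assumes the same host serves TLS on the default port. The functions take plain URL strings so they run in Node without a DOM; in a browser you would pass `location.href` and the `action` of every `<form>`.

```javascript
// Added example: the check a "secure servers" modal should actually perform.
// Pure functions over URL strings (no DOM) so this runs under Node as-is.

// Only these schemes give transport encryption for page loads / sockets.
function isSecureScheme(url) {
  const u = new URL(url);
  return u.protocol === "https:" || u.protocol === "wss:";
}

// Resolve each form action (possibly relative or empty) against the page URL
// and return every target that would carry the POST body in plaintext.
// An empty action means "post back to this page", which new URL("", base) resolves to base.
function findPlaintextTargets(pageUrl, formActions) {
  const page = new URL(pageUrl);
  const insecure = [];
  for (const action of formActions) {
    const target = new URL(action, page.href);
    if (!isSecureScheme(target.href)) {
      insecure.push(target.href);
    }
  }
  return insecure;
}

// Verdict for the whole page: the document must be https AND every form target
// must be https (catches both "no SSL anywhere" and https pages leaking to http).
// Returns { secure: boolean, reasons: string[] }.
function auditTransport(pageUrl, formActions) {
  const reasons = [];
  if (!isSecureScheme(pageUrl)) {
    reasons.push(`page loaded over ${new URL(pageUrl).protocol}`);
  }
  for (const t of findPlaintextTargets(pageUrl, formActions)) {
    reasons.push(`form posts in plaintext to ${t}`);
  }
  return { secure: reasons.length === 0, reasons };
}

// What the modal should do instead of merely displaying a message: if the page
// came in over http, hand back the https URL to navigate to and refuse to proceed.
// Returns null when there is nothing to fix (already https, or not a web URL).
// Assumption: the same host serves https on the default port, so any explicit port is dropped.
function secureRedirectTarget(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol !== "http:") return null;
  u.protocol = "https:";
  u.port = "";
  return u.href;
}

// Constructed sample input modelled on the post: an http login page whose forms
// post back to the same http origin, plus one endpoint that is actually https.
const SAMPLE_PAGE = "http://app.example.gov/portal/login.aspx";
const SAMPLE_FORMS = ["", "/portal/submit.aspx", "https://app.example.gov/api/secure"];

// Stand-alone demo: prints the audit verdict and the redirect the modal should issue.
console.log(JSON.stringify(auditTransport(SAMPLE_PAGE, SAMPLE_FORMS), null, 2));
console.log("redirect to:", secureRedirectTarget(SAMPLE_PAGE));
```

The point of `auditTransport` is that an honest “secure” notice is a conclusion, not a decoration: it should only be shown when the function returns `secure: true`, and otherwise the page should navigate to `secureRedirectTarget(...)` (or refuse to collect input at all). Running it against the constructed sample flags the page itself and both same-origin form targets as plaintext.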