Nov 02

Security is only as strong as the weakest link

I recently had to register myself at the Danish Consulate in New York since I’ve relocated to the US. The registration page asked for various information such as name, address, phone number, e-mail address, and addresses of relatives. It also asked for my passport information, although that was optional.

Most people probably wouldn’t have noticed, but as a security-conscious IT professional I immediately saw that the registration page wasn’t encrypted with SSL. This, in my opinion, is particularly bad practice for a government-controlled website that expects its users to enter confidential information — and we’re not “just” talking credit card information here.

Since I had to complete the form, I reluctantly filled out the remaining fields and hit Submit. I was redirected to a confirmation page, which told me that a confirmation e-mail had been sent to me to verify the e-mail address I had entered.

Fair enough. That’s standard practice these days.

A couple of minutes later the confirmation e-mail arrived. I was horrified to learn, however, that all the information I had entered on the registration page had been reprinted in the e-mail — even my passport information.

That did it. I immediately fired off an e-mail to the Consulate trying to voice my concerns about the security of the site. I was fortunate enough to have a contact at the Consulate from a previous correspondence, and when I told her about my experiences she was kind enough to forward my e-mail to the person responsible.

I received a response within an hour (what a pleasant surprise), and it turns out the site was supposed to be SSL encrypted, but for some reason the main page was linking to the wrong (unencrypted) version of the page. This just illustrates how easily things can go wrong, even when they are done with the best intentions.
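The failure described above, a landing page that links to the plain-HTTP copy of a form, is easy to catch with a link audit. The following script is an added example, not code from the Consulate's site or this blog: it parses a page and flags every link or form action that resolves to an http:// URL (the hostname and sample HTML are constructed for illustration).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class InsecureTargetFinder(HTMLParser):
    """Collect links and form actions that resolve to plain-http URLs."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []  # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._check(tag, "href", attrs["href"])
        elif tag == "form":
            # A form without an action posts back to the page it lives on
            self._check(tag, "action", attrs.get("action") or self.base_url)

    def _check(self, tag, attr, target):
        # Relative targets inherit the scheme of the page that carries them
        resolved = urljoin(self.base_url, target)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, attr, resolved))


def find_insecure_targets(html, base_url):
    """Return every (tag, attribute, url) on the page that would send data in the clear."""
    findings = []
    # A page that is itself served over plain HTTP can be altered in transit,
    # so even an HTTPS form action on it gives no guarantee.
    if urlsplit(base_url).scheme == "http":
        findings.append(("page", "url", base_url))
    parser = InsecureTargetFinder(base_url)
    parser.feed(html)
    parser.close()
    return findings + parser.findings


# Constructed sample: an HTTPS landing page whose registration link
# and one of its forms point at the http:// copy of the site.
SAMPLE_HTML = """
<html><body>
<a href="http://consulate.example/register">Register</a>
<a href="/contact">Contact</a>
<form action="http://consulate.example/submit" method="post"></form>
<form method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_targets(SAMPLE_HTML, "https://consulate.example/"):
        print(f"{tag} {attr} -> {url}")
```

Running this against the sample reports the http:// registration link and the http:// form action, while the relative link and the action-less form inherit HTTPS from the page and pass.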

The confirmation e-mail was deliberate, though, and the government official assured me that they’d address the (obvious) security issue in an upcoming large-scale redesign of the site in January.

I’m very pleased that the Consulate responded so quickly to my concerns. I think it happens way too often that sites remain broken and unsafe for long periods of time even though the security holes are known to the maintainers.

Kudos to the Consulate!
