Eyes Above The Waves

Last week I noticed that the new Tollroad Web site was not using SSL, so user account details such as PINs and credit card numbers are transmitted in the clear, vulnerable to being intercepted by third parties. I sent an email to the contact address and got a stock reply; then I followed up again and got a less-stock reply that they'd "look into it". In today's Herald there's a story about the same issue.

Let's be clear: Brett Dooley is completely wrong. The site is insecure. They do not need to "reassure" the public, they need to fix the site. If it's true that "all the banks set up for website transactions had "verified and certified all our banking arrangements"". then either the "banking arrangements" excluded the site's form submission system, or the banks are fools.

It's very annoying that the Herald article presents it as a "he said, she said" difference of opinion from which no conclusions can be drawn --- presumably in some desire for "balance". The reporter could have and should have called out Dooley on his false statements.

What's especially bad is that incidents like this undermine the security of the entire Internet. Whenever people are told that it's OK to transmit sensitive information like credit card numbers through an insecure channel without the "browser lock", they're being trained to respond positively to phishers and other attacks on SSL site verification.

This is an unfortunate blunder, because everything else about the Puhoi toll road project seems extremely well done. Instead of requiring some kind of transponder device in cars, they just take photos of your license plate and charge your account automatically. If you don't have an account you can use your cellphone to pay the charge up to three days after passing through, or you can visit a kiosk (away from the toll area itself) and pay cash. Overall it's a nice fully automated, low overhead solution.

Update Looks like the Tollroad people have seen reason.