Latest News

Firefox Security Settings Break CSTV-Hosted Websites

Saturday, July 24, 2004, posted by Christopher Byrne at 8:56 PM

Port of Spain, Trinidad and Tobago (July 24, 2004) - Firefox, in addition to being a pleasure to work with for the most part, has shown an unexpected benefit: it can take a web site completely apart and expose the vulnerabilities that come from not adhering to web standards. It also exposes the choice web surfers face when deciding whether to turn security settings on or off. The site I will use for this case study is the University of Georgia Athletic Association web site, though what I discuss here applies to any web site designed and hosted by College Sports Television (CSTV, which acquired the Online College Sports Network, OCSN), and to many other sites as well.

Time for the disclaimer here: I have nothing but the utmost respect for the UGA Sports Communication Staff. The staff is led by Claude Felton, who in all my 23 years of working in college and professional sporting events for CBS Sports, ESPN and others, is unsurpassed as a professional and human being. His staff has faced a number of tough challenges the past few years, including the Jim Harrick fiasco (and the now infamous final exam) and the forced retirement of coaching legend Vince Dooley after 40 years of service (a case study in the lack of sound business controls in and of itself).

I chose this site for the case study because it showed the most dramatic impact from the security settings used. That being said, I have never liked their web site. Blaring red background colours, bad fonts, ads everywhere (including the use of Flash animation and DHTML to bypass pop-up blockers, much like CNN, the Weather Channel and ESPN), and navigation that used to make my head swirl. For a while there was no privacy statement or disclosure statement, even though the site and its advertisers liked to plant cookies right and left. Of course, I never had much reason to visit the site, as I am NOT a UGA alumnus and still think they don't play football in the south like they do in the Big Ten (no flames here, but I did go to The Ohio State University :-)). But I have been visiting the site lately as I have been following the 'changing of the guard', as new athletics director Damon Evans has struck quickly, reorganizing the organization and firing many senior long-time employees.

So last night I fired up Firefox and went to the site. My security settings are displayed in this screenshot.

The impact on the UGA web site was staggering. Not only did this remove all of the ads from the site, including the Flash/DHTML ones, but it removed all of the navigation as well (see the side-by-side images below).

Now you might think, so what? Well, this poses a business risk for the UGA Athletic Association or any other web site configured and architected the same way. Firefox lets you add per-site exceptions, but only on an all-or-nothing basis, and most rabid UGA fans would likely turn off the block for the site(s). But what about those who don't? This is where the risk associated with the vulnerabilities arises.

Vulnerability # 1: Ads do not get displayed

Associated Risk: Lost Advertising Revenue

Sites such as these depend a great deal on advertising revenue, which presupposes that the ads actually reach the visitors' eyeballs. The current architecture does not allow for this if (and it is a big if) people are actually listening to security advisories and locking things down.

Vulnerability # 2: Loss of navigation

Associated Risk: Loss of visitors

Because the designers of the site chose an almost totally image-based navigation scheme AND stored those images on another server, the images were blocked along with the ads and I lost all navigation. This could easily drive many users away.

Vulnerability # 3: Poor Design Structure/Use of Graphic Navigation

Associated Risk: Loss of goodwill/reputation

Because of the design architecture, it was impossible to run a 'Bobby' test of compliance with the W3C and Section 508(c)(3) accessibility guidelines, but with the site gutted the way it was, the problems became easy to see. When I browse from home, I turn off images because of a very, very low connection speed. The design of this site includes no "alt" attributes or image sizing (width/height) on its images, so it is impossible to know what the missing images are. For people with disabilities, the site becomes impossible to navigate. If those people are large spenders or big donors, there is the potential not only of lost revenue as described above, but of lost goodwill as well (and yes, this blog template suffers from that too, but it is being changed bit by bit).
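The two failure modes in Vulnerabilities #2 and #3 (navigation images served from another host, and images with no alt text or size attributes) can be checked mechanically. The following is an added example, not code from the original post or from CSTV: a small Node.js audit that walks the `<img>` tags in a page and flags each one that would vanish under an "images from the originating site only" setting, that leaves nothing behind when images are blocked or switched off, or that collapses the layout because it has no width/height. The HTML snippet and the hostnames (`www.example-athletics.edu`, `images.example-cdn.net`, `ads.example-adserver.com`) are constructed for the example and do not describe any real site.

```javascript
// Added example (not from the original post): audit <img> tags for the
// problems described above. Hostnames and markup below are constructed.

// Constructed sample page: one nav image on a third-party host with no alt
// or size, one well-formed nav image, one third-party ad banner, one local
// logo with alt but no size.
const SAMPLE_HTML = `
<html><body>
<a href="/football"><img src="http://images.example-cdn.net/nav/football.gif"></a>
<a href="/tickets"><img src="/img/nav/tickets.gif" alt="Tickets" width="120" height="30"></a>
<img src="http://ads.example-adserver.com/banner.gif" width="468" height="60">
<img src="/img/logo.gif" alt="Logo">
</body></html>`;

// Host the sample page is assumed to be served from (assumption for the example).
const ORIGINATING_HOST = 'www.example-athletics.edu';

// Parse the attributes of one <img ...> tag into an object. Handles double-,
// single- and un-quoted values; sufficient for a markup audit, not a full parser.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] =
      m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// Resolve an image src against the originating host and return its hostname,
// or null if the src cannot be parsed at all.
function srcHost(src, originatingHost) {
  try {
    return new URL(src, `http://${originatingHost}/`).hostname;
  } catch (e) {
    return null;
  }
}

// Audit every <img> in `html`. Returns one finding per tag that has at least
// one problem: { src, problems: [...] }. Tags with no problems are omitted.
function auditImages(html, originatingHost) {
  const findings = [];
  const imgRe = /<img\b[^>]*>/gi;
  let m;
  while ((m = imgRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const problems = [];
    const host = srcHost(attrs.src || '', originatingHost);
    if (host && host !== originatingHost) {
      problems.push(`served from third-party host ${host}: blocked by an "originating site only" image setting`);
    }
    if (!attrs.alt || attrs.alt.trim() === '') {
      problems.push('no alt text: nothing is shown when the image is blocked or images are off');
    }
    if (!attrs.width || !attrs.height) {
      problems.push('no width/height: layout collapses when the image is missing');
    }
    if (problems.length > 0) {
      findings.push({ src: attrs.src || '', problems });
    }
  }
  return findings;
}

// Usage: run the audit over the constructed sample and print the findings.
for (const f of auditImages(SAMPLE_HTML, ORIGINATING_HOST)) {
  console.log(f.src);
  for (const p of f.problems) console.log('  - ' + p);
}
```

Of the four sample images, only the ticket link survives every check; the football link is the worst case (third-party host, no alt, no size), which is exactly the combination that wiped out the navigation described above. In practice you would feed the audit the saved HTML of each page and the real originating host.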

Vulnerability # 4: Inadequate privacy policy

Associated Risk: Legal exposure

If a web site says it will protect personal information and it does not, there is the risk of legal action and/or financial loss. Tower Records was spanked very hard by the Federal Trade Commission for not adhering to its own policy and for not conducting ongoing assessments of what it had promised.

Vulnerability # 5: Acquisition of OCSN by CSTV

Associated Risk: Business Continuity

The root cause of the problem appears to be this acquisition and the lack of a clear migration path from CSTV once it completed the acquisition. This creates a potential business continuity risk for the University of Georgia.

How Could Sound Business Controls Help?

This case study is one where sound business controls and practices would help the organization:

1. If not already in place, a business case for the web site should be developed, prioritizing business objectives and establishing criteria for measuring success against those objectives. The web site should be evaluated against this case and these objectives on a scheduled basis. Additions to the web site should require a business case and should not be added unless there is a clear business need and it is clear that the resources used to add functionality (whether person-hours or dollars) do not take away from other areas that are business critical.

2. Business controls should be addressed at all stages of the web site life cycle. This is not something that should be left to the web developers, mainly because they may or may not be experienced in this area.

3. If the web site is developed and hosted by a third party, independent reviews/audits should be conducted to ensure that privacy policies are implemented as stated and that individual privacy is being protected. In the case of UGA, they were giving away free e-mail addresses without a clear privacy policy, and to this date there is no audit statement in the posted privacy policy. An organization risks legal action and sanctions if the information is not protected as stated.

4. If an organization has outsourced any part of its operations, it should ensure that there is a business continuity plan in place both at the vendor and internally. When an outside vendor is acquired, all service level agreements and migration plans should be reviewed with the new vendor to ensure that business objectives continue to be met.

5. A web site should be reviewed at least annually to ensure that it is performing as expected and that the business objectives of the site are being met.

6. The architecture of the site should be revisited. Visitors to the site should not be faced with the choice of losing navigation/functionality or giving up their privacy.

Not necessarily related to the vulnerabilities discussed above, but a serious vulnerability and mistake that many web sites make is including employee e-mail addresses on the site. This is a clear invitation to spam. E-mail addresses should NEVER be included on a site. Organizations should instead provide a form-based element that submits e-mail to people by name or role, so that the address itself is never published. There is no reason at all to add vulnerabilities and cost to your operations. Enough said on this topic!
