MaxiTrading

Please fix your badly coded AJAX handler


RISadler
This site works for me.
Good for you! I cannot access my seller's page, with the following results: I sold an item for R1850 on Tuesday ... cannot contact buyer to conclude transaction; another buyer placed a bid that didn't meet the reserve price ... cannot now make a "personal offer" to him for R5500 on said item. I showed MacMuffers what is the cause of this dilemma and I quote his response: "Otherwise have a good break over Easter." But yeah, BoB site is 100% A-OK.

voldermort
We = sellers on Bidorbuy. I'm not sure what business you know that is beholden to nobody. Every successful business, small and large, is beholden to both the shareholders and its clients. Fin. But this conversation has gone off track long enough - unless you have a point to raise around how the login servlet really should forward to the original referrer without modifying the connection type, please refrain from commenting. Y'all are welcome to start a new forum post about how much you disagree with me and my "attitude".

 

only 7 posts to your name on this forum and I have passed douchebag, telling people to bugger off and mind their own business, telling people to refrain from commenting.............this is a public forum meaning anybody & everybody is free to comment whether or not they agree with you, also means just about anybody is able to view your serious lack of manners. in your own words - shocking, absolutely bloody shocking.

MaxiTrading
only 7 posts to your name on this forum and I have passed douchebag, telling people to bugger off and mind their own business, telling people to refrain from commenting.............this is a public forum meaning anybody & everybody is free to comment whether or not they agree with you, also means just about anybody is able to view your serious lack of manners. in your own words - shocking, absolutely bloody shocking.

 

So if I had 700 posts it would be fine? This is a product specific forum - I have had no reason, need, or interest to post here prior to this.

 

My lack of manners, as you view it, is a reaction to a deflection and an attack by BidorBuy staff that can't take responsibility for their failure. Had the site worked properly in the first place, I would not be here. Had they acknowledged the slimmest possibility of error, we could have resolved this quickly. Moaning about how I posted my "security concerns" on social media, accusing me of accessing the AJAX handler out of the context of the page, and assuming that I was switching the page to HTTPS is a pretty ballsy move, considering all of that was untrue.

Jongleur

Defining we as the sellers on Bidorbuy clarifies your viewpoints. All that is

required now is to get them to agree with you. This will include the likes of

geewhizz and many others who have an impeccable ratings record. Bonne chance.

As for your login issues - Computers 101 at a reputable institution ?

MaxiTrading
Defining we as the sellers on Bidorbuy clarifies your viewpoints. All that is

required now is to get them to agree with you. This will include the likes of

geewhizz and many others who have an impeccable ratings record. Bonne chance.

As for your login issues - Computers 101 at a reputable institution ?

 

Just to clarify - I don't have login issues per se. The problem is that the login page enforces HTTPS after login when it redirects you to your final destination (the Sales page in this instance) when the final page should enforce its own connection security (or lack thereof) and redirect accordingly.

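The split MaxiTrading describes above, with the login handler sending the user back to the original URL unchanged and each destination page enforcing its own connection policy, written out as an added Python example. This is not Bidorbuy's code: the host name, the policy table and the fallback page are constructed for the example. The behaviour being complained about (the login step rewriting the scheme to https) is shown beside it, and the redirector also gets the same-host check a post-login redirect needs so that the login form cannot be used to bounce users to another site.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed values for this example; not Bidorbuy's real host or routing table.
SITE_HOST = "www.example.test"
FALLBACK = "https://www.example.test/"

# Each page declares its own connection requirement. "https" means the page
# must only be served over TLS (it carries buyer names, phones and addresses);
# "any" means the page is served on whichever scheme the user arrived with.
PAGE_POLICY = {
    "/jsp/seller/sales/Sales.jsp": "https",
    "/jsp/home.jsp": "any",
}


def forced_https_login_redirect(return_to: str) -> str:
    """The behaviour described in the thread: the login step rewrites the
    scheme of the original destination to https regardless of that page's
    own policy. A page whose template links http:// assets then ends up as
    an https page with mixed content."""
    p = urlsplit(return_to)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


def login_redirect_target(return_to: str) -> str:
    """Location header after a successful login. The scheme of the original
    request is left untouched. The target is accepted only if it is an
    absolute http(s) URL on our own host; anything else (another host, a
    javascript: URL, a protocol-relative //host path) falls back to a known
    page, so the login form cannot act as an open redirector."""
    p = urlsplit(return_to)
    if p.scheme not in ("http", "https") or p.netloc.lower() != SITE_HOST:
        return FALLBACK
    return return_to


def page_connection_redirect(request_url: str) -> Optional[str]:
    """What the destination page does on arrival. Returns the URL to
    redirect to when its own policy is violated, or None when the request
    may be served as-is."""
    p = urlsplit(request_url)
    policy = PAGE_POLICY.get(p.path, "any")
    if policy == "https" and p.scheme == "http":
        return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
    return None


def follow_login(return_to: str) -> str:
    """Full flow: the login redirect first, then the page's own enforcement.
    Returns the URL the browser finally lands on."""
    first = login_redirect_target(return_to)
    second = page_connection_redirect(first)
    return second or first


if __name__ == "__main__":
    sales = "http://www.example.test/jsp/seller/sales/Sales.jsp?nc=100.1234567890"
    home = "http://www.example.test/jsp/home.jsp"
    print("forced:", forced_https_login_redirect(home))   # https, mixed content risk
    print("policy:", follow_login(home))                   # stays on http
    print("policy:", follow_login(sales))                  # https, by the page's choice
    print("policy:", follow_login("http://evil.example/phish"))  # fallback
```

With this arrangement the page that holds purchaser details is the one that decides it must be on HTTPS, and a page that is deliberately served on plain HTTP is never pushed onto HTTPS by the login step.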
voldermort
Just to clarify - I don't have login issues per se. The problem is that the login page enforces HTTPS after login when it redirects you to your final destination (the Sales page in this instance) when the final page should enforce its own connection security (or lack thereof) and redirect accordingly.

 

I'm going to say here that to my way of thinking the so called "douchebag" & all his "douchebag" helpers will probably get back to you sometime next week; of course, if you had been just a tad more polite, or if you had decided to private message any one of these helpers & let off steam privately, they would most probably have helped you with your request already, but things being what they are, I suspect that there isn't a person on earth who actually likes being insulted, especially when it is that person who needs to help you out.

RISadler
...
Maybe he did, and they didn't respond. Or did, and called him rude things first.

RISadler
As for your login issues - Computers 101 at a reputable institution ?
"Hallo Pot, my name is Kettle."

MaxiTrading
I'm going to say here that to my way of thinking the so called "douchebag" & all his "douchebag" helpers will probably get back to you sometime next week; of course, if you had been just a tad more polite, or if you had decided to private message any one of these helpers & let off steam privately, they would most probably have helped you with your request already, but things being what they are, I suspect that there isn't a person on earth who actually likes being insulted, especially when it is that person who needs to help you out.

 

Well, after their initial response indicated that they don't serve backend pages over HTTPS because they don't contain any sensitive information (like all of our purchasers' names, phone numbers, email addresses, and physical addresses), the solution is to disregard the redirect from the login HTTP POST response and then access the page on regular HTTP. So this is no longer a problem that is preventing me from working, as there is what effectively amounts to a workaround. They are welcome to take months to respond and/or fix this - it will only infuriate and upset other sellers who are not as tech savvy. C'est la vie.

voldermort
Maybe he did, and they didn't respond. Or did, and called him rude things first.

 

First point is possible because they are not on the forum 24/7.........second point - all I can say is that I have had to phone, email and/or private message these guys many times, sometimes late in the evening and not once have I ever had one of them being anything other than helpful & polite. In fact if one of them were to tell me I am a bloody fool idiot I think I would fall off my chair laughing simply because it would be so out of character for any one of them.

Little Miss Muffet
First point is possible because they are not on the forum 24/7.........second point - all I can say is that I have had to phone, email and/or private message these guys many times, sometimes late in the evening and not once have I ever had one of them being anything other than helpful & polite. In fact if one of them were to tell me I am a bloody fool idiot I think I would fall off my chair laughing simply because it would be so out of character for any one of them.

 

 

I very much doubt they would be rude Mmmm!! Unless a scabie was bugging them:laugh::laugh:

Edited by geewhizz

MaxiTrading

:suspicious:

Little Miss Muffet

On a more serious note MaxiTrading. I get the impression that anyone can see who your customers are.

Does this make a difference to you? Do they steal your customers? Just trying to figure out why you are so upset.

I sometimes sell an item then get an email from "who knows who" with similar wording.

Am I correct in saying this is a security breach? Does Bob get kickbacks for this? Just trying to understand the system.

It seems our security is breached on Google, Facebook and the likes. Even Twitter had security problems recently.

It has often occurred to me to wonder whether Bob can read my emails. It does not bother me because I have nothing to hide.

Seriously, explain yourself to this old ignorant duck and forget the computer phrases like http.

MaxiTrading
On a more serious note MaxiTrading. I get the impression that anyone can see who your customers are.

Does this make a difference to you? Do they steal your customers? Just trying to figure out why you are so upset.

I sometimes sell an item then get an email from "who knows who" with similar wording.

Am I correct in saying this is a security breach? Does Bob get kickbacks for this? Just trying to understand the system.

It seems our security is breached on Google, Facebook and the likes. Even Twitter had security problems recently.

It has often occurred to me to wonder whether Bob can read my emails. It does not bother me because I have nothing to hide.

Seriously, explain yourself to this old ignorant duck and forget the computer phrases like http.

 

Well, personally I don't have a huge concern about the sales page being served unprotected, but it can definitely lead to a serious breach of information. Lemme first explain why SSL is important. SSL encrypts the communication between your PC and the web server. Now in certain situations, even when there is sensitive data flowing between your computer and the web server, there is very little a malicious attacker could do to sniff that traffic.

 

But there are situations where that data could be exposed. For example: if you are accessing the sales page on a public wifi connection (that doesn't have isolation on) or you are using the Internet on a company network then anyone using the same wifi connection or network can sniff your traffic. I'm not going to go into the details as to how they can do this (eg. ARP cache poisoning and routing traffic through their machine, passive sniffing, DHCP hijacking, etc), but suffice it to say that the tools to do so have become REALLY easy to use and are significantly widely deployed. There is also a risk that at some point upstream in your connection, at your ISP for example or at the Internet Solutions data center BidorBuy uses, an attacker could use a compromised server to perform similar attacks against a wide number of connections. They would then be able to grab the contents of the sales page as it is accessed by many, many sellers.

 

Assuming they grab the content of the sales page as you access it, what is the risk? Well, the obvious one is the leak of critical user information. Leaking email addresses is normally a pretty big deal because it opens those users up to spam and phishing attacks. Exposing their full name, email address, username, phone numbers, and physical or postal address is even more concerning. The reason for this is that it makes identity theft a reasonable possibility - the attacker already has 80% of the information they need to impersonate any one of the people that have purchased from you. It is important to understand that the people that are at risk are the buyers that have purchased from you and not you.

 

To veer off a little to the technical: they have asserted that they don't serve certain pages with thumbnails over HTTPS, presumably as all static objects (images, CSS, JS) need to also be served over HTTPS. As backend pages are unique to a seller and their content is dynamic, there is little to no advantage to server-side caching of these pages (either through Varnish, fastcgi_cache, UltraCache were they using PHP, or similar). Thus, assuming there are 30-40 static objects served alongside such a page, the worst-case scenario is that a client requests all of those from the server (this would be in a situation where it's a first-time load and there is no client-side caching on the static objects). HTTPS is particularly performance heavy - and as BidorBuy is using Apache (seemingly without Varnish in front of it) they are paying an added performance penalty. They could mitigate this, and still serve this page over HTTPS, by switching from Apache to nginx (if nginx doesn't support their JSP layer they could always reverse-proxy to Apache for page content and let nginx serve static objects) and favouring non-elliptic-curve ciphers that can be accelerated by AES-NI on higher-end Intel processors. Specifically, they would set their SSL ciphers to something like RC4:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH; to favour RC4 over ECDHE. They could also hand off the SSL handling if they implemented a director, with multiple app servers behind, in a Direct Routing architecture. Finally, they could use purpose-built SSL hardware accelerators (although these tend to favour AES and could leave them vulnerable to BEAST attacks, so this is considerably non-optimal).

 

Edit: I forgot to mention the simplest solution: serve static content off a separate server running nginx with the open_file_cache on. Grab a simple domain wildcard cert for $200, you don't need EV for static content, and then hinge your static content off static.bidorbuy.co.za. Uploads can still go to the regular web server and you can rsync images up every second, thereby creating a CDN-like architecture and mitigating the issue with CDNs not having nodes in SA (although Akamai does). This can be pushed out further either by creating separate nodes (static1., static2., etc.) and having the JSP pick a pseudo-random node to serve the content on the page as it creates links OR by doing round-robin DNS load balancing on the static servers behind static.bidorbuy.co.za. Round-robin would definitely work in this case as you don't need session stickiness for static objects, and it means the JSP has to do less work during page generation. You could even have a reasonably large keep-alive timeout (say 25 seconds), because the server will max out long before it becomes TCP-bound. Also, nginx has a GREAT SSL cache that vastly reduces the SSL performance hit. By means of a comparison: one of the sites on our server bank at a Steadfast DC in New York does 2gbps on a set of 10GigE backbones nearly continuously except for a few hours every day where most of America east-to-west is asleep. I know that 8tb of traffic in a month is a "big deal" for BoB, but that site does 8tb in three days, and every request is served over SSL. I've set up a similar CDN-like infrastructure for static objects there (that uses round-robin DNS for static objects), and the interconnects between the webapp bank and the static bank are Infiniband, which solves the issue of rsyncing thousands of constantly changing images over crummy Ethernet interconnects.

Edited by MaxiTrading

Little Miss Muffet

Thank you for the explanation. I digested some of it

You remind me of my IT son. I ask him a question about computers and lose him along the way.

He set up my Bidorbuy and showed me how to operate it. So not knowing much about the programme set up I don't question anything but just press the right buttons and carry on in my old merry way.

My son was a victim of identity theft to the tune of R150,000.00

He lives in the UK and had a car account which was paid up with Absa before he left South Africa

The car was bought in South Africa, with the photograph of this Portuguese-looking guy on his ID.

They found the car about 3 years later.

He will not operate any financial matters online if it involves South Africa. Dad does all his South African finance from his South African account.

Edited by geewhizz

TribalTrade

Firstly, I have no idea what these IT fundies are talking about!

 

I have been getting the following pop-up message for the past week or so, every time I log into my sales page:

 

SECURITY WARNING!

Do you want to view only the webpage content that was delivered securely?

This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.

Then I have the option to choose YES or NO.

I have chosen both, and then my login page opens.

This was never a feature on my login page for years?

MaxiTrading
Firstly, I have no idea what these IT fundies are talking about!

 

I have been getting the following pop-up message for the past week or so, every time I log into my sales page:

 

SECURITY WARNING!

Do you want to view only the webpage content that was delivered securely?

This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.

Then I have the option to choose YES or NO.

I have chosen both, and then my login page opens.

This was never a feature on my login page for years?

 

This is exactly the same problem I've described - it's a recent issue. You can fix it by copying the sales page URL that is in your address bar at the top of your browser (eg: https://www.bidorbuy.co.za/jsp/seller/sales/Sales.jsp?nc=100.1234567890) by right-clicking on it and choosing "Copy". Then right-click the still-selected URL and choose "Paste". It will paste the full URL into your address bar - now merely take the "s" out of https:// and press enter.

TribalTrade

I have done that when logged in. I logged out, and logged in again. I still get the same message. Did this 3 times.

I would rather let the fundies sort this out until it disappears.

In the meanwhile I will just keep on clicking "Yes" or "No".

RISadler

geewhizz, here's the short version ... 'cause MacMuffin says so ...

 

We take privacy and data security very seriously ...

Little Miss Muffet
geewhizz, here's the short version ... 'cause MacMuffin says so ...

 

Well if MacMuffin created the new sales page I shall be ever grateful. He has made improvements to Bob.

Do we ever give him credit or thanks for the good he has done.

If he wants it the way he wants it to be "Let him be"

As I have said I just trade and don't question the running of the programme as I "know nothing", to quote my son if I question his judgement.

I detest the fact that the new listing page will not allow us to look for the photos we need to load before we choose a category. Sometimes I take photos and only load them the next day, forgetting what they are.

It is irritating but I just carry on and let it be.

RISadler

geewhizz, I guess we differ in attitude and philosophy ... I'm a revolutionary - it started at school, going against rugby, Apartheid, etc. - and feel that people must not accept things as they are simply because those who are "are'ing" are in power and/or an authoritative position. If something doesn't work as it should, the people responsible should fix it, and being the best does not necessarily mean you are doing a good job.

 

The problem with software development, especially in-house, is that they do not understand the Pareto Principle. The result is what we see on BoB these days.

 

Also, on a semi-personal level, I think your son is completely wrong in simply dismissing you with a "know nothing" statement. He should strive to educate you with the knowledge needed to understand how exactly things work. Knowledge is what frees people from domination, and ignorance is the tool of the oppressor.

 

Let me just (mis)quote A.C. Clarke in summation of the whole computer/Internet revolution, "Any sufficiently advanced technology will look like magic."

Edited by RISadler

Guest MacMuffin

Hi all,

 

We will go through MaxiTrading's response in more detail early next week and look at exactly why, under certain circumstances, the mixed content issues occur. MaxiTrading's analysis has certainly pointed us in the right direction that in some cases the login redirects pages to HTTPS where it shouldn't. This then results in mixed content warnings (i.e. some content is served via our HTTPS and other content via our HTTP connections).

 

I would have appreciated it if our dialogue was of the same quality level as MaxiTrading's #14 post, as it technically described what happened and how one can reproduce it. This has now given us enough detail to correct that specific issue.

 

We are always prepared for and value feedback (that's why we have our feedback section) and it would have been more constructive to post content like in MaxiTrading's #14 thread in the feedback section, allowing us to look at the issue at hand and the suggestions. Posting a vague tweet did not help anyone trying to get to the bottom of this.

 

We are always open to suggestions from our userbase as we are building this business together and we have added many feature requests from users where we felt that it will benefit everyone. Sometimes we have to make decisions which protect the interests of the business and our marketplace and we try to accommodate users when we have to make those decisions. So the point really is that we need constructive feedback to improve our business.

 

Can I please ask everyone to maintain professional conduct on the forum; it serves really no purpose to troll or insult people.

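The "content that will not be delivered using a secure HTTPS connection" warning TribalTrade quotes, which MacMuffin attributes to the login step redirecting to HTTPS where it shouldn't, is a mixed-content warning: the page itself arrived over https but one or more of its subresources is referenced with a plain http:// URL. The following is an added Python example, not Bidorbuy's code, of the check a browser applies, usable against saved page source to find the offending references. The page URL and HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes that pull subresources into the page. Browsers warn or
# block when the page was delivered over https but one of these resolves to
# plain http. Ordinary <a href> links are navigation, not subresources, and
# are not part of the check.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "source": ("src",),
}


class _Collector(HTMLParser):
    """Collect (tag, raw reference) pairs for every subresource attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value))


def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url)] for subresources that would trigger a
    mixed-content warning on this page. Only an https page can have mixed
    content. Relative ("/css/site.css") and protocol-relative
    ("//static.example.test/x.js") references inherit the page's scheme and
    are therefore safe; only references that resolve to http:// are flagged."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _Collector()
    collector.feed(html)
    mixed = []
    for tag, ref in collector.refs:
        resolved = urljoin(page_url, ref)
        if urlsplit(resolved).scheme == "http":
            mixed.append((tag, resolved))
    return mixed


# Constructed sample: a sales page template that hard-codes http:// for some
# assets. Served on http it is fine; forced onto https it triggers the warning.
SAMPLE_PAGE_HTTPS = "https://www.example.test/jsp/seller/sales/Sales.jsp"
SAMPLE_PAGE_HTTP = "http://www.example.test/jsp/seller/sales/Sales.jsp"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="http://www.example.test/js/sales.js"></script>
</head><body>
  <img src="//static.example.test/logo.png">
  <img src="http://static.example.test/thumb/1.jpg">
  <a href="http://www.example.test/jsp/home.jsp">Home</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_HTTPS, SAMPLE_HTML):
        print(f"mixed content: <{tag}> {url}")
    print("on plain http:", find_mixed_content(SAMPLE_PAGE_HTTP, SAMPLE_HTML))
```

The fix on the server side is either to stop forcing the page onto https when its template is not ready for it, or, if the page is to stay on https (which is where a page carrying buyer contact details belongs), to reference every asset with a relative or protocol-relative URL so the check above returns nothing.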
Little Miss Muffet
geewhizz, I guess we differ in attitude and philosophy ... I'm a revolutionary - it started at school, going against rugby, Apartheid, etc. - and feel that people must not accept things as they are simply because those who are "are'ing" are in power and/or an authoritative position. If something doesn't work as it should, the people responsible should fix it, and being the best does not necessarily mean you are doing a good job.

 

The problem with software development, especially in-house, is that they do not understand the Pareto Principle. The result is what we see on BoB these days.

 

Also, on a semi-personal level, I think your son is completely wrong in simply dismissing you with a "know nothing" statement. He should strive to educate you with the knowledge needed to understand how exactly things work. Knowledge is what frees people from domination, and ignorance is the tool of the oppressor.

 

Let me just (mis)quote A.C. Clarke in summation of the whole computer/Internet revolution, "Any sufficiently advanced technology will look like magic."


 

My son is a well mannered, well adjusted young man and all three of my boys use the term "Mom you know nothing". It is a standing family joke because only as they got older and told me at family gatherings about all the naughty things they got up to, they would add "Mom you know nothing". In other words they probably did far more than I know.

To be honest my son who programmes is the one with the least patience and I find it easier to call one of his South African friends if I need help.

I have taught myself a lot anyway but how computers are programmed is for the IT guys.

My brain is full of collectables. One day I am going to write a book and MacMuffin won't understand it. Then I can say "MacMuffin knows nothing" :laugh:

Guest MacMuffin

My brain is full of collectables. One day I am going to write a book and MacMuffin won't understand it. Then I can say "MacMuffin knows nothing" :laugh:

 

You don't have to write a book about it. The collectibles category scares me already enough as it is (followed by the craft category) ;-)

Little Miss Muffet
You don't have to write a book about it. The collectibles category scares me already enough as it is (followed by the craft category) ;-)

 

I would certainly change some things in the antiques and collectables categories but who would listen to me anyway?

Bidorbuy still rocks!!
