Viridian Sciences caught a little heck last week for their post claiming that the WSLCB site (previously) at http://www.mjtraceability.com/ was being used over a non-encrypted connection.
In fact, the LCB has flatly denied this.
We don’t have any recordings of our findings, but reviewing browser history going back a few months we could see that the following was true.
- http://www.mjtraceability.com/ was being served over a non-encrypted connection (until at least Jan 12, 2015). This site did not even try to redirect people to an encrypted connection.
- Visiting the encrypted connection at https://www.mjtraceability.com/ issued a warning, because the certificate name did not match.
- The certificate was issued to ‘wslcb.mjtraceability.com’
- The site was accessible at https://wslcb.mjtraceability.com/ – but when accessed by this name, SSL was not enforced either.
- Both www.mjtraceability.com and wslcb.mjtraceability.com are the same system.
- Compare to WeedTraQR.com which always enforces an SSL connection to our site, and removes the ‘www.’ prefix.
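The checks behind the list above (is plain HTTP redirected to HTTPS, does the certificate name cover the hostname the user typed) can be scripted. The following is an added example written for this post, not WSLCB, Viridian Sciences or WeedTraQR code. It uses only the Python standard library; the `probe()` function does a live check of one hostname, while the `SAMPLE` observations at the bottom are constructed to mirror what the post describes for January 2015, not recorded traffic. It also reports a missing Strict-Transport-Security header, which the post does not discuss but which is the usual complement to a redirect when "always enforce SSL" is the goal.

```python
"""Assess whether a site enforces HTTPS and whether its certificate covers the hostname.

Added example for this post (not WSLCB, Viridian Sciences or WeedTraQR code).
The SAMPLE observations are constructed, not captured responses.
"""
from __future__ import annotations

import http.client
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Observation:
    host: str                   # name the user typed into the browser
    http_status: int            # status of plain http://host/ (redirects not followed)
    http_location: str | None   # Location header on that response, if any
    cert_names: list[str]       # CN plus DNS SANs presented on https://host/
    hsts: bool = False          # Strict-Transport-Security header present on https


def hostname_matches(host: str, cert_names: list[str]) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            # '*.example.com' covers 'a.example.com' but not 'example.com' or 'a.b.example.com'
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def enforces_https(obs: Observation) -> bool:
    """True only if a plain-HTTP request is answered with a redirect to an https:// URL."""
    if obs.http_status not in REDIRECT_CODES or not obs.http_location:
        return False
    return urlsplit(obs.http_location).scheme.lower() == "https"


def assess(obs: Observation) -> list[str]:
    """Return the problems a browser user would run into; an empty list means the name is clean."""
    findings = []
    if not enforces_https(obs):
        findings.append(f"http://{obs.host}/ is served in the clear (status {obs.http_status}) "
                        "with no redirect to https")
    if not hostname_matches(obs.host, obs.cert_names):
        findings.append(f"certificate names {obs.cert_names} do not cover {obs.host}; "
                        "browsers will warn on https://")
    if not obs.hsts:
        findings.append("no Strict-Transport-Security header, so a returning user's first "
                        "request can still go over plain http")
    return findings


def probe(host: str, timeout: float = 5.0) -> Observation:
    """Live check of one hostname (needs network access; not used by the sample run below)."""
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", "/")
    resp = plain.getresponse()
    status, location = resp.status, resp.getheader("Location")
    plain.close()

    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we want the certificate even when its name mismatches;
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain is still validated so getpeercert() is populated
    tls = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    tls.request("GET", "/")
    tls_resp = tls.getresponse()
    cert = tls.sock.getpeercert()
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    hsts = tls_resp.getheader("Strict-Transport-Security") is not None
    tls.close()
    return Observation(host, status, location, names, hsts)


# Constructed observations mirroring the post's January 2015 description (not recorded traffic).
SAMPLE = [
    Observation("www.mjtraceability.com", 200, None, ["wslcb.mjtraceability.com"]),
    Observation("wslcb.mjtraceability.com", 200, None, ["wslcb.mjtraceability.com"]),
    Observation("www.weedtraqr.com", 301, "https://weedtraqr.com/",
                ["weedtraqr.com", "www.weedtraqr.com"], hsts=True),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        print(obs.host, "->", assess(obs) or "ok")
```

Run as-is it reports the two mjtraceability names as served in the clear, and the www. name additionally as a certificate mismatch, while the constructed WeedTraQR observation comes back clean. To check a live host, call `probe("example.com")` and pass the result to `assess()`; note that `probe()` still validates the certificate chain, so a self-signed certificate will raise rather than be reported as a finding.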
As of the 14th of January 2015, the WSLCB system is now enforcing access over SSL and using the proper name. This is a good thing.
If you’ve been using mjtraceability.com over the last few months you can check your browser history – it will show page access (/client.html, /loading.html) over non-encrypted connections. You won’t see other page views because of the architecture of the WSLCB application (it’s basically an embedded desktop app played over video).
All the Training Videos show they were created on the non-encrypted site at http://wslcb.mjtraceability.com/ – further backing the findings of Viridian Sciences. This video https://www.startmeeting.com/wall/recorded_audio?audioRecordingUrl=https%3A%2F%2Fwww.startmeeting.com%2Fr%2FO3L6A%252FjoGku&subscriptionId=1334333 shows that as late as March 13 the system was not enforcing an encrypted connection.
Let’s hope the other security issues on the API side get resolved soon.