check this damn pic out. found it online. badass

The Worst Websites On Earth, 2016

jon hendren
Published in piss.io · Oct 4, 2016

Usually when I talk about the worst websites in the world, 99% of the time I’m talking about Twitter and the foul celebs, scoundrels and other ne’er-do-wells who post on it. Today though, I’m talking about the worst from a data security standpoint. Sites that are incredibly popular (ranked 10,000 or better according to alexa.com) and still configured like it’s 2003.

To set this up—it’s an increasingly common opinion that there is absolutely no excuse in the modern age for a big business to poorly run a website. If you make any kind of money through your site, whether you’re serving just a brochure or a full-blown ecommerce thing, it’s impossible to justify a lack of basics like sitewide SSL, SPF and so on. For the non-nerds reading this—these are additional security improvements which are practical, cheap and easy. (Like me!) And they go a long way toward making websites and their users safer.

We’re able to see how badly sites suck thanks to a tool my much smarter coworkers put together to grade how well (or unwell) a website is set up. Being that many of the top 10,000 Alexa-ranked sites are strange foreign porn sites and torrent trackers, I took the liberty of going over the list by hand and picking out just sites I’ve heard of before to keep this article brief. (Imagine 400+ variations on the url ‘grandma-pleasures.biz.ru’ and you get what the list looked like.) Each site has been given a score between 0 and 950, higher being better. I’m also not going to link to them because I don’t want them to know I hate them.

The following highly popular sites are bad at security:

hobbylobby.com — 155
anandtech.com — 192
stamps.com — 198
surfsecured.net — 213
egypt.gov.eg — 238
youjizz.com — 240
liveleak.com — 240
bmwusa.com — 240
zazzle.com — 242
dx.com — 243
imagevenue.com — 243
corsair.com — 249
frys.com — 254
encyclopedia.com — 255
samsung.com — 271
kmart.com — 284
monoprice.com — 290
cosmopolitan.com — 294
hobbyking.com — 297
tigerdirect.com — 298

“But Jon,” you’re saying in my imagination, “who cares if Cosmo or Encyclopedia.com are insecure? And places like Stamps.com and Kmart probably have all their transactions happening on a separate, secure server. Who cares?” You should care, fucker, because it’s depressingly easy for some wiener to come along and perform a man-in-the-middle attack or something else to ruin your afternoon. It’s not farfetched and it’s not very rare.

Here are some other websites that I hate with my life:

mo.gov — 300
maryland.gov — 311
ca.gov — 324
gamestop.com — 325
dailymotion.com — 334
gamespot.com — 334
allmusic.com — 337
secondlife.com — 337 (hello dear would u like to sexy 3d chat)
cafepress.com — 338
orientaltrading.com — 340
microcenter.com — 340
uspto.gov — 359
fda.gov — 359
wsj.com — 376
sears.com — 376
directv.com — 377
jetblue.com — 378
pizzahut.com — 378 (shit’s nasty any damn way)
toyota.com — 380
msn.com — 386
deviantart.com — 386
macys.com — 386
verizon.com — 386
starbucks.com — 388
officedepot.com — 388
modcloth.com — 389
safeway.com — 391

I had that grilled cheese pizza from Pizza Hut over the weekend and it was fucking disgusting, so they definitely can’t use the excuse that they are too busy working on pizza to fix their shit.

This begs the question: If a site’s IT people can’t be bothered to run a tight ship up front, at the first point of contact with potential new users, how bad are the controls on the data they already have? Are they doing the right thing, storing sensitive information/credit card numbers/passwords properly? Or are they putting about as much effort into it as they do these disgraceful web servers?

If you’ve never thought about how big companies store your data, maybe you should. But if you still refuse to think about it, here’s a pic from my computer that I’ve been looking for a reason to post:

cool
