Macoles Self Catering

Self-catering holiday booking website login and registration via insecure connection

http://www.macoles.com/User#Login

What is the problem?

Curiously, while this website does support encrypted connections, it relies on JavaScript code embedded in the page and executed client-side to perform the upgrade to a secure connection (instead of handling it the traditional way by forcing it server-side). This is an unusual implementation because client-side content delivered insecurely cannot be trusted: the script that performs the upgrade arrives over the same unencrypted connection it is meant to replace, so it can be altered or removed in transit before it runs.

As of 6th August 2018, view the page source and see lines 39-47 for the JavaScript:

<script type="text/javascript">
//<![CDATA[
function RedirNonHttps() {
  if (location.href.indexOf("https://") == -1) {
    location.href = location.href.replace("http://", "https://");
  }
}
//]]>
</script>
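
A check for the distinction described above, as an added example that is not part of the original page or the site's own code: it classifies the response to a plain http:// request as upgraded server-side, upgraded only by client-side script, or not upgraded. The function name, result labels and sample responses are constructed for illustration, and the pattern match is a heuristic.

```javascript
// Added example: classify how a site upgrades a plain-HTTP request to HTTPS.
// Input is a response object {status, headers, body} for a request made to an
// http:// URL. All sample responses below are constructed, not captured.
function classifyHttpsUpgrade(res) {
  const headers = {};
  for (const [k, v] of Object.entries(res.headers || {})) {
    headers[k.toLowerCase()] = String(v); // header names are case-insensitive
  }
  const location = (headers["location"] || "").trim();
  // Server-side enforcement: a 3xx whose Location is an https:// URL, so no
  // page content is delivered over the insecure connection.
  if ([301, 302, 303, 307, 308].includes(res.status) &&
      /^https:\/\//i.test(location)) {
    return "server-redirect";
  }
  // Client-side only: the page itself was served over HTTP and carries script
  // (or a meta refresh) that switches the scheme afterwards.
  const body = res.body || "";
  const jsUpgrade =
    /location(\.href)?\s*=(?!=)[^;]*https:\/\//i.test(body) ||
    /location\.(replace|assign)\s*\([^)]*https:\/\//i.test(body);
  const metaRefresh =
    /<meta[^>]+http-equiv\s*=\s*["']?refresh[^>]*url\s*=\s*https:\/\//i.test(body);
  if (res.status >= 200 && res.status < 300 && (jsUpgrade || metaRefresh)) {
    return "client-side-only";
  }
  return "no-upgrade";
}

// Constructed samples; pageSnippet embeds the function quoted on this page.
const samples = {
  pageSnippet: { status: 200, headers: { "Content-Type": "text/html" },
    body: '<script>function RedirNonHttps() {' +
          ' if (location.href.indexOf("https://") == -1) {' +
          ' location.href = location.href.replace("http://", "https://"); } }' +
          '</script>' },
  serverSide: { status: 301,
    headers: { LOCATION: "https://www.example.test/User" }, body: "" },
  httpRedirect: { status: 302,
    headers: { Location: "http://www.example.test/User" }, body: "" },
  comparisonOnly: { status: 200, headers: {},
    body: '<script>if (location.href == "https://x.test/") {}</script>' },
};

for (const [name, res] of Object.entries(samples)) {
  console.log(name.padEnd(15), classifyHttpsUpgrade(res));
}
```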

Disclosure Policy

Prior to public disclosure, notification about any privacy or security issues discovered was sent by email to the operator of this website on 6th August 2018, using either an email address publicly discoverable on the site, or the RFC 2142 standards-compliant address "webmaster@..." if no public email address was provided.

At the time of posting, the issue had not yet been resolved.