Hotels.ng is Still Completely Unsecured!

If you feel very strongly about changing the title, try it…it’s free.

@Ndianabasi & @MrASulaiman while I’m sure a lot of people share your concerns (and see sense with a lot of them), maybe… just maybe, there’s nothing new to add again until https is implemented. Of course the importance of having this basic security has been emphasised (over and over again), so now we all know.

However, there’s nothing left to prove at this point, right? Give the man space to do the right thing.

1 Like

Thank you @MrASulaiman and @Nosa_O for your great submissions.

I also respect your opinions @manifest and @PapaOlabode. But you see, this post is about doing the right thing and holding the right of the privacy and security of a customer as sacrosanct.

The recent Apple-FBI Privacy case in the US shows in how high a regard the developed world holds customers’ privacy and information. Apple says she built the iPhone with no backdoor, so is even unable to hack into the evidence as requested by the FBI. Apple is even fighting the government regarding the FBI’s right to ask for a “dead” customer’s information.

I’m a Nigerian, so somehow I’m used to seeing “I don’t care” and “anyhowness” attitudes everywhere. And when someone stands up to talk against it, you are labelled with names and accused of having a hidden agenda.

Once again, I reiterate that the right thing to do is for Hotels.ng to implement HTTPS for the safety of the information transmitted between their server and customers’ browsers!

Unless, the Radar administrators delete this thread or lock it down, we’ll continue to post updates until the lovely “green bar” or “green padlock” appears on the site. As a server administrator, I know that it wouldn’t take me more than 3 hours to set up HTTPS on any server. If there are any complications, it wouldn’t take me more than a day to fix all of them!

I’m sorry if this has hurt anyone’s feelings, but it’s the right thing to do.

2 Likes

I agree…

Mark is playing poker-feelings with the obvious concerns raised here. They bulged at the overly obvious ones, but unlooking the SSL bit.

I can understand why it may be low priority.

The average Nigerian online has no idea what browsing on an SSL connection looks like, not to talk of the benefits.

But the day will come, when you have to set up SSL even before you install your site theme, but it’s not today!

1 Like

So at Hotels.ng’s Privacy Policy Page, the company, unequivocally, stated:

Security
Unfortunately, no data transmission over the Internet can be considered 100% secure. However, your Hotels.ng Information is protected for your privacy and security. In certain areas of our websites, as identified on the site, Hotels.ng uses industry-standard SSL-encryption to protect data transmissions.
We also safeguard your personal information from unauthorized access, through access control procedures, network firewalls and physical security measures.
Further, Hotels.ng retains your personal information only as long as necessary to fulfil the purposes identified above or as required by law.

So even Hotels.ng understands the importance of using industry-standard SSL-encryption to protect data transmissions.

A Privacy Policy is meant to be a “pact” between a company and her customers, and customers are meant to review it before signing up for your service. So is Hotels.ng living up to their own end of the bargain? Your answer is as good as mine!

As at 2003 hours, March 26, 2016, there’s “no joy” yet at Hotels.ng!

[quote=“Ndianabasi, post:64, topic:4870”]
I’m a Nigerian, so somehow I’m used to seeing “I don’t care” and “anyhowness” attitudes everywhere.
[/quote]

Thanks for standing up for something, and I’m sure a few people would have learnt the importance of implementing this.

However, in regard to the quote above, while I’m sure no one is thinking of any drastic action, how many updates should we be expecting from you? I mean, what are we really talking about here: every 3 hrs, twice a day, daily, weekly or monthly (who knows, he just might not care)? Or whenever you so desire, you will update to let us know?

Thank you @PapaOlabode. As you may have noticed already, I post a daily update regarding the status of the site (mostly in the evening). This will continue daily. However, this doesn’t exempt me or others from replying to conversations as they ensue.

I haven’t noticed actually. I just noticed today that it was getting repetitive, which of course signals that it could degrade the experience for others.

But you’re right, it’s still a normal thread if daily updates and others are engaged. So good luck with the campaign. We might need to print t-shirts at some point!

2 Likes

@PapaOlabode: The above are daily updates from me and @MrASulaiman. Updates like these will be done daily, however, normal conversations continue anytime here. Outside the daily updates, I can’t stop anyone from replying to any comment here.

1 Like

Duplicate response…

OK Dude. I really do respect your persistence and I do believe that we need more folks like you in this world. So keep up the good fight. However, you are doing it the wrong way. If hotels.ng won’t listen to you, then speak to the people that they will listen to. I will suggest that you speak to the Yahoo boys that there is a place online that they can easily harvest the credentials of people that have money to pay for online services in Nigeria. So my donation to your campaign is to teach these Yahoo boys how to get this information.

So my dear Yahoo boys, please visit http://www.hacking-tutorial.com/hacking-tutorial/how-to-sniff-http-post-password-via-network-using-wireshark-network-analyzer/#sthash.6YIgbLHa.dpbs as it has a very good tutorial on how to get credentials off websites without HTTPS. Make sure that your sniffer is installed closer to the edge of the network so that you can cast the net as wide as possible. If you walk around Otigba there are hardware based sniffers that you can install on an ISP network to even further widen the net. If you get caught you are on your own, and remember not to pick up your soap when it drops when you are dumped at the other side.

Now with that out of the way, there is a more worrying part that I believe my good guy @xolubi needs to explain to us: I can see email, id and key URL parameters sent to standard.paystack.co in plain text from the hotels.ng website. What’s up with that? I have made a video of it, and my fellow Agberos and our cousins in Russia have started dissecting the video to see if there is an opportunity for us to hold you hostage and tax some of the money you are about to collect from YC 🙂.

So what’s that about?

2 Likes

That’s all public info though. Including the well, public key… and only viewable on the browser of the person making the payment as the connection to Paystack is over TLS v1.2 uhm… besides that it got to the user’s browser by being transmitted over the wire in plain text from hotelsng’s servers.

Anyway, I guess unless the guy making the payment is trying to hack himself, or has people after him monitoring his hotel booking activity, all is well.

3 Likes

Unfortunately this was logged to a sniffer with an SSL decryptor that is external to the user’s device. The device in the middle exchanged keys with you guys on behalf of the internal user; that’s why it can decrypt the traffic headers from the user but not the application data. Now these URL parameters are clearly seen in the headers. Even if the key and ID parameters are jargon (which I doubt), the email is not jargon… This is why most platforms do not send data via URL parameters even in HTTPS, and even try to further encrypt the data payload before sending it via HTTPS.

Please correct me if I am wrong.

Also buy one of the security guys at YC a coffee and ask for a second opinion…

1 Like
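The email, id and key parameters raised in the two posts above illustrate a general point: whatever TLS does for the wire, anything placed in a URL query string is also written to browser history, proxy and server access logs and Referer headers. As an added example (not code from this thread, from Hotels.ng or from Paystack), the Python below audits a URL for such parameters, redacts them before logging, and scans access-log lines for the same leak. The parameter-name list, the sample hand-off URL and the two log lines are all constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry personal data or credentials
# (constructed list; it includes the email/id/key names discussed above).
SENSITIVE_NAMES = {"email", "id", "key", "token", "password", "phone"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Request line inside a combined-format access-log entry: "GET /path?q=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def find_sensitive_params(url):
    """Return the (name, value) pairs in the query string that look like PII or secrets."""
    query = urlsplit(url).query
    return [(n, v) for n, v in parse_qsl(query, keep_blank_values=True)
            if n.lower() in SENSITIVE_NAMES or EMAIL_RE.match(v)]


def redact_url(url):
    """Mask flagged values so the URL can be written to logs or shared safely."""
    parts = urlsplit(url)
    flagged = set(find_sensitive_params(url))
    pairs = [(n, "[REDACTED]" if (n, v) in flagged else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines):
    """Report (line number, redacted request URL, flagged names) for entries leaking PII."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = find_sensitive_params(m.group(1))
        if found:
            hits.append((lineno, redact_url(m.group(1)), [n for n, _ in found]))
    return hits


# Constructed sample data: a payment hand-off URL of the kind described above and two log lines.
SAMPLE_URL = "https://checkout.example.com/pay?email=ada%40example.com&id=48213&key=pk_test_abc&amount=5000"
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2016:20:03:11 +0100] "GET /hotels/lagos HTTP/1.1" 200 5120',
    '10.0.0.5 - - [26/Mar/2016:20:04:02 +0100] "GET /pay?email=ada%40example.com&ref=x1 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("sensitive parameters:", [n for n, _ in find_sensitive_params(SAMPLE_URL)])
    print("safe to log:", redact_url(SAMPLE_URL))
    for lineno, url, names in scan_access_log(SAMPLE_LOG):
        print(f"log line {lineno} leaks {names}: {url}")
```

The same check can be run over a real access log to measure how much personal data a site is already retaining in plain text, whichever side of the TLS hand-off the log sits on.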

Wow.

I’m not sure why this thread is so long though. Hotels.ng is ‘unsecured’; ok.

I’m pretty sure someone from Hotels has seen this thread. Now, it’s for them to do something about it (or nothing).

It’s also for you to use Hotels.ng (or not) and advise people to use it (or not use it). Short of forcing them to do a sprint to implement SSL, I’m not sure what the point of this thread is, and so I’ll close it and tag @mark in it so we’re all doubly sure he’ll be notified. Thanks a lot!

3 Likes