This security critique of the Tesco website is a hoot. It walks through an increasingly deep, and increasing damning, look at what is wrong with their setup, and how you can tell. The critique is well peppered with links to additional content about the problems being described, so it’s not a bad starting place to learn something about web security. It is also an accessible illustration of the type of exploration and deduction that can be used to profile a system and its vulnerability. Finally, to me, it reads as a nice lesson in why you can’t just “throw some security on your site” without real expertise. I like the concept of “unconscious incompetence” being used to describe the situation where incompetence (here about security) is being compounded by a lack of awareness of the incompetence. If you at least know what you don’t know, you’re moving a step in the right direction!
Glimpses of the websurfing habits of a computer science professor, obsessive crafter, occasional gamer, and all around geek