Update 2015: Since the writing of this article, Lowes has taken action to improve the LowesLink situation. They now have an actual web-app that does not require Java and it seems to work better. I will provide a better review of LowesLink when I have more time. They are also using TwoFactor Auth now when you login with a new computer.
I wrote about Loweslink a few months ago, after years of frustration supporting several clients that use Lowe’s Home Improvement Warehouse vendor portal.
You can read through the above post, but in a nut-shell, LowesLink is a Java based portal and, due to both their technical requirements and support recommendations, anyone that uses it is very likely running an old and insecure version of Java in their browser. As a result, most, if not all Lowe’s third party vendors, and likely a good number of their employees, are at a significantly increased risk to virus’s and other computer infections.
Since my writing, Lowe’s has improved their documentation online, as well as removed some of the more criminally negligent advice, like disabling updates to Java and their statements that a 2 year old version of Java is the only supported version.
However, ultimately, it is still the same pig, just with a slightly nicer shade of lipstick.
Main Changes to LowesLink Documentation:
– Removed advice to disable Java Updates
– Updated Documentation to indicate that newer versions of Internet Explorer do work with it
– Direct users to disable insecure/mixed content warning in Internet Explorer
Removed advice to disable Java Updates
In the past, both via their trained telephone support staff and online documentation, LowesLink has directed users to install an old and insecure version of Java, as well as disabling automatic updates.
Since they updated their documentation, Lowes no longer directs the user to disable Java updates on their computer and even mention that a newer version of Java 6 works in some cases.
However, they still recommend installing a version of Java that is no longer supported, stating:
To get the old version, they direct their users to visit oldapps.com to get the old, unsupported version of Java.
What makes this so bad is that Java in the browser is responsible for a large percent of all computer viruses, if not the largest factor. There is almost always a known unpatched Java exploit and that is for the most recent version and doesn’t take into account 0-days. Directing users to install an old version of the Java browser plugin is criminally irresponsible.
Updated Documentation to indicate that newer versions of Internet Explorer Work with LowesLink
This change to the LowesLink documentation is good. I have had Internet Explorer 9 with a new version of Java working for at least a year, if not longer with a client.
In the past, they directed Windows Vista and Windows 7 users to downgrade to Internet Explorer 8, even though as I mentioned, at least for the type of work my vendors do, it has worked okay in Internet Explorer 9 for awhile now.
Direct users to disable insecure/mixed content warning in Internet Explorer
One issue with Loweslink is that instead of serving all of their content via an encrypted SSL connection(HTTPS,) they serve some resources via an un-encrpyted connection. At least on the login page, I believe this was mostly images, but I haven’t looked in awhile.
Most browsers will warn you in some way when this happens, as it opens the user up to several attacks and can compromise the security of the browsing session.
Internet explorer makes this the most obvious, as you get a counter-intuitive popup every time you visit a page that loads content insecurely, warning you.
Rather then fix the issue, which can often just as simple as ensuring all resources are loaded via HTTPS, instead of HTTP, Lowe’s now directs users to disable the warning.
So, the content still gets loaded insecurely on Lowe’s, with the added bonus of removing this warning from ALL other websites as well.
So, for example, if a user goes to their bank website(or an attack/phishing website) and there is a similar issue with mixed content, they won’t see a warning that their account info could potentially be leaked.
The above are the exact instructions, which lead to a document showing how to disable this important, albeit often annoying and counter-intuitive, warning from Internet Explorer.
It is good that Lowe’s has finally updated their documentation. Before it had references to 2011 and I can say that it hadn’t ever been updated in the 2-3 years I have been supporting it. Now, they even have a revision date on some of the documentation.
However, they haven’t really changed anything. It looks a bit nicer and the advice is a bit better.
However, Lowe’s is still getting vendors to install an insecure version of Java, which significantly increases the risk that a vendor will get a computer virus. And, Lowes is still recommending changes to browser settings that further decrease browser security.