Update 2015: Since the writing of this article, Lowe's has taken action to improve the LowesLink situation. They now have an actual web app that does not require Java, and it seems to work better. I will provide a better review of LowesLink when I have more time. They also now use two-factor authentication when you log in from a new computer.

I wrote about LowesLink a few months ago, after years of frustration supporting several clients that use the Lowe's Home Improvement Warehouse vendor portal.

You can read through the above post, but in a nutshell, LowesLink is a Java-based portal and, due to both their technical requirements and their support recommendations, anyone that uses it is very likely running an old and insecure version of the Java plugin in their browser. As a result, most, if not all, Lowe's third-party vendors, and likely a good number of their employees, are at significantly increased risk of viruses and other computer infections.

Since my writing, Lowe's has improved its online documentation and removed some of the more criminally negligent advice, like disabling updates to Java and the statement that a two-year-old version of Java is the only supported version.

However, ultimately, it is still the same pig, just with a slightly nicer shade of lipstick.

Main Changes to LowesLink Documentation:

– Removed advice to disable Java Updates

– Updated Documentation to indicate that newer versions of Internet Explorer do work with it

– Direct users to disable insecure/mixed content warning in Internet Explorer

Removed advice to disable Java Updates

In the past, both via their trained telephone support staff and via their online documentation, LowesLink has directed users to install an old and insecure version of Java and to disable automatic updates.

Since the documentation update, Lowe's no longer directs users to disable Java updates on their computer, and even mentions that a newer version of Java 6 works in some cases.

However, they still recommend installing a version of Java that is no longer supported, stating:

(screenshot: LowesLink Java requirements)

To get the old version, they direct users to oldapps.com, a third-party download archive, to fetch the old, unsupported version of Java. So not only is the version out of date, the installer is not even coming from the vendor.

What makes this so bad is that the Java browser plugin is one of the most heavily targeted components on end-user machines; a large share of drive-by malware infections come in through it, and exploit kits routinely target it. Even the most recent version is rarely free of publicly known exploits for long, and that is before counting 0-days. An old version is missing the fixes for every bug published since it was released. Directing users to install an old version of the Java browser plugin is criminally irresponsible.

Updated Documentation to indicate that newer versions of Internet Explorer Work with LowesLink

This change to the LowesLink documentation is good. I have had Internet Explorer 9 with a new version of Java working for at least a year, if not longer with a client.

In the past, they directed Windows Vista and Windows 7 users to downgrade to Internet Explorer 8, even though, as I mentioned, at least for the type of work my vendors do, it has worked okay in Internet Explorer 9 for a while now.

Direct users to disable insecure/mixed content warning in Internet Explorer

One issue with LowesLink is that instead of serving all of their content over an encrypted SSL/TLS connection (HTTPS), they serve some resources over an unencrypted connection (HTTP). At least on the login page, I believe this was mostly images, but I haven't looked in a while.

Most browsers will warn you in some way when this happens, because it opens the user up to several attacks and can compromise the security of the browsing session. Anyone on the network path, such as someone on the same public Wi-Fi or a compromised router, can read and modify the parts fetched over plain HTTP. If such a resource is a script, stylesheet or frame, the attacker gets to run code inside the HTTPS page, including reading whatever the user types into the login form. If it is only an image, the attacker can still swap it for something misleading and can see which pages the user is visiting.

Internet Explorer makes this the most obvious, as you get a counter-intuitive popup every time you visit a page that loads content insecurely, warning you. The dialog in Internet Explorer 8 asks whether you want to view only the content that was delivered securely, so "Yes" is the answer that keeps the page secure, which is the opposite of what most users expect from a warning.

Rather than fix the issue, which is often as simple as ensuring all resources are referenced via HTTPS instead of HTTP, Lowe's now directs users to disable the warning.

So the content still gets loaded insecurely on Lowe's site, with the added bonus that, because this is a per-zone setting in Internet Explorer rather than a per-site one, the warning is removed for ALL other websites in that zone as well.

So, for example, if a user goes to their bank's website (or an attacker-controlled or phishing website) and there is a similar mixed-content issue, they won't see any warning that their account information could potentially be leaked.
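As an added example (not code from the original post and not LowesLink's own), the following Python script does the check described above: given the HTML of a page served over https://, it lists every sub-resource that the browser would fetch over plain HTTP, classifying scripts, stylesheets, frames and form targets as active mixed content and images or media as passive, and applies the fix mentioned above by rewriting the reference to https. The host names and the sample login page are constructed for the example.

```python
"""Scan an HTTPS page's HTML for sub-resources fetched over plain HTTP.

Added example for this post; it is not code from the original article and
not LowesLink's own. Host names and the sample page below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Element -> attribute that names a sub-resource the browser will fetch.
SUBRESOURCE_ATTR = {
    "script": "src", "iframe": "src", "frame": "src", "object": "data",
    "embed": "src", "img": "src", "audio": "src", "video": "src",
    "source": "src", "form": "action",
}
# Active mixed content: tampering by an on-path attacker yields code running
# in the HTTPS page's origin (or, for a form, credentials sent in the clear).
# Everything else (images, media) is passive: it can be swapped or observed,
# but cannot script the page.
ACTIVE_TAGS = {"script", "link", "iframe", "frame", "object", "embed", "form"}


class _SubresourceCollector(HTMLParser):
    """Collects (tag, attribute, raw URL) for every sub-resource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are executed content; icons, prefetch etc. are not.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self.refs.append((tag, "href", attrs["href"]))
            return
        attr = SUBRESOURCE_ATTR.get(tag)
        if attr and attrs.get(attr):
            self.refs.append((tag, attr, attrs[attr]))


def find_mixed_content(html, page_url):
    """Return [(severity, tag, attr, absolute_url)] for each reference that an
    https:// page would load over http://.  Relative and protocol-relative
    (//host/path) URLs inherit the page's scheme and are therefore not mixed."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for pages served over https")
    collector = _SubresourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.refs:
        absolute = urljoin(page_url, raw.strip())
        if urlsplit(absolute).scheme != "http":
            continue
        severity = "active" if tag in ACTIVE_TAGS else "passive"
        findings.append((severity, tag, attr, absolute))
    return findings


def upgrade_to_https(url):
    """The server-side fix the post describes: reference the resource over
    HTTPS.  Only the scheme changes, so the host must actually serve the
    resource over HTTPS (verify that before deploying the rewrite)."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


# Constructed sample resembling a vendor-portal login page (not LowesLink's HTML).
SAMPLE_LOGIN_PAGE = """
<html><head>
<link rel="stylesheet" href="https://portal.example.com/css/login.css">
<link rel="icon" href="http://portal.example.com/favicon.ico">
<script src="http://cdn.example.com/js/jquery.js"></script>
</head><body>
<img src="http://portal.example.com/images/logo.gif">
<img src="//portal.example.com/images/banner.gif">
<img src="/images/secure.png">
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""


def scan_sample():
    """Scan the constructed page as if it were served at an https:// URL."""
    return find_mixed_content(SAMPLE_LOGIN_PAGE, "https://portal.example.com/login")


if __name__ == "__main__":
    for severity, tag, attr, url in scan_sample():
        print(f"{severity:7} <{tag} {attr}> {url}  ->  {upgrade_to_https(url)}")
```

On the constructed page the scan reports two findings: the jQuery script is active mixed content (an on-path attacker who replaces it owns the login page), and the logo is passive. The protocol-relative banner and the root-relative image are not reported, because they inherit the page's https scheme, which is also the simplest way to fix references to resources on the same host.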

(screenshot: LowesLink instructions for the Internet Explorer mixed content warning)

The above are the exact instructions, which lead to a document showing how to disable this important, albeit often annoying and counter-intuitive, warning in Internet Explorer.

Conclusion

It is good that Lowe's has finally updated their documentation. Before, it had references to 2011, and I can say that it hadn't been updated in the 2-3 years I have been supporting it. Now they even have a revision date on some of the documentation.

However, they haven’t really changed anything. It looks a bit nicer and the advice is a bit better.

However, Lowe's is still getting vendors to install an insecure version of Java, which significantly increases the risk that a vendor's computer will be infected. And Lowe's is still recommending changes to browser settings that further decrease browser security.


I am a pretty big fan of VirtualBox and use MySQL a lot, so I must admit the takeover of Sun by Oracle was a sad day for me. (Yeah, I know in Internet time it happened a long time ago; I have been busy :D)

When I was in school, my first database class used Oracle, but I really didn't like its interface, nor did I like their restrictive enterprise business model, with the standard version being restricted and less secure. So, having already been familiar with MySQL, I made a point to take the rest of my credits in classes that used MySQL.

Now that Oracle owns MySQL, which is one of the biggest competitors to its own for-profit, closed-source database, I cannot help but think that this is going to have a major impact on MySQL's future.

I have not always been the biggest fan of Sun, mostly because I prefer C++ to Java, but with that said, I have done a lot of Java development and really like how easy it is to make a cross-platform program that works on Linux, Windows and Mac OS X. This kind of makes up for the performance issues and general kindergarten feel of Java, which are the two main issues I have with it.

However, despite some of my trepidations about Java, I still had a great deal of respect for Sun and its products, because they were a tremendous asset to the open source community. So, suffice it to say, I was not just sad about losing MySQL and VirtualBox to Oracle, but also about the end of Sun as a company.

Now it is possible that Oracle will step up to the plate and continue to live up to the ideals that Sun did, but I cannot help but think that, as it now owns the chief competitor to its for-profit database, development of MySQL will be halted or at the very least cut back, so as to make the Oracle enterprise database the full version and MySQL the scaled-back one.

I guess ultimately this means that it is time for a fork, or to support one of the existing forks, such as Drizzle or MariaDB. The latter, MariaDB, is being developed with the support of Monty Widenius, who was the founder of MySQL and is the lead developer of MariaDB.

I wish Sun could have made it through these tough times…