Back in January, I blogged about the security holes in the ePass system, the online application that allows you to log in to Canadian government websites. It all started when I noticed some fundamental flaws in the Canadian passport website, after Chris had already exposed last April how generally frustrating it is to use.
Developers from the Passport Canada office (their IPs point right back to them) started leaving nasty comments on my blog:
Now, now. Everybody must live with the frustration of a world not as perfect as our own little person.
If the Passport application system was able to handle a sudden increase (what? 500% maybe? thanks to USA) without a glitch, it would mean that for many years this system had been running with way too much bandwidth and server muscles. Who would be crying then? Chris, Jonathan, Clay and their friends would be crying to the world that the government was wasting money all these years running such a system! (source - “Jo Blo”)
And on my friend’s blog:
do you know anything about security… whiner
if you can’t even figure out who built it you must be a simpleton.. oh yeah u use a mac … (source - “dl”)
Well, this week Passport Canada had to be completely shut down for two days when someone noticed that they were saving login credentials in a browser cookie. That is an egregious error by a web developer, and shows a complete disregard for security practices. Now, after two days, they are back online and saying, “Now the Internet site of Passport Canada is one of the most secure” (source).
Are you serious?! Firstly, how are you determining that? Put your site on HTTPS all you want; you cannot repair application security holes through anything but a complete line-by-line examination of your code-base.
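To make the two points above concrete, here is an added example (my own illustration, not Passport Canada's code, whose stack the post does not describe): the flawed pattern, a cookie that carries the login itself, beside the standard fix, an opaque random session token that is only meaningful in a server-side table. A small audit helper flags a Set-Cookie header that embeds a known secret or lacks the HttpOnly and Secure attributes. The user, password and cookie names are constructed placeholders. Note that turning on HTTPS only adds the Secure attribute's transport guarantee; the credential cookie stays a credential on disk and in every log that sees it.

```python
"""Added example: credentials-in-a-cookie versus an opaque server-side session.
All names, users and passwords here are constructed for illustration."""
import secrets
from http.cookies import SimpleCookie


# --- the flawed pattern: the login itself travels in the cookie -------------
def credential_cookie(username: str, password: str) -> str:
    """Build a Set-Cookie header value that embeds the login.

    Any copy of this cookie (browser profile, proxy or server log, a script
    that can read document.cookie) is the password. HTTPS does not change that.
    """
    c = SimpleCookie()
    c["auth"] = f"{username}:{password}"          # constructed cookie name
    return c.output(header="").strip()


# --- the hardened pattern: opaque token, state kept on the server -----------
_SESSIONS: dict[str, str] = {}   # token -> username (real code: store with expiry)


def session_cookie(username: str) -> str:
    """Log a user in: mint a random token, remember it server-side, and send
    only the token, marked HttpOnly (no script access), Secure (HTTPS only)
    and SameSite=Strict (not attached to cross-site requests)."""
    token = secrets.token_urlsafe(32)             # 256 bits from the CSPRNG
    _SESSIONS[token] = username
    c = SimpleCookie()
    c["sid"] = token                              # constructed cookie name
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Strict"
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def user_for_request(cookie_header: str):
    """Resolve an incoming Cookie header to a username, or None.

    The token is an opaque lookup key: the cookie never reveals who the user
    is or what their password was, and a stolen token can be revoked by
    deleting it from the table (see logout)."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("sid")
    if morsel is None:
        return None
    return _SESSIONS.get(morsel.value)


def logout(cookie_header: str) -> bool:
    """Invalidate a session server-side; returns True if one was removed."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("sid")
    return morsel is not None and _SESSIONS.pop(morsel.value, None) is not None


# --- a simple audit of what a Set-Cookie header gives away ------------------
def cookie_findings(set_cookie: str, known_secrets) -> list[str]:
    """Return a list of problems found in a Set-Cookie header value.

    known_secrets: values (passwords, usernames) that must never appear in a
    cookie. Presence of any of them is the Passport Canada class of bug.
    """
    findings = []
    c = SimpleCookie()
    c.load(set_cookie)
    for name, morsel in c.items():
        for secret in known_secrets:
            if secret and secret in morsel.value:
                findings.append(f"{name}: cookie value contains a secret")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
    return findings


if __name__ == "__main__":
    bad = credential_cookie("alice", "hunter2")   # constructed user/password
    good = session_cookie("alice")
    print("flawed  :", bad, "->", cookie_findings(bad, ["hunter2"]))
    print("hardened:", good, "->", cookie_findings(good, ["hunter2"]))
    print("resolves to:", user_for_request(good))
```

Run it as a script to see the two headers and the audit verdict for each. The design point is that the fix is not an attribute on the bad cookie but a change of what the cookie is: a random key into server-side state, which the server can expire or revoke, instead of a copy of the secret.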
Secondly, the security hole I found is still there. You may have found and patched one hole, but the entire system is still open to exploit.
In the end, as a citizen myself, these websites are trying to protect my information and I want to help. I emailed Passport Canada and the CRA to try to get in touch with someone that way. Please, if you read this, drop me a line in the comments. I will do whatever I can to help you close these holes. Even if you don’t believe me that there are some, what do you have to lose?
October 7th, 2008