Taxis and security

It is quite encouraging that citizens taxed in Greece are able to file their tax reports through the Web, at the Taxis Website. Sadly, it has been reported that standards-compliant Web browsers are not supported by the Taxis Website. If you are affected, do complain about it, and if you file taxes and are affected, file a report.
Let’s see some more issues.

A. The main login page is not configured properly with regard to the autocomplete feature found in modern browsers; as it stands, your username and password get saved by default in your browser. If your computer is stolen or a trojan horse gets installed on it, your tax details are gone! 🙁

The Web developer should modify the HTML code from

<span class="textblue2"><b>user name:</b></span>
<input type="text" name="username" maxlength="40" size="15" value="testing">
<p><span class="textblue2"><b>password:</b></span>
<input type="password" name="password" maxlength="40" size="17" value="testing">

to

<span class="textblue2"><b>user name:</b></span>
<input type="text" name="username" autocomplete="off" maxlength="40"...
<p><span class="textblue2"><b>password:</b></span>
<input type="password" name="password" autocomplete="off" maxlength="40"...
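
A quick way to audit a login page for this problem is to parse its HTML and flag every credential field that still allows autocomplete, or that ships with a prefilled value. The script below is an added example, not code from the Taxis site or the post: it uses the standard-library HTML parser, and the two sample forms are constructed here to mirror the "before" and "after" snippets above (the "after" form assumes the prefilled value="testing" is dropped as well).

```python
"""Flag login-form fields that let the browser save or prefill credentials.

Added example (not the Taxis site's code): parses an HTML page and reports
every username/password <input> that lacks autocomplete="off" or carries a
prefilled value. Sample forms below are constructed for the demonstration.
"""
from html.parser import HTMLParser

# Field names treated as credentials even when type="text" (from the post's form).
CREDENTIAL_FIELDS = {"username", "password"}


class AutocompleteAudit(HTMLParser):
    """Collects findings for <input> tags that hold credentials."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, problem)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").lower()
        kind = a.get("type", "text").lower()
        if kind != "password" and name not in CREDENTIAL_FIELDS:
            return
        # A missing attribute means autocomplete="on" to the browser.
        if a.get("autocomplete", "on").lower() != "off":
            self.findings.append((name or "<unnamed>", "autocomplete not disabled"))
        # A prefilled value (value="testing" in the post) is a second smell.
        if a.get("value"):
            self.findings.append((name or "<unnamed>", "prefilled value"))


def audit_login_form(html):
    """Return a list of (field, problem) tuples; an empty list means clean."""
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample: the "before" form from the post.
BEFORE = """
<span class="textblue2"><b>user name:</b></span>
<input type="text" name="username" maxlength="40" size="15" value="testing">
<p><span class="textblue2"><b>password:</b></span>
<input type="password" name="password" maxlength="40" size="17" value="testing">
"""

# Constructed sample: the hardened form (autocomplete off, no prefilled value).
AFTER = """
<span class="textblue2"><b>user name:</b></span>
<input type="text" name="username" autocomplete="off" maxlength="40" size="15">
<p><span class="textblue2"><b>password:</b></span>
<input type="password" name="password" autocomplete="off" maxlength="40" size="17">
"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_login_form(page))
```

Running it prints four findings for the "before" form and none for the hardened one. One caveat when relying on this attribute: current browsers' built-in password managers generally ignore autocomplete="off" on password fields, so the server-side fix reduces exposure on older browsers but cannot by itself stop credentials from being stored on the client.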

B. The page http://webtax.gsis.gr/taxisnet/login.do claims that users are protected by Verisign (SSL/TLS). Quite sadly, the intent has probably been that users will connect through the proper URL, at https://webtax.gsis.gr/taxisnet/login.do. Dear Taxis, you should place an HTTP redirection to move all users to the SSL/TLS-protected URL. You are in breach of your Verisign license!

[Image: https://i0.wp.com/static.flickr.com/55/110197352_d60be48ab3_o.png]

I will follow up on the above report here.

Actually, it would be much better if the web server were SSL/TLS only (no plain HTTP version available). The web server should be configured so that any access to a URL under http://webtax.gsis.gr/… redirects to https://webtax.gsis.gr/.
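
The redirect rule above is normally a one-line web-server directive, but it is easy to see the exact behaviour in code. The following WSGI middleware is an added example, not the Taxis server's configuration: it answers any request that arrives over plain HTTP with a 301 pointing at the same path and query on https://webtax.gsis.gr, and passes HTTPS requests through to the wrapped application. The host name and login path are taken from the post; the wrapped login application and the simulated requests are stand-ins constructed for the demonstration.

```python
"""Redirect every plain-HTTP request to the TLS-protected origin.

Added example (not the Taxis server's own configuration). The middleware
trusts only the scheme the server itself saw (wsgi.url_scheme), never a
client-supplied header, so a client cannot claim to be on HTTPS.
"""
from urllib.parse import quote

CANONICAL_HOST = "webtax.gsis.gr"  # host name from the post


def https_location(environ):
    """Build the https:// URL for the request described by a WSGI environ."""
    path = quote(environ.get("PATH_INFO", "") or "/")
    query = environ.get("QUERY_STRING", "")
    return f"https://{CANONICAL_HOST}{path}" + (f"?{query}" if query else "")


def is_https(environ):
    """True only when the server itself terminated TLS for this request."""
    return environ.get("wsgi.url_scheme", "http") == "https"


def force_https(app):
    """Wrap a WSGI app so plain-HTTP requests are redirected, never served."""
    def wrapper(environ, start_response):
        if is_https(environ):
            return app(environ, start_response)
        start_response("301 Moved Permanently",
                       [("Location", https_location(environ)),
                        ("Content-Type", "text/plain; charset=utf-8")])
        return [b"Redirecting to the TLS-protected site.\n"]
    return wrapper


def login_app(environ, start_response):
    """Stand-in for the real login page (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"login form\n"]


def simulate(app, scheme, path, query=""):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET",
               "HTTP_HOST": CANONICAL_HOST}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


site = force_https(login_app)

if __name__ == "__main__":
    print(simulate(site, "http", "/taxisnet/login.do"))
    print(simulate(site, "https", "/taxisnet/login.do"))
```

The plain-HTTP request gets a 301 with Location https://webtax.gsis.gr/taxisnet/login.do and no login form in the body; the HTTPS request is served normally. A permanent redirect is deliberate: browsers cache it, so later visits to the http:// URL never reach the server in the clear at all.
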

C. Worst of all, the website serves its content in the 8859-7 8-bit legacy encoding. It would be much better to convert to Unicode and UTF-8. I do not know whether users have to write Greek text in their tax forms…
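
Converting a legacy-encoded page is more than re-encoding the bytes: the charset declaration in the document and in the HTTP Content-Type header must change with them, otherwise browsers show mojibake. The script below is an added example, not code from the Taxis site: it decodes a page as 8859-7, rewrites the meta charset to utf-8 and re-encodes, and also shows what a browser would render if the bytes were converted but the declaration left alone. The sample page and its Greek label are constructed for the demonstration.

```python
"""Transcode an 8859-7 (Greek) page to UTF-8 and keep the charset declaration in step.

Added example (not the Taxis site's code). The sample document is constructed.
"""
import re

# Matches charset=iso-8859-7 in a <meta> tag or a Content-Type header,
# keeping any quote character that follows the '=' so it can be preserved.
CHARSET_DECL = re.compile(r"charset\s*=\s*(['\"]?)\s*iso-?8859-7", re.IGNORECASE)


def transcode_to_utf8(page, declared="iso-8859-7"):
    """Decode `page` as the legacy charset, fix its declaration, return (utf8_bytes, fixes).

    Decoding is strict: bytes that are not valid in the legacy charset raise,
    which is better than silently shipping a corrupted page.
    """
    text = page.decode(declared)
    text, fixes = CHARSET_DECL.subn(r"charset=\g<1>utf-8", text)
    return text.encode("utf-8"), fixes


def content_type_for_utf8(header):
    """Rewrite the HTTP Content-Type header so it agrees with the document."""
    return CHARSET_DECL.sub(r"charset=\g<1>utf-8", header)


def rendered_as(page_bytes, charset):
    """What a browser shows if it interprets `page_bytes` using `charset`."""
    return page_bytes.decode(charset, errors="replace")


# Constructed sample page, as it would be served in the legacy encoding.
SAMPLE_LEGACY = (
    '<html><head><meta http-equiv="Content-Type" '
    'content="text/html; charset=iso-8859-7"></head>'
    '<body>Όνομα χρήστη: testing</body></html>'
).encode("iso-8859-7")

if __name__ == "__main__":
    utf8_page, fixes = transcode_to_utf8(SAMPLE_LEGACY)
    print(fixes, "declaration(s) rewritten")
    print("correct  :", rendered_as(utf8_page, "utf-8"))
    print("mojibake :", rendered_as(utf8_page, "iso-8859-7"))  # what a stale declaration yields
    print(content_type_for_utf8("text/html; charset=iso-8859-7"))
```

The transcoded page is a few bytes longer (each Greek letter takes two bytes in UTF-8 instead of one), and the "mojibake" line shows the Greek label turned into unrelated characters, which is exactly what users see when only the bytes are converted. When the header and the meta tag disagree, the HTTP header wins, so both must be changed together.
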
I don’t file taxes, so I am not sure whether there are more issues once you log on.

Update: The http://webtax.gsis.gr/taxisnet/login.do URL does not work anymore (it forwards to another Website which is down). I did not hear back from Verisign; it’s possible that the two events are linked together.

2 comments

  • Unique Fish

    Wow! That’s a serious one. Probably the average user won’t manage to get to the non-SSL login page, but the bug is still there!! The ‘new’ system looks as if it was brought into production in a rush. Pity.

    I already complained to GSIS about the lack of W3C compliance and notified Verisign about the misuse of their seal. Let’s hope that this will reach someone who cares.

  • Unique Fish

    IMHO, it’s not fixed by GSIS. Probably Verisign does not provide certificate authentication for the page if the referrer is different than the main site of GSIS. You can still access the page without TLS/SSL by going to the https front page for E1 via the front page of GSIS and then manually removing the ‘s’ from ‘https’ in the URL.
