fbpx

Tech giants using the tech wrong

Boeing’s messy corporate website gives you a clue about the level of IT expertise… vs Airbus?

by , , revisited on


We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

In our second episode of Tech giants using the tech wrong series, here’s a technological comparison between Boring and Airbus corporate websites with an increased accent on Boeing. Taken in the context of Boeing’s 737 MAX groundings, it might give some leads on:

  • Whether you should be flying an airplane developed by a company who can’t even manage to build a website that supports modern & secure technologies
  • Whether you should be buying a stock of an airline company which uses low paid workers for their IT tasks

Disclaimer

Anyone can do the same lookups I did below. It doesn’t involve any hacking as the information about the software used / development level is obvious from the publicly accessible information. It may be not so obvious for less technical people. But I put it out in one concise page, so you get a real, not opinionated overview on which company is of a more mess. Why?

Failing to manage an IT artifact like corporate website, clearly shows overall management failure to keep all the pieces of a company together in a good shape. By looking at one area of operation, you can make conclusions on the overall health of operation for a given company.

In the overview below you can clearly see that it is highly likely that Boeing uses low paid, least technical developers and engineers for their corporate website.

Security

The Boeing website does not enforce TLS encryption:

Boeing fails to enforce TLS on their corporate website
Boeing fails to enforce HTTPS on their corporate website

It also fails to load all assets using secure protocol when using it. A classic mixed TLS content issue:

Boeing fails to enforce HTTPS on their corporate website
Boeing website fails to load all assets securely

While someone could argue that no classified information is to be transferred while accessing the website, this is outrageous for a company the size of Boeing and poses its own risks. For example, the ability for interested “man in the middle” players to substitute an authentic version of the website with the version of their choosing.

And it wouldn’t be hard to do so: clicking the “Read more” as seen the screenshot, leads to mediaroom website, where the logo is linked back to insecure http://www.boeing.com/.

Encryption level

All of us, mortal folks, setup NGINX with latest OpenSSL to make use of TLS 1.3, and some are even breaking their bones while doing it.

But not Boeing. They can’t even get the certificate installed properly!

This server’s certificate chain is incomplete.

Boeing corporate website certificate
Boeing corporate website – not even certificate installed properly

Performance

HTTP/2

Forget about HTTP/2 with the Boeing website. It’s the year 2019 and the majority of browsers support the new faster protocol.
But who needs those pesky multiplexed connections that it provides?

Caching

It is questionable why for a largely static website, Boeing is using heavy Java-based software and load balancer.
In fact, the search is the only apparent dynamic function on the site.

The software, as well it’s version are well advertised using HTTP headers:

Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AC62E5442BE9E6B90D4C11BF42CF3ED6; Path=/

Apparently, Boeing does very little to cache things on a highly static Java-based website, so they need a load balancer:

$ host www.boeing.com
www.boeing.com is an alias for www.lb.boeing.com.
www.lb.boeing.com has address 130.76.184.138
www.lb.boeing.com has address 130.76.184.142
www.lb.boeing.com has address 130.76.184.139

I could see why they might need it – search. However, checking the homepage with two consecutive requests indicates no full page caching is done on the server-side:

Set-Cookie: JSESSIONID=01E75A221FE0A03DD0246EA0924316BF; Path=/
Set-Cookie: JSESSIONID=B0D2DB7C9577C6D52A148B253953875D; Path=/

As you see, it starts a new session every time, so Java is invoked upon each request. The conclusion is that much of the load balancing stuff is a mere attempt to compensate for the lack of something as trivial as full page cache.

How it looks like in a simple analogy: you need to go to the grocery to buy some food, because the fridge is empty. But it starts raining. Instead of taking an umbrella and walking to buy your stuff, you take a shovel, walk out in the rain and start digging an underground tunnel from your house to the grocery store. All while getting wet.

Would you do that? Ridiculous but pretty much close to what’s happening there and what Boeing does.

There is a beast of the web infrastructure that is serving Boeing’s corporate website, while they could just use a good umbrella (Varnish).
And possibly spend all that money they spend on many servers, towards paying more qualified engineers working on buggy MCAS software.

The www.boeing.com resolves to a set of IPs which are located exclusively in the US. Again, a corporation the size of Boeing unable to set up a simple CDN? It’s either huge negligence or a bad attitude, either is very wrong.

In comparison, Airbus does use a commercial Incapsula CDN, and it behaves well, as far as supporting conditional GET requests for page themselves (full page cache is there).

HTML

We surely can’t get into either website’s interpreted code to peek how well they are coded. But we can examine their HTML output.

Airbus website has large chunks of whitespace. What’s going there?

Large chunks of whitespaces in Airbus website
Large chunks of whitespaces in Airbus website’s HTML

This goes on through the entire page. It’s a waste of bytes transferred and shows that the code behind it is a mess too. Comments are not stripped.

Boeing does better with the redundant whitespaces, but it does not strip HTML comments either.

What it does have is invalid HTML:

Invalid HTML on Boeing website
Invalid HTML on Boeing website

That just gives you an idea on lack of automation and continuous integration while deploying the website – at least there are no any checks whether the deployed code will produce a valid HTML. I’m not talking about some page in the depths of the site structure. This is the homepage.

Sure enough, there’s a lot more we can dig in and results maybe furthermore unpleasant to look at. This is the tip of an iceberg, and you only start looking at it when it bothers you that you’re about to use it for flying.

All these faulty areas are very easy to be noticed and fixed by competent engineers but have been present there for years.

Even these issues will likely get fixed in the near future, especially after being brought to attention, all this clearly shows the overall tech attitude of a company. The attitude that might stay with the companies for years to come.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.