LoneStar Overnight’s broken web page

I told them I’d give them 24 hours to respond. I actually gave them over a month. The only response was the automated “We’ve received your tech support email.” They have, to date, done jack all to fix any of the problems I alerted them to. So I’m going public.

To whom it may concern,

There are serious issues with the security of your public web site.

A search on Google and DuckDuckGo for “Lonestar Overnight” or “Lone Star Overnight” results in a list of links, the first of which points to www.lso.com. The rest point to various pages below www.lonestarovernight.com, all of which appear to be on the same server. However, the GoDaddy-signed SSL / TLS certificate installed on that server contains only the name “*.lso.com” and the SANs (“Subject Alternative Names”) “*.lso.com” and “lso.com”. There is no SAN for any lonestarovernight.com hostname.

A potential customer or user clicking on any of the www.lonestarovernight.com links would receive a message from their browser that the certificate does not match the hostname. This can cost you business, as customers look elsewhere, to a competitor whose web server is perceived to be “trustable”.

You’ve already lost business from anyone looking for “lonestarovernight.com”. BTW, your web page does not contain the words “Lone Star Overnight” anywhere. Obviously, like IBM, SGI, AT&T and other companies of decades past, you have pivoted to branding yourselves as “LSO”. You might communicate this to Amazon, in order to properly identify your service when they select you to perform delivery of their packages. At this time Amazon states that the courier is “Lone Star Overnight”.

The last is purely a marketing glitch, however, there are far more serious problems with your web site’s security.

You are using very weak, obsolete encryption. This makes your customers vulnerable to man-in-the-middle attacks.
You are still using 512-bit “export” grade encryption, and are potentially vulnerable to the FREAK attack.
You ARE vulnerable to the POODLE attack.
You are still using SSL version 3.0, TLSv1.0 and TLSv1.1, all of which are considered obsolete.
You do NOT support the current TLSv1.2 standard.
You are using older, vulnerable versions of the RC4 protocols.
You do not support secure renegotiation.
You do not support Forward Secrecy.

I am a highly skilled Unix Systems Administrator for a Fortune 500 company. These are BASIC items. I identified most of them using the well-regarded, and free, SSL security scanning tool from Qualys Labs (qualys.com) to review your site, the results of which can be viewed here and here. To be clear: this is NOT an attempt to extort money from you or solicit my skills to you. IT Security is a highly specialized area of IT administration and I do not possess the knowledge, skills or interest to do it justice. I am contacting you as a concerned “customer”, who regularly receives Amazon deliveries facilitated by your service. If you don’t have an IT Security expert on your staff, I would highly recommend you get in touch with an IT security consultant who can assist you with auditing your systems security and developing a remediation plan.
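As an added example (not part of the original post or anything published by LSO), the two checks described above can be scripted with Python’s standard library: whether a certificate’s names actually cover a hostname (the “*.lso.com” SAN does not cover www.lonestarovernight.com, and a wildcard covers only one label), and which protocol versions a server still accepts. The certificate dict below is constructed to mirror the names quoted in the letter; the function names are my own.

```python
"""Check that a server certificate covers a hostname (RFC 6125-style matching)
and probe which SSL/TLS protocol versions a host still accepts."""
import socket
import ssl

def cert_names(cert):
    """DNS names from the dict shape returned by ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when there is no SAN extension
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """A leading '*' covers exactly one DNS label, never the bare domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_covered(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))

def probe_tls_versions(host, port=443, timeout=5):
    """Return {version_name: True/False/None} by offering one version per handshake.
    None means the local OpenSSL will not even offer that version."""
    results = {}
    for version in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # identity is checked separately above
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, OSError):
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[version.name] = True
        except (OSError, ValueError):  # handshake refused, reset or timed out
            results[version.name] = False
    return results

# Constructed to match the names quoted in the letter; not a real captured certificate.
LSO_LIKE_CERT = {"subject": ((("commonName", "*.lso.com"),),),
                 "subjectAltName": (("DNS", "*.lso.com"), ("DNS", "lso.com"))}
```

A server that answers True for SSLv3, TLSv1 or TLSv1_1 and False for TLSv1_2 and TLSv1_3 has the protocol profile the letter describes.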

If there is no response to this message within 24 hours, I will post it publicly on a number of social media sites, to warn other potential customers that they should not use your web site.

Also, the tracking number for my recent “same day delivery” given by Amazon does not work on your site. It doesn’t even give an error that it could not be found. It simply reloads the page. Someone should probably look into that glitch on your site as well. I’m probably not the only Amazon customer awaiting a delivery who is trying to track their package.

For the record, it appears they fixed the tracking number glitch. At least as of today I am able to get the status of the package I’m waiting for. While typing this, I heard a car door outside and my delivery was on my doorstep when I checked.