In our second episode of Tech giants using the tech wrong series, here’s a technological comparison between Boring and Airbus corporate websites with an increased accent on Boeing. Taken in the context of Boeing’s 737 MAX groundings, it might give some leads on:
- Whether you should be flying an airplane developed by a company who can’t even manage to build a website that supports modern & secure technologies
- Whether you should be buying a stock of an airline company which uses low paid workers for their IT tasks
Anyone can do the same lookups I did below. It doesn’t involve any hacking as the information about the software used / development level is obvious from the publicly accessible information. It may be not so obvious for less technical people. But I put it out in one concise page, so you get a real, not opinionated overview on which company is of a more mess. Why?
Failing to manage an IT artifact like corporate website, clearly shows overall management failure to keep all the pieces of a company together in a good shape. By looking at one area of operation, you can make conclusions on the overall health of operation for a given company.
In the overview below you can clearly see that it is highly likely that Boeing uses low paid, least technical developers and engineers for their corporate website.
The Boeing website does not enforce TLS encryption:
It also fails to load all assets using secure protocol when using it. A classic mixed TLS content issue:
While someone could argue that no classified information is to be transferred while accessing the website, this is outrageous for a company the size of Boeing and poses its own risks. For example, the ability for interested “man in the middle” players to substitute an authentic version of the website with the version of their choosing.
And it wouldn’t be hard to do so: clicking the “Read more” as seen the screenshot, leads to mediaroom website, where logo is linked back to insecure
All of us, mortal folks, setup NGINX with latest OpenSSL to make use of TLS 1.3, and some are even breaking their bones while doing it.
But not Boeing. They can’t even get the certificate installed properly!
This server’s certificate chain is incomplete.
Forget about HTTP/2 with Boeing website. It’s the year 2019 and the majority of browsers support the new faster protocol.
But who needs those pesky multiplexed connections that it provides?
It is questionable why for a largely static website, Boeing is using heavy Java-based software and load balancer.
In fact, the search is the only apparent dynamic function on the site.
The software, as well it’s version are well advertised using HTTP headers:
Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=AC62E5442BE9E6B90D4C11BF42CF3ED6; Path=/
Apparently, Boeing does very little to cache things on a highly static Java-based website, so they need a load balancer:
$ host www.boeing.com www.boeing.com is an alias for www.lb.boeing.com. www.lb.boeing.com has address 220.127.116.11 www.lb.boeing.com has address 18.104.22.168 www.lb.boeing.com has address 22.214.171.124
I could see why they might need it – search. However, checking the homepage with two consequitve requests indicates no full page caching is done on the server side:
Set-Cookie: JSESSIONID=01E75A221FE0A03DD0246EA0924316BF; Path=/ Set-Cookie: JSESSIONID=B0D2DB7C9577C6D52A148B253953875D; Path=/
As you see, it starts a new session every time, so Java is invoked upon each request. The conclusion is that much of the load balancing stuff is a mere attempt to compensate for the lack of something as trivial as full page cache.
How it looks like in a simple analogy: you need to go to the grocery to buy some food, because the fridge is empty. But it starts raining. Instead of taking an umbrella and walking to buy your stuff, you take a shovel, walk out in the rain and start digging an underground tunnel from your house to the grocery store. All while getting wet.
Would you do that? Ridiculous but pretty much close to what’s happening there and what Boeing does.
There is a beast of the web infrastructure that is serving Boeing’s corporate website, while they could just use a good umbrella (Varnish).
And possibly spend all that money they spend on many servers, towards paying more qualified engineers working on buggy MCAS software.
www.boeing.com resolves to a set of IPs which are located exclusively in the US. Again, a corporation the size of Boeing unable to set up a simple CDN? It’s either huge negligence or a bad attitude, either is very wrong.
In comparison, Airbus does use a commercial Incapsula CDN, and it behaves well, as far as supporting conditional GET requests for page themselves (full page cache is there).
We surely can’t get into either website’s interpreted code to peek how well they are coded. But we can examine their HTML output.
Airbus website has large chunks of whitespace. What’s going there?
This goes on through the entire page. It’s a waste of bytes transferred and shows that the code behind it is a mess too. Comments are not stripped.
Boeing does better with the redundant whitespaces, but it does not strip HTML comments either.
What it does have is invalid HTML:
That just gives you an idea on lack of automation and continuous integration while deploying the website – at least there are no any checks whether the deployed code will produce a valid HTML. I’m not talking about some page in the depths of the site structure. This is the homepage.
Sure enough, there’s a lot more we can dig in and results maybe furthermore unpleasant to look at. This is the tip of an iceberg, and you only start looking at it when it bothers you that you’re about to use it for flying.
All these faulty areas are very easy to be noticed and fixed by competent engineers but have been present there for years.
Even these issues will likely get fixed in the near future, especially after being brought to attention, all this clearly shows the overall tech attitude of a company. The attitude that might stay with the companies for years to come.