Since 2010

NAB login

Here’s the personal banking login page for NAB, one of the major banks in Australia:


Simple: a bit of branding, username and password fields, plus some decoration. It’s not a single-page webapp or anything, just a bog standard HTML form that results in a regular POST.

But man is it a trainwreck behind the scenes:


  • Hitting “Login” on NAB’s homepage opens the login page in a new, full screen, toolbar-less page. Try it on a 27-inch monitor…
  • Transfers over 1.3MB, including 10 individual CSS responses and 41 JavaScript responses (accounting for 1MB of the bandwidth). Forty one! For a dumb login page!
  • Sets a kick-in-the-pants away from 100 individual cookies

Oh, and they ask permission to track your physical location. I didn’t bother to find out whether NAB were asking or one of the dozens of other domains involved.

How does this happen? And how does it not get fixed? It’s been like this for years. I’d be ashamed of delivering something like this to customers, not because it really matters, but because of the negative message it sends about the level of care NAB puts into it’s customer-facing products.

Trained barista's


Spotted on the back of a Husdons Coffee takeway cup:

Your choice of blend is hand crafted in your cup by our trained barista’s putting ‘a little love in every drop’.

That apostrophe in “barista’s” is wrong, right? I’m 98% sure it shouldn’t be there. It fails all the usual rules - no letters are omitted and nobody owns the “putting”. That 2% is because I can’t believe that none of the dozens of people involved in conceiving, designing, approving, manufacturing, and distributing this for a national coffee chain didn’t pick up on it.


Jerry Hildenbrand at iMore:

Some companies who make routers are much like some companies who make Android phones: any desire to support the product stops when your money reaches their bank.


I’ve just setup HTTPS and HTTP/2 for, thanks to Let’s Encrypt. Apart from the familiar padlock somewhere in your browser’s interface, nobody should notice any difference - any requests for and should be redirected to

I’ve been using Let’s Encrypt on some of my less-public servers pretty much since day 1 of their beta program, and it’s a game-changing service. Their toolchain is top-notch as well, and strikes a great balance between preserving existing configuration, and making it easy to see what is modified.

They’ve got some good stuff in the pipeline as well - wildcard certificates will be an awesome addition.