Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 
BDFL - Memuneh
60033 posts

Uber Geek
+1 received by user: 11121

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 51260 6-Nov-2006 15:55
Send private message

Some fact checking please...

I contact Telecom New Zealand about this and got this reply:

The Telecom wireless hotspot log-in page is itself not secure, but as soon as someone enters  details and presses submit it is sent over a secure connection using SSL.

The SSL connection is really the primary precaution we take to protect the customer from things such as phishing scams.

SSL certificates are required to establish an SSL connection. These certificates are issued by Certificate Authorities or CAs, The CA, such as the well know VeriSign authority we use, take a lot of precautions to insure they only issue certificates to reputable organisations. So basically if the web site the user name and password are being submitted to (over a secure connection) has a valid certificate the user can be assured that the web site is the domain it claims to be and not some sort of  phishing scam site.


Telecom follows the same format for its  wireless hotspots as other international providers and is unaware of any such security issues to date.



I thought it was strange, so I walked to the usual Johnsonville Mall with baby and tried logging into the TNZ Hotspot service here. Although the login page itself is not encrypted, the POST page is:

[FORM name="WifiLoginForm" method="POST" action="https://auth.telecom.co.nz/live/wifi/wifilogin/WiFiLogin" onsubmit="return validate()"]

So, I think this settles the question of your login credentials being secure or not when you submit the data from a valid page. It is secure.

Still there's the problem of someone setting up a rogue Telecom New Zealand Hotspot just to collect credentials. This should be easily prevented if an encrypted page options was available.









291 posts

Ultimate Geek
+1 received by user: 5

Trusted

  Reply # 51285 6-Nov-2006 17:17
Send private message

freitasm: ...
All this for the peace of mind of knowing that people using their Xtra login on a Telecom Hotspot wouldn't have to worry about someone reading their e-mails ...


For pop3 access Xtra do have the extra-cost "Secure Remote E-mail" (SSL) service. 

 
 
 
 


Try Wrike: fast, easy, and efficient project collaboration software
BDFL - Memuneh
60033 posts

Uber Geek
+1 received by user: 11121

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 51295 6-Nov-2006 17:51
Send private message
20905 posts

Uber Geek
+1 received by user: 4103

Trusted
Subscriber

  Reply # 51388 7-Nov-2006 01:34
Send private message

freitasm:So, I think this settles the question of your login credentials being secure or not when you submit the data from a valid page. It is secure.


Still there's the problem of someone setting up a rogue Telecom New Zealand Hotspot just to collect credentials. This should be easily prevented if an encrypted page options was available.



Which is the much more likly scenario then someone simply sniffing the login page.


It is bad practise to have a form on an insecure page, because unless the person looks at the page source every time for where the form is submitting to, and for rogue javascripts that are going to change it, then they have no way to know that the login will be secure. People have been told so often to look for a padlock etc that sites actually put images of them on pages so that people feel trust. I remember an experiment some time ago which ended up that people trust a padlock on the page more then they do one in the browers toolbar which was the reason firefox went to making the whole addressbar yellow. an http page being delivered for logging in doesnt inspire that trust, and rightly so.

http://www.hackaday.com/2006/10/30/dan-kaminskys-ssl-hell/ has a geeky guy talking about it at a security conference.

[Moderator edit (bradstewart): Hyperlinked]




Richard rich.ms

1 | 2 
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

TCF and Telcos Toughen Up on Scam Callers
Posted 23-Apr-2018 09:39


Amazon launches the International Shopping Experience in the Amazon Shopping App
Posted 19-Apr-2018 08:38


Spark New Zealand and TVNZ to bring coverage of Rugby World Cup 2019
Posted 16-Apr-2018 06:55


How Google can seize Microsoft Office crown
Posted 14-Apr-2018 11:08


How back office transformation drives IRD efficiency
Posted 12-Apr-2018 21:15


iPod laws in a smartphone world: will we ever get copyright right?
Posted 12-Apr-2018 21:13


Lightbox service using big data and analytics to learn more about customers
Posted 9-Apr-2018 12:11


111 mobile caller location extended to iOS
Posted 6-Apr-2018 13:50


Huawei announces the HUAWEI P20 series
Posted 29-Mar-2018 11:41


Symantec Internet Security Threat Report shows increased endpoint technology risks
Posted 26-Mar-2018 18:29


Spark switches on long-range IoT network across New Zealand
Posted 26-Mar-2018 18:22


Stuff Pix enters streaming video market
Posted 21-Mar-2018 09:18


Windows no longer Microsoft’s main focus
Posted 13-Mar-2018 07:47


Why phone makers are obsessed with cameras
Posted 11-Mar-2018 12:25


New Zealand Adopts International Open Data Charter
Posted 3-Mar-2018 12:48



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.