Trade Me unsecure?

Forums › Off topic › Trade Me unsecure?

1 | 2 | 3 | 4

2 posts

Wannabe Geek

Trusted

#884199 25-Aug-2013 12:39

nickb800:Would this argument extend to iframes - since you can't easily see that its an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL

Yep, it's exactly the same deal because you can't have confidence in the integrity of the iframe once it's been embedded in an HTTP page - how do you know it's a secure page in there and not an attacker's? Here's a demo of that too: http://www.troyhunt.com/2013/06/the-security-futility-that-is-embedding.html

troyhunt.com

richms

28178 posts

Uber Geek

Trusted

Lifetime subscriber

#884205 25-Aug-2013 13:52

nickb800:

Would this argument extend to iframes - since you can't easily see that its an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL

Yeah it would, it totally negates the whole point of a SSL cert when you dont get the padlock and cert information in the address bar. You cant really expect users to go digging into code and hoping that the iframe they find is actually the one that is onscreen before entering their details.

Richard rich.ms

grasshoper

164 posts

Master Geek

#884251 25-Aug-2013 17:24

heres the link - http://secure.trademe.co.nz/Payments/secure/buynowinstant.aspx?buyNowFormAuctionId=629283000&buyNowQuantity=1

Probably need to be logged in to see it.

I don't understand enough about scripting to know if any of it is secure, but based on the comments, i'm reluctant to make the purchase now...

richms

28178 posts

Uber Geek

Trusted

Lifetime subscriber

#884256 25-Aug-2013 17:37

Everytime I have bought on there, it has forwarded me to secure.trademe.co.nz over https, not http.

The page loads when changed to https, but having it serve unencrypted content from a host called "secure" seems a little absurd to me.

Richard rich.ms

kiwirock

685 posts

Ultimate Geek

#884283 25-Aug-2013 19:12

insane:
Zeon: If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)

Arent they both owned by the same parent co? If so that reporter might want to sign up to trademe jobs.

As far as I'm aware, Fairfax sold Trade Me after a while.

A friend who's a chief reporter at one of their papers said they don't own Trade Me now too.

I remember in the Trade me early years, and emailing Trade Me about HTTPS/SSL because for a while, they didn't secure the log in either. I refused to use it until it bounced to a secure site on log in then back again.

sonyxperiageek

2959 posts

Uber Geek

Trusted

#884299 25-Aug-2013 20:01

Maybe their SSL certificate expired and they haven't managed to renew it yet? But still that shouldn't be an excuse because it should auto-renew?

Sony

richms

28178 posts

Uber Geek

Trusted

Lifetime subscriber

#884321 25-Aug-2013 20:30

Its not generating any errors when swapping to https so I dont think that's the reason, just poor security implimentation

Richard rich.ms

Sharesies kids

Free kids accounts - trade shares and funds (NZ, US) with Sharesies (affiliate link).

PaulBags

809 posts

Ultimate Geek
Inactive user

#884330 25-Aug-2013 21:10

If I try anything https://trademe.co.nz/ it just redirects to unencrypted. Login page and all.

Someone should set up an NZ branch of eBay...

mattwnz

20157 posts

Uber Geek

#884336 25-Aug-2013 21:18

sonyxperiageek: Maybe their SSL certificate expired and they haven't managed to renew it yet? But still that shouldn't be an excuse because it should auto-renew?

I don't believe SSL certificates can be renewed, nor auto renew. Once they expire, you have to buy a new one and install that on the server.

sonyxperiageek

2959 posts

Uber Geek

Trusted

#884347 25-Aug-2013 21:43

Oh, ok.

Sony

kyhwana2

2566 posts

Uber Geek

#884389 25-Aug-2013 23:44

freitasm:
timmmay: Ah yes, xss, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?

This is where I said "If the billing page is inside an iframe and the billing page inside the iframe and the form submission goes to a secure page then that's ok."

All other cases are not ok.

This is still not OK. If you can MITM that connection, and the main page isn't over https, you can simply rewrite the URL for that iframe when your victim is fetching the main page. (And then redirect it to your own page that looks exactly like the iframe, save the data and then either show an error message or silently redirect the data they entered to the proper page)

See http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

1080p

1332 posts

Uber Geek
Inactive user

#884390 25-Aug-2013 23:48

PaulBags: If I try anything https://trademe.co.nz/ it just redirects to unencrypted. Login page and all.

Someone should set up an NZ branch of eBay...

Actually, that is something I haven't paid attention to before. I always simply autofill the log in information and click log in on the main page. Is that little box that pops up encrypted at all?

I find it most disconcerting that this can be done The Right Way™ very easily but is instead made incredibly complex, not to mention confusing to non-tech folk for some odd reason by TradeMe.