Geekzone: technology news, blogs, forums
grasshoper (164 posts, Master Geek)
#128830 24-Aug-2013 23:21

Maybe I'm way off here, but I went to buy something off trademe tonight and noticed the form where I enter my credit card is unsecure... as per this pic:



Does this matter? Or am I just a noob?

(edit due to anal English police)

PeterReader (6018 posts, Uber Geek, Trusted, Geekzone, Lifetime subscriber)
#884068 24-Aug-2013 23:21

Hmmmm. Here we go.




I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.

NonprayingMantis (6434 posts, Uber Geek)
#884071 24-Aug-2013 23:26

Unsecured I think is the term you are looking for.

Insecure means to be nervous, unsure, not confident etc.

1080p (1332 posts, Uber Geek, Inactive user)
#884077 25-Aug-2013 00:15

NonprayingMantis: Unsecured I think is the term you are looking for.

Insecure means to be nervous, unsure, not confident etc.


One definition: Inadequately guarded or protected; unsafe

The words are effectively synonyms.



1080p (1332 posts, Uber Geek, Inactive user)
#884078 25-Aug-2013 00:19

I'm not able to confirm but I imagine there is some kind of sorcery that allows them to encrypt the payment information 'box' as it were.

TradeMe would be pretty silly to not encrypt their customers' personal information.

Kyanar (4089 posts, Uber Geek, ID Verified, Trusted)
#884079 25-Aug-2013 00:19

Most likely the form itself submits to a secure site, but Trademe decided not to bother encrypting the form where you enter the information. This is still very VERY poor practice, and they definitely need to fix it.

I would refuse to enter any details into the form and immediately contact Trademe with your concerns. They have no convenient way to do it, so I'd just submit it via their feedback form.

Zeon (3916 posts, Uber Geek, Trusted)
#884088 25-Aug-2013 00:34

If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)

insane (3236 posts, Uber Geek, ID Verified, Trusted)
#884094 25-Aug-2013 01:13

Zeon: If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)


Aren't they both owned by the same parent co? If so that reporter might want to sign up to Trademe Jobs.

timmmay (20574 posts, Uber Geek, Trusted, Lifetime subscriber)
#884114 25-Aug-2013 08:38

Check if there's a secure iFrame within the page. Also check the form submit tag to see if it goes to https. I'd be very very surprised if it wasn't done technically correctly, but lack of customer confidence is significant.

Showing the billing page over http isn't really a big problem so long as the submit is https, other than lack of confidence.

freitasm, BDFL - Memuneh (79250 posts, Uber Geek, Administrator, ID Verified, Trusted, Geekzone, Lifetime subscriber)
#884125 25-Aug-2013 09:30

timmmay: Showing the billing page over http isn't really a big problem so long as the submit is https, other than lack of confidence.


I will use "secure" in this context as SSL-based encrypted.

If there's no iframe then that page is insecure for reasons I will come to later, regardless of the form submission going to a secure page or not.

If the billing page is inside an iframe and the billing page inside the iframe is secure and the form submission goes to a secure page then that's ok.

If the billing page is inside an iframe and the billing page inside the iframe is not secure and the form submission goes to a secure page then it's not secure.

The reason for that is that if the billing page is not secure, the contents of this page could easily be modified by an injected script - either changing the details of where the form submission destination is, or simply copying the contents of the form when the user clicks the submission button.

This injected script could come from either malware installed on the client's computer or a transparent proxy modifying the page - remember the proxy can see the contents of any non-secure page.

So, yes, check that the billing page is secure (either if it's the original page or an iframe content) and the form submits to a secure page, otherwise it's not secure at all.

That's why I removed the login fields from all Geekzone pages and now there's a "click to login" button that redirects to our SSL-based login page.

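An added example (not Trade Me's or Geekzone's code) that turns the cases in the post above into a check: the hosting page, any iframe that carries the form, and the form's submit target all have to be HTTPS before the form can be trusted. The page HTML and hostnames below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect every form action and iframe src found in a page."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.iframe_srcs = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            # A form with no action attribute posts back to the page's own URL.
            self.form_actions.append(attr.get("action") or "")
        elif tag == "iframe":
            self.iframe_srcs.append(attr.get("src") or "")


def is_https(url):
    return urlsplit(url).scheme.lower() == "https"


def assess_billing_page(page_url, html):
    """Return the list of weak links; an empty list means every hop is HTTPS.

    A page served over plain HTTP can be altered in transit, or by malware on
    the client, before the user clicks submit, so posting to HTTPS on its own
    is not enough: the page, any iframe, and the form action must all be HTTPS.
    """
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    if not is_https(page_url):
        findings.append("page loaded over HTTP: form can be rewritten before submit")
    for src in scanner.iframe_srcs:
        if not is_https(urljoin(page_url, src)):
            findings.append("iframe loaded over HTTP: " + src)
    for action in scanner.form_actions:
        if not is_https(urljoin(page_url, action)):
            findings.append("form submits over HTTP: " + (action or "(same page)"))
    return findings


# Constructed sample: an HTTP checkout page whose form posts to HTTPS, the
# situation debated in this thread. Hostnames are placeholders.
SAMPLE_URL = "http://shop.example.invalid/pay"
SAMPLE_HTML = '<form method="post" action="https://pay.example.invalid/submit"><input name="card"></form>'
```

A document loaded inside an iframe has to be fetched and passed through the same function with its own URL, since the outer page only reveals the iframe's src.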
timmmay (20574 posts, Uber Geek, Trusted, Lifetime subscriber)
#884138 25-Aug-2013 10:12

Ah yes, XSS, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?

Still I think the whole page should be on https just to give customers confidence. People are told over and over not to enter credit card details on a page unless the little lock symbol is showing.

freitasm, BDFL - Memuneh (79250 posts, Uber Geek, Administrator, ID Verified, Trusted, Geekzone, Lifetime subscriber)
#884144 25-Aug-2013 10:35

timmmay: Ah yes, xss, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?


This is where I said "If the billing page is inside an iframe and the billing page inside the iframe is secure and the form submission goes to a secure page then that's ok."

All other cases are not ok.

timmmay: Still I think the whole page should be on https just to give customers confidence. People are told over and over not to enter credit card details on a page unless the little lock symbol is showing.


It should. The whole page, the iframe (if any) and form submission. I haven't used that for ages so I won't be able to test; the OP is the one that will have to tell us (or someone else using that page about now).

sleemanj (1490 posts, Uber Geek)
#884157 25-Aug-2013 11:06

Just had a look, not ssl secured, not in an iframe, and even worse does not appear to submit to an SSL url.

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

timmmay (20574 posts, Uber Geek, Trusted, Lifetime subscriber)
#884159 25-Aug-2013 11:21

Someone should probably point this thread out to trademe... does anyone know how to get to someone worth talking to, rather than front line customer support?

troyhunt (2 posts, Wannabe Geek, Trusted)
#884178 25-Aug-2013 12:20

Whether or not it posts over HTTPS is inconsequential; once the form is loaded over HTTP you have no confidence whatsoever in the integrity of the page - it could be posting to an attacker's site, have a keylogger embedded or be manipulated in other ways. Here's how that works: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

The payment card industry has pretty clear expectations on how this sort of data needs to be handled and this implementation definitely isn't up to scratch.




nickb800 (2715 posts, Uber Geek, Trusted)
#884192 25-Aug-2013 12:35

troyhunt: Whether or not it posts over HTTPS is inconsequential; once the form is loaded over HTTP you have no confidence whatsoever in the integrity of the page - it could be posting to an attacker's site, have a keylogger embedded or be manipulated in other ways. Here's how that works: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

The payment card industry has pretty clear expectations on how this sort of data needs to be handled and this implementation definitely isn't up to scratch.


Would this argument extend to iframes, since you can't easily see that it's an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL.
