Geekzone: technology news, blogs, forums
Topic # 128830 24-Aug-2013 23:21

Maybe I'm way off here, but I went to buy something off trademe tonight and noticed the form where I enter my credit card is unsecure... as per this pic:



Does this matter? Or am I just a noob?

(edit due to anal english police)

  Reply # 884068 24-Aug-2013 23:21

Hmmmm. Here we go.




I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.


  Reply # 884071 24-Aug-2013 23:26

Unsecured I think is the term you are looking for.

Insecure means to be nervous, unsure, not confident etc.

  Reply # 884077 25-Aug-2013 00:15

NonprayingMantis: Unsecured I think is the term you are looking for.

Insecure means to be nervous, unsure, not confident etc.


One definition: Inadequately guarded or protected; unsafe

The words are effectively synonyms.

  Reply # 884078 25-Aug-2013 00:19

I'm not able to confirm but I imagine there is some kind of sorcery that allows them to encrypt the payment information 'box' as it were.

TradeMe would be pretty silly to not encrypt their customers' personal information.

  Reply # 884079 25-Aug-2013 00:19
2 people support this post

Most likely the form itself submits to a secure site, but Trademe decided not to bother encrypting the form where you enter the information. This is still very VERY poor practice, and they definitely need to fix it.

I would refuse to enter any details into the form and immediately contact Trademe with your concerns. They have no convenient way to do it, so I'd just submit it via their feedback form.

  Reply # 884088 25-Aug-2013 00:34
One person supports this post

If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)





  Reply # 884094 25-Aug-2013 01:13

Zeon: If this place is anything like gpforums there will be a stuff reporter who will turn this into front page news and something will happen :)


Aren't they both owned by the same parent co? If so, that reporter might want to sign up to Trademe Jobs.

  Reply # 884114 25-Aug-2013 08:38

Check if there's a secure iFrame within the page. Also check the form submit tag to see if it goes to https. I'd be very very surprised if it wasn't done technically correctly, but lack of customer confidence is significant.

Showing the billing page over http isn't really a big problem so long as the submit is https, other than lack of confidence.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


  Reply # 884125 25-Aug-2013 09:30
2 people support this post

timmmay: Showing the billing page over http isn't really a big problem so long as the submit is https, other than lack of confidence.


I will use "secure" in this context as SSL-based encrypted.

If there's no iframe then that page is insecure for reasons I will come to later, regardless of the form submission going to a secure page or not.

If the billing page is inside an iframe and the billing page inside the iframe and the form submission goes to a secure page then that's ok.

If the billing page is inside an iframe and the billing page inside the iframe is not secure and the form submission goes to a secure page then it's not secure.

The reason for that is because in case the billing page is not secure the contents of this page could be easily modified by an injected script - either changing the details of where the form submission destination is, or simply copying the contents of the form when the user clicks the submission button.

This injected script could come from either malware installed on the client's computer or a transparent proxy modifying the page - remember the proxy can see the contents of any non-secure page.

So, yes, check that the billing page is secure (either if it's the original page or an iframe content) and the form submits to a secure page, otherwise it's not secure at all.

That's why I removed the login fields from all Geekzone pages and now there's a "click to login" button that redirects to our SSL-based login page.
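The checks timmmay and freitasm describe (is the document holding the card form served over HTTPS, and does the form action go to HTTPS) can be scripted as a read-only audit of fetched markup. This is an added example, not code from the thread or from TradeMe; the page URL and HTML below are constructed, and the iframe handling assumes the caller has separately fetched the frame's body.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormScanner(HTMLParser):
    """Collect form action and iframe src URLs, resolved against the page URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions, self.iframe_srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # an empty or missing action posts back to the page itself
            self.form_actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(urljoin(self.page_url, a["src"]))

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def audit(page_url, page_html, frame_html=None):
    """Return findings; an empty list means the page passes the thread's rules:
    the document holding the card form (top level, or the first iframe whose
    fetched body is frame_html) must be HTTPS, and so must the form's action."""
    top = FormScanner(page_url)
    top.feed(page_html)
    if top.form_actions:                                  # form sits in the page itself
        host_url, actions = page_url, top.form_actions
    elif top.iframe_srcs and frame_html is not None:      # form sits in an iframe
        host_url = top.iframe_srcs[0]
        frame = FormScanner(host_url)
        frame.feed(frame_html)
        actions = frame.form_actions
    else:
        return ["no card form found in the page or a fetched iframe"]
    findings = []
    if not is_https(host_url):
        findings.append(f"form loaded over {urlsplit(host_url).scheme}: {host_url}")
    findings += [f"form submits over {urlsplit(a).scheme}: {a}" for a in actions if not is_https(a)]
    return findings

# Constructed sample markup (not TradeMe's real page): the "posts to HTTPS but
# loaded over HTTP" case the thread argues is still unsafe.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = '<form method="post" action="https://pay.example/submit"><input name="card"></form>'

if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML) or ["no findings"]:
        print(finding)
```

A relative action such as `/pay` is resolved against the URL of the document that contains the form, so a form inside an HTTPS iframe on an HTTP page is judged by the iframe's scheme, as freitasm's rules require.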





  Reply # 884138 25-Aug-2013 10:12

Ah yes, xss, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?

Still I think the whole page should be on https just to give customers confidence. People are told over and over not to enter credit card details on a page unless the little lock symbol is showing.






  Reply # 884144 25-Aug-2013 10:35

timmmay: Ah yes, xss, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?


This is where I said "If the billing page is inside an iframe and the billing page inside the iframe and the form submission goes to a secure page then that's ok."

All other cases are not ok.

timmmay: Still I think the whole page should be on https just to give customers confidence. People are told over and over not to enter credit card details on a page unless the little lock symbol is showing.


It should. The whole page, the iframe (if any) and form submission. I haven't used that for ages so I won't be able to test; the OP is the one that will have to tell us (or someone else using that page about now).







  Reply # 884157 25-Aug-2013 11:06

Just had a look, not ssl secured, not in an iframe, and even worse does not appear to submit to an SSL url.




---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


  Reply # 884159 25-Aug-2013 11:21

Someone should probably point this thread out to trademe... does anyone know how to get to someone worth talking to, rather than front line customer support?






  Reply # 884178 25-Aug-2013 12:20
3 people support this post

Whether or not it posts over HTTPS is inconsequential; once the form is loaded over HTTP you have no confidence whatsoever in the integrity of the page - it could be posting to an attacker's site, have a keylogger embedded or be manipulated in other ways. Here's how that works: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

The payment card industry has pretty clear expectations on how this sort of data needs to be handled and this implementation definitely isn't up to scratch.




  Reply # 884192 25-Aug-2013 12:35

troyhunt: Whether or not it posts over HTTPS is inconsequential; once the form is loaded over HTTP you have no confidence whatsoever in the integrity of the page - it could be posting to an attacker's site, have a keylogger embedded or be manipulated in other ways. Here's how that works: http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html

The payment card industry has pretty clear expectations on how this sort of data needs to be handled and this implementation definitely isn't up to scratch.


Would this argument extend to iframes, since you can't easily see that it's an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL.
