Geekzone: technology news, blogs, forums
  Reply # 884199 25-Aug-2013 12:39

nickb800: Would this argument extend to iframes - since you can't easily see that it's an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL


Yep, it's exactly the same deal because you can't have confidence in the integrity of the iframe once it's been embedded in an HTTP page - how do you know it's a secure page in there and not an attacker's? Here's a demo of that too: http://www.troyhunt.com/2013/06/the-security-futility-that-is-embedding.html

  Reply # 884205 25-Aug-2013 13:52

nickb800: Would this argument extend to iframes - since you can't easily see that it's an HTTPS connection? By easily I mean that there isn't an obvious padlock next to the URL


Yeah it would, it totally negates the whole point of an SSL cert when you don't get the padlock and cert information in the address bar. You can't really expect users to go digging into code and hoping that the iframe they find is actually the one that is on screen before entering their details.




Richard rich.ms
  Reply # 884251 25-Aug-2013 17:24

Here's the link - http://secure.trademe.co.nz/Payments/secure/buynowinstant.aspx?buyNowFormAuctionId=629283000&buyNowQuantity=1

Probably need to be logged in to see it.

I don't understand enough about scripting to know if any of it is secure, but based on the comments, I'm reluctant to make the purchase now...

  Reply # 884256 25-Aug-2013 17:37

Every time I have bought on there, it has forwarded me to secure.trademe.co.nz over https, not http.

The page loads when changed to https, but having it serve unencrypted content from a host called "secure" seems a little absurd to me.





Richard rich.ms
  Reply # 884283 25-Aug-2013 19:12

insane:
Zeon: If this place is anything like gpforums there will be a Stuff reporter who will turn this into front page news and something will happen :)

Aren't they both owned by the same parent co? If so that reporter might want to sign up to Trade Me Jobs.


As far as I'm aware, Fairfax sold Trade Me after a while.

A friend who's a chief reporter at one of their papers said they don't own Trade Me now too.

I remember, in the Trade Me early years, emailing Trade Me about HTTPS/SSL because for a while they didn't secure the login either. I refused to use it until it bounced to a secure site on login, then back again.

  Reply # 884299 25-Aug-2013 20:01

Maybe their SSL certificate expired and they haven't managed to renew it yet? But still that shouldn't be an excuse because it should auto-renew?




  Reply # 884321 25-Aug-2013 20:30

It's not generating any errors when swapping to https, so I don't think that's the reason, just poor security implementation.




Richard rich.ms
  Reply # 884330 25-Aug-2013 21:10

If I try anything https://trademe.co.nz/ it just redirects to unencrypted. Login page and all.

Someone should set up an NZ branch of eBay...

  Reply # 884336 25-Aug-2013 21:18

sonyxperiageek: Maybe their SSL certificate expired and they haven't managed to renew it yet? But still that shouldn't be an excuse because it should auto-renew?


I don't believe SSL certificates can be renewed, nor auto renew. Once they expire, you have to buy a new one and install that on the server.

  Reply # 884347 25-Aug-2013 21:43
  Reply # 884389 25-Aug-2013 23:44

freitasm:
timmmay: Ah yes, xss, I haven't done much security work in a while and forgot about the whole injection thing. If there's an iFrame that's secure surely a script can't mess with the contents of the secure part?


This is where I said "If the billing page is inside an iframe and the billing page inside the iframe and the form submission goes to a secure page then that's ok."

All other cases are not ok.


This is still not OK. If you can MITM that connection, and the main page isn't over https, you can simply rewrite the URL for that iframe when your victim is fetching the main page. (And then redirect it to your own page that looks exactly like the iframe, save the data and then either show an error message or silently redirect the data they entered to the proper page)

See http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html
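The trust problem described above (an https iframe or form inside an http parent page), as an added example that is not from this thread or from Trade Me: a small Python audit that parses a page's iframes and forms and reports which ones a user could not rely on given the scheme the page itself was loaded over. The page URL, hostnames and HTML are constructed samples.

```python
# Added example (constructed sample URLs/HTML, not real Trade Me pages): audit a checkout page for iframe/form trust problems.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _EmbedCollector(HTMLParser):
    """Collect iframe src and form action attributes from page HTML."""
    def __init__(self):
        super().__init__()
        self.iframes, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            self.forms.append(a.get("action") or "")

def audit_page(page_url, html):
    """Return findings for a page fetched from page_url (empty list = clean)."""
    parser = _EmbedCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    if page_scheme != "https":
        # Anything in a plaintext page can be rewritten in transit, so the
        # iframe the user sees cannot be trusted even if its own src is https.
        findings.append("page served over %s: embedded content can be replaced in transit" % page_scheme)
    for src in parser.iframes:
        scheme = urlsplit(urljoin(page_url, src)).scheme
        if scheme != "https":
            findings.append("iframe %s loads over %s" % (src, scheme))
        elif page_scheme != "https":
            findings.append("iframe %s is https but its URL sits in an http parent" % src)
    for action in parser.forms:
        target = urljoin(page_url, action)  # empty action posts back to the page itself
        if urlsplit(target).scheme != "https":
            findings.append("form posts to %s over plaintext" % target)
    return findings

# Constructed sample: an http checkout page embedding an https billing iframe
# and a login form that posts back to the same http origin.
SAMPLE_HTML = """<html><body>
<iframe src="https://secure.example.invalid/billing"></iframe>
<form action="/login" method="post"><input name="pw"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page("http://www.example.invalid/checkout", SAMPLE_HTML):
        print(finding)
```

The same page served from an https URL with an https form action produces no findings, which is the arrangement the earlier reply called "ok".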

  Reply # 884390 25-Aug-2013 23:48

PaulBags: If I try anything https://trademe.co.nz/ it just redirects to unencrypted. Login page and all.

Someone should set up an NZ branch of eBay...


Actually, that is something I haven't paid attention to before. I always simply autofill the log in information and click log in on the main page. Is that little box that pops up encrypted at all?

I find it most disconcerting that this can be done The Right Way™ very easily but is instead made incredibly complex, not to mention confusing to non-tech folk for some odd reason by TradeMe.

  Reply # 884520 26-Aug-2013 10:31

Seems to be fixed now, unless crediting your account is different to the Buy now process... Both are on secure.trademe.co.nz


  Reply # 884542 26-Aug-2013 10:57

scowie: Seems to be fixed now, unless crediting your account is different to the Buy now process... Both are on secure.trademe.co.nz


Nope, it's a different page, you can try it here
