Geekzone: technology news, blogs, forums


1985 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

Topic # 148815 1-Jul-2014 16:47

Air NZ site (similar to the Trade Me thread) is unencrypted, so this I have stopped using. Challenge now is, I'm on hold on the phone line, is it just me or is IT going backwards?

5481 posts

Uber Geek
+1 received by user: 240

Trusted
Geekzone
Lifetime subscriber

  Reply # 1078061 1-Jul-2014 16:47

Hmmmm. Here we go.




I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.



gzt

9741 posts

Uber Geek
+1 received by user: 1452


  Reply # 1078078 1-Jul-2014 17:09

Credit card payments are not encrypted?

976 posts

Ultimate Geek
+1 received by user: 148

UberGroup

  Reply # 1078082 1-Jul-2014 17:14



Looks fine here




Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

1460 posts

Uber Geek
+1 received by user: 460

Trusted

  Reply # 1078085 1-Jul-2014 17:18

all of the important bits are encrypted, what is the point of this thread?






1985 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

  Reply # 1078090 1-Jul-2014 17:20

OneSmart, debit card so one is even more apprehensive than normal because once you're hit you're screwed because they simply don't care.




1985 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

  Reply # 1078091 1-Jul-2014 17:22

l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.



1985 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

  Reply # 1078102 1-Jul-2014 17:28

Should have been a question rather than a grumble. You can get an encrypted page for OneSmart here https://www.onesmart.co.nz/ (not the site on the activation sticker on your card).

2265 posts

Uber Geek
+1 received by user: 360

Trusted
Subscriber

  Reply # 1078110 1-Jul-2014 17:42

So really they just need to set up a http to https redirect on their load balancers

gzt

9741 posts

Uber Geek
+1 received by user: 1452


  Reply # 1078116 1-Jul-2014 17:52

lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.

3137 posts

Uber Geek
+1 received by user: 877

Trusted

  Reply # 1078120 1-Jul-2014 17:56
One person supports this post

I think this thread is fair enough TBH.  Going to https://www.airnewzealand.co.nz/onesmart actually redirects you from https TO http :?   so the sign in then looks like the following. It does ultimately POST over https but still seems like pretty poor form from the point of view of educating users...




1985 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

  Reply # 1078127 1-Jul-2014 18:10

gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.

Meow
7375 posts

Uber Geek
+1 received by user: 3542

Moderator
Trusted
Lifetime subscriber

  Reply # 1078138 1-Jul-2014 18:41

In terms of bad things happening for using this site, you have more of a chance of getting hax0red for your use of Internet Explorer.




21023 posts

Uber Geek
+1 received by user: 4156

Trusted
Subscriber

  Reply # 1078155 1-Jul-2014 18:56

lyonrouge:
I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Yes, but that can be replaced with any form by a MITM attack, and it makes paying for a fancy cert with the green thing at the top pointless as people can't see it when entering their details.




Richard rich.ms

gzt

9741 posts

Uber Geek
+1 received by user: 1452


  Reply # 1078157 1-Jul-2014 19:03
One person supports this post

lyonrouge:
gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Summary. If a page is https secured (padlock) then any browser should warn if you attempt to submit a username/password via insecure http. I believe all major browsers will warn.

If the page is http (no padlock) then the browser cannot know that you expected a secure submission and therefore cannot warn. In that scenario a user has no protection from a 'potential' insecure submission. Ie; In an entirely hypothetical (and unbelievable) case where the AirNZ webdevs left the 's' off the https for that form.

I also believe most major browsers will warn if a page contains mixed content.

Browser developers have been slowly tightening policies on this kind of stuff over many years dragging the web along behind them. At one time browser users could choose to suppress warnings but I'm unsure if this is still the case.

I googled around for a browser test page but nothing obvious appeared.

gzt

9741 posts

Uber Geek
+1 received by user: 1452


  Reply # 1078173 1-Jul-2014 19:25

Found some test pages for the mixed content side of things. It is still very much a current issue. Here's a current article explaining the issues.

Test page: https://www.ssllabs.com/ssltest/viewMyClient.html

The test page did not trigger a mixed content browser warning on my Chrome(OSX).
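
Added example (not part of any post in this thread): a small Python audit for the conditions the replies above discuss, namely an https-to-http redirect before the sign-in page, a password form served on an http page even though it POSTs to https, a password form that submits to http, and mixed content on an https page. The sample pages and the example.test hosts are constructed for illustration and are not the real site's markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def scheme(url):
    return urlsplit(url).scheme.lower()

class PageScan(HTMLParser):
    """Collects password-form targets and sub-resource URLs from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.action = page_url, None
        self.password_targets, self.subresources = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.action and self.action not in self.password_targets:
                self.password_targets.append(self.action)
        elif tag in ("script", "iframe", "img") and a.get("src"):
            self.subresources.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit_login_page(page_url, html, redirect_chain=()):
    """Return (finding, url) pairs; redirect_chain lists URLs visited before page_url."""
    scan = PageScan(page_url)
    scan.feed(html)
    findings = []
    hops = list(redirect_chain) + [page_url]
    for prev, nxt in zip(hops, hops[1:]):
        if scheme(prev) == "https" and scheme(nxt) == "http":
            findings.append(("redirect-downgrade", nxt))
    for target in scan.password_targets:
        if scheme(target) != "https":
            findings.append(("insecure-submit", target))    # password leaves in clear text
        elif scheme(page_url) != "https":
            findings.append(("form-on-http-page", target))  # form markup is unauthenticated
    if scheme(page_url) == "https":
        findings += [("mixed-content", u) for u in scan.subresources if scheme(u) == "http"]
    return findings

# Constructed sample pages (hypothetical example.test hosts).
HTTP_PAGE = '<form action="https://secure.example.test/signin"><input type="password" name="p"></form>'
HTTPS_PAGE = ('<script src="http://cdn.example.test/a.js"></script>'
              '<form action="http://www.example.test/signin"><input type=password name=p></form>')
```

The "form-on-http-page" finding is the case raised earlier in the thread: the POST target is https, but the page carrying the form arrived unauthenticated, so the user has no padlock to check before typing.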
