Geekzone: technology news, blogs, forums




1982 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

Topic # 148815 1-Jul-2014 16:47

Air NZ site (similar to the trade me thread) is unencrypted, so this I have stopped using. Challenge now is, I'm on hold on the phone line, is it just me or is IT going backwards?

5395 posts

Uber Geek
+1 received by user: 229

Trusted
Geekzone
Subscriber

  Reply # 1078061 1-Jul-2014 16:47

Hmmmm. Here we go.




I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.



gzt

9161 posts

Uber Geek
+1 received by user: 1291


  Reply # 1078078 1-Jul-2014 17:09

Credit card payments are not encrypted?

 
 
 
 


956 posts

Ultimate Geek
+1 received by user: 138

UberGroup

  Reply # 1078082 1-Jul-2014 17:14



Looks fine here




Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

1434 posts

Uber Geek
+1 received by user: 433

Trusted

  Reply # 1078085 1-Jul-2014 17:18

all of the important bits are encrypted, what is the point of this thread?






1982 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

  Reply # 1078090 1-Jul-2014 17:20

OneSmart, debit card so one is even more apprehensive than normal because once you're hit you're screwed because they simply don't care.




1982 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

  Reply # 1078091 1-Jul-2014 17:22

l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.



1982 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

  Reply # 1078102 1-Jul-2014 17:28

Should have been a question rather than a grumble. You can get an encrypted page for OneSmart here https://www.onesmart.co.nz/ (not the site on the activation sticker on your card).

2242 posts

Uber Geek
+1 received by user: 353

Trusted
Subscriber

  Reply # 1078110 1-Jul-2014 17:42

So really they just need to set up a http to https redirect on their load balancers

gzt

9161 posts

Uber Geek
+1 received by user: 1291


  Reply # 1078116 1-Jul-2014 17:52

lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.

3079 posts

Uber Geek
+1 received by user: 845

Trusted

  Reply # 1078120 1-Jul-2014 17:56
One person supports this post

I think this thread is fair enough TBH.  Going to https://www.airnewzealand.co.nz/onesmart actually redirects you from https TO http :?   so the sign in then looks like the following. It does ultimately POST over https but still seems like pretty poor form from the point of view of educating users...




1982 posts

Uber Geek
+1 received by user: 19

Trusted
Subscriber

  Reply # 1078127 1-Jul-2014 18:10

gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.

6851 posts

Uber Geek
+1 received by user: 3163

Moderator
Trusted
Subscriber

  Reply # 1078138 1-Jul-2014 18:41

In terms of bad things happening for using this site, you have more of a chance of getting hax0red for your use of Internet Explorer.




Michael Murphy | https://murfy.nz


20439 posts

Uber Geek
+1 received by user: 3901

Trusted
Subscriber

  Reply # 1078155 1-Jul-2014 18:56

lyonrouge:
I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Yes, but that can be replaced with any form by a MITM attack, and it makes paying for a fancy cert with the green thing at the top pointless as people can't see it when entering their details.




Richard rich.ms

gzt

9161 posts

Uber Geek
+1 received by user: 1291


  Reply # 1078157 1-Jul-2014 19:03
One person supports this post

lyonrouge:
gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Summary. If a page is https secured (padlock) then any browser should warn if you attempt to submit a username/password via insecure http. I believe all major browsers will warn.

If the page is http (no padlock) then the browser cannot know that you expected a secure submission and therefore cannot warn. In that scenario a user has no protection from a 'potential' insecure submission. Ie; In an entirely hypothetical (and unbelievable) case where the AirNZ webdevs left the 's' off the https for that form.

I also believe most major browsers will warn if a page contains mixed content.

Browser developers have been slowly tightening policies on this kind of stuff over many years dragging the web along behind them. At one time browser users could choose to suppress warnings but I'm unsure if this is still the case.

I googled around for a browser test page but nothing obvious appeared.

gzt

9161 posts

Uber Geek
+1 received by user: 1291


  Reply # 1078173 1-Jul-2014 19:25

Found some test pages for the mixed content side of things. It is still very much a current issue. Here's a current article explaining the issues.

Test page: https://www.ssllabs.com/ssltest/viewMyClient.html

The test page did not trigger a mixed content browser warning on my Chrome(OSX).
