



1990 posts

Uber Geek

Trusted
Lifetime subscriber

#148815 1-Jul-2014 16:47

Air NZ site (similar to the trade me thread) is unencrypted, so this I have stopped using. Challenge now is, I'm on hold on the phone line, is it just me or is IT going backwards?

5795 posts

Uber Geek

Trusted
Geekzone
Lifetime subscriber

  #1078061 1-Jul-2014 16:47

Hmmmm. Here we go.




I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.



gzt

11181 posts

Uber Geek

Lifetime subscriber

  #1078078 1-Jul-2014 17:09

Credit card payments are not encrypted?

 
 
 
 


1257 posts

Uber Geek


  #1078082 1-Jul-2014 17:14



Looks fine here




Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

1572 posts

Uber Geek

Trusted

  #1078085 1-Jul-2014 17:18

all of the important bits are encrypted, what is the point of this thread?







1990 posts

Uber Geek

Trusted
Lifetime subscriber

  #1078090 1-Jul-2014 17:20

OneSmart, debit card so one is even more apprehensive than normal because once you're hit you're screwed because they simply don't care.




1990 posts

Uber Geek

Trusted
Lifetime subscriber

  #1078091 1-Jul-2014 17:22

l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.



1990 posts

Uber Geek

Trusted
Lifetime subscriber

  #1078102 1-Jul-2014 17:28

Should have been a question rather than a grumble. You can get an encrypted page for OneSmart here https://www.onesmart.co.nz/ (not the site on the activation sticker on your card).

 
 
 
 


2415 posts

Uber Geek

Trusted
Subscriber

  #1078110 1-Jul-2014 17:42

So really they just need to set up a http to https redirect on their load balancers

gzt

11181 posts

Uber Geek

Lifetime subscriber

  #1078116 1-Jul-2014 17:52

lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.

3414 posts

Uber Geek

Trusted

  #1078120 1-Jul-2014 17:56
One person supports this post

I think this thread is fair enough TBH.  Going to https://www.airnewzealand.co.nz/onesmart actually redirects you from https TO http :?   so the sign in then looks like the following. It does ultimately POST over https but still seems like pretty poor form from the point of view of educating users...
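
The redirect behaviour described in the post above can be checked mechanically. This is an added example, not part of the original thread: it walks a recorded redirect chain, flags any HTTPS to HTTP downgrade, and checks the final response for HSTS. The hosts and responses in `SAMPLE` are constructed placeholders, not captures from the site under discussion.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed responses keyed by URL: (status, headers). Placeholder hosts.
SAMPLE = {
    "https://shop.example/card": (302, {"Location": "http://shop.example/card/"}),
    "http://shop.example/card/": (200, {"Content-Type": "text/html"}),
    "http://good.example/card": (301, {"Location": "https://good.example/card"}),
    "https://good.example/card": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}

def audit_redirects(start_url, responses, max_hops=10):
    """Follow a recorded redirect chain; return (final_url, findings)."""
    findings, url, seen = [], start_url, set()
    while True:
        status, headers = responses[url]
        headers = {k.lower(): v for k, v in headers.items()}
        seen.add(url)
        if status not in REDIRECTS or "location" not in headers:
            break
        nxt = urljoin(url, headers["location"])  # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            findings.append(f"downgrade: {url} -> {nxt}")
        if nxt in seen or len(seen) >= max_hops:
            findings.append("redirect loop or too many hops")
            break
        url = nxt
    if urlsplit(url).scheme != "https":
        # The sign-in form itself arrives unauthenticated and unencrypted.
        findings.append(f"final page is not HTTPS: {url}")
    elif "strict-transport-security" not in headers:
        findings.append(f"no HSTS header on {url}")
    return url, findings
```
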




1990 posts

Uber Geek

Trusted
Lifetime subscriber

  #1078127 1-Jul-2014 18:10

gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.

/dev/null
9152 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #1078138 1-Jul-2014 18:41

In terms of bad things happening for using this site, you have more of a chance of getting hax0red for your use of Internet Explorer.




23073 posts

Uber Geek

Trusted
Subscriber

  #1078155 1-Jul-2014 18:56

lyonrouge:
I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Yes, but that can be replaced with any form by a MITM attack, and it makes paying for a fancy cert with the green thing at the top pointless as people can't see it when entering their details.




Richard rich.ms

gzt

11181 posts

Uber Geek

Lifetime subscriber

  #1078157 1-Jul-2014 19:03
One person supports this post

lyonrouge:
gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Summary. If a page is https secured (padlock) then any browser should warn if you attempt to submit a username/password via insecure http. I believe all major browsers will warn.

If the page is http (no padlock) then the browser cannot know that you expected a secure submission and therefore cannot warn. In that scenario a user has no protection from a 'potential' insecure submission. I.e., in an entirely hypothetical (and unbelievable) case where the AirNZ webdevs left the 's' off the https for that form.

I also believe most major browsers will warn if a page contains mixed content.

Browser developers have been slowly tightening policies on this kind of stuff over many years dragging the web along behind them. At one time browser users could choose to suppress warnings but I'm unsure if this is still the case.

I googled around for a browser test page but nothing obvious appeared.
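
The three cases summarised in the post above (a login form on an HTTP page posting to HTTPS, an HTTPS page posting to HTTP, and mixed content on an HTTPS page) can be told apart from the page source. This is an added example, not part of the original thread: a small auditor that resolves each password form's action against the page URL and classifies it. The finding labels and the sample pages are constructed for illustration, with placeholder hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAudit(HTMLParser):
    """Collect login forms and http:// subresources from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.http_subresources = page_url, [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._form = {"action": target, "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True
        elif tag in ("script", "img", "iframe") and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            if urlsplit(src).scheme == "http":
                self.http_subresources.append(src)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_page(page_url, html):
    """Return (finding, url) pairs for a page fetched from page_url."""
    parser = FormAudit(page_url)
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        if urlsplit(form["action"]).scheme != "https":
            findings.append(("cleartext-submit", form["action"]))
        elif not page_https:
            # Submission is encrypted, but the form arrived unauthenticated.
            findings.append(("form-served-over-http", form["action"]))
    if page_https:
        findings += [("mixed-content", s) for s in parser.http_subresources]
    return findings

# Constructed pages; hosts are placeholders.
HTTP_LOGIN = '<form action="https://login.example/signin" method="post"><input type="password" name="p"></form>'
HTTPS_BAD = '<script src="http://cdn.example/a.js"></script><form action="http://login.example/signin"><input type="password" name="p"></form>'
HTTPS_OK = '<form action="/signin" method="post"><input type="password" name="p"></form>'
```

The `form-served-over-http` case is the one the thread is about: the POST is encrypted, but nothing authenticates the page that carried the form.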

gzt

11181 posts

Uber Geek

Lifetime subscriber

  #1078173 1-Jul-2014 19:25

Found some test pages for the mixed content side of things. It is still very much a current issue. Here's a current article explaining the issues.

Test page: https://www.ssllabs.com/ssltest/viewMyClient.html

The test page did not trigger a mixed content browser warning on my Chrome(OSX).
