Geekzone: technology news, blogs, forums


lyonrouge

#148815 1-Jul-2014 16:47

Air NZ site (similar to the trade me thread) is unencrypted, so this I have stopped using. Challenge now is, I'm on hold on the phone line, is it just me or is IT going backwards?

PeterReader
#1078061 1-Jul-2014 16:47

Hmmmm. Here we go.




I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.

 





gzt

#1078078 1-Jul-2014 17:09

Credit card payments are not encrypted?

Beccara
#1078082 1-Jul-2014 17:14



Looks fine here




Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated



l43a2
#1078085 1-Jul-2014 17:18

all of the important bits are encrypted, what is the point of this thread?





lyonrouge

#1078090 1-Jul-2014 17:20

OneSmart, debit card so one is even more apprehensive than normal because once you're hit you're screwed because they simply don't care.


lyonrouge

#1078091 1-Jul-2014 17:22

l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

 
 
 

lyonrouge

#1078102 1-Jul-2014 17:28

Should have been a question rather than a grumble. You can get an encrypted page for OneSmart here https://www.onesmart.co.nz/ (not the site on the activation sticker on your card).

insane
#1078110 1-Jul-2014 17:42

So really they just need to set up a http to https redirect on their load balancers

gzt

#1078116 1-Jul-2014 17:52

lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.

sidefx
#1078120 1-Jul-2014 17:56

I think this thread is fair enough TBH.  Going to https://www.airnewzealand.co.nz/onesmart actually redirects you from https TO http :?   so the sign in then looks like the following. It does ultimately POST over https but still seems like pretty poor form from the point of view of educating users...





"I was born not knowing and have had only a little time to change that here and there."         | Octopus Energy | Sharesies
              - Richard Feynman


lyonrouge

#1078127 1-Jul-2014 18:10

gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.

 
 
 

michaelmurfy
#1078138 1-Jul-2014 18:41

In terms of bad things happening for using this site, you have more of a chance of getting hax0red for your use of Internet Explorer.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


richms
#1078155 1-Jul-2014 18:56

lyonrouge:
I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Yes, but that can be replaced with any form by a MITM attack, and it makes paying for a fancy cert with the green thing at the top pointless as people can't see it when entering their details.




Richard rich.ms

gzt

#1078157 1-Jul-2014 19:03

lyonrouge:
gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Summary. If a page is https secured (padlock) then any browser should warn if you attempt to submit a username/password via insecure http. I believe all major browsers will warn.

If the page is http (no padlock) then the browser cannot know that you expected a secure submission and therefore cannot warn. In that scenario a user has no protection from a 'potential' insecure submission. I.e., in an entirely hypothetical (and unbelievable) case where the AirNZ webdevs left the 's' off the https for that form.

I also believe most major browsers will warn if a page contains mixed content.

Browser developers have been slowly tightening policies on this kind of stuff over many years dragging the web along behind them. At one time browser users could choose to suppress warnings but I'm unsure if this is still the case.

I googled around for a browser test page but nothing obvious appeared.

gzt

#1078173 1-Jul-2014 19:25

Found some test pages for the mixed content side of things. It is still very much a current issue. Here's a current article explaining the issues.

Test page: https://www.ssllabs.com/ssltest/viewMyClient.html

The test page did not trigger a mixed content browser warning on my Chrome(OSX).
