Geekzone: technology news, blogs, forums


Topic # 148815 1-Jul-2014 16:47

Air NZ site (similar to the trade me thread) is unencrypted, so this I have stopped using. Challenge now is, I'm on hold on the phone line, is it just me or is IT going backwards?

  Reply # 1078061 1-Jul-2014 16:47

Hmmmm. Here we go.




I am the Geekzone Robot and I am here to help. I am from the Internet. I do not interact. Do not expect other replies from me.



gzt



  Reply # 1078078 1-Jul-2014 17:09

Credit card payments are not encrypted?


  Reply # 1078082 1-Jul-2014 17:14



Looks fine here




Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated


  Reply # 1078085 1-Jul-2014 17:18

all of the important bits are encrypted, what is the point of this thread?







  Reply # 1078090 1-Jul-2014 17:20

OneSmart, debit card so one is even more apprehensive than normal because once you're hit you're screwed because they simply don't care.





  Reply # 1078091 1-Jul-2014 17:22

l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.




  Reply # 1078102 1-Jul-2014 17:28

Should have been a question rather than a grumble. You can get an encrypted page for OneSmart here https://www.onesmart.co.nz/ (not the site on the activation sticker on your card).


  Reply # 1078110 1-Jul-2014 17:42

So really they just need to set up an http to https redirect on their load balancers

gzt



  Reply # 1078116 1-Jul-2014 17:52

lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


  Reply # 1078120 1-Jul-2014 17:56
One person supports this post

I think this thread is fair enough TBH.  Going to https://www.airnewzealand.co.nz/onesmart actually redirects you from https TO http :?   so the sign in then looks like the following. It does ultimately POST over https but still seems like pretty poor form from the point of view of educating users...





  Reply # 1078127 1-Jul-2014 18:10

gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.

Meow

  Reply # 1078138 1-Jul-2014 18:41

In terms of bad things happening for using this site, you have more of a chance of getting hax0red for your use of Internet Explorer.





  Reply # 1078155 1-Jul-2014 18:56

lyonrouge:
I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Yes, but that can be replaced with any form by a MITM attack, and it makes paying for a fancy cert with the green thing at the top pointless as people can't see it when entering their details.




Richard rich.ms

gzt



  Reply # 1078157 1-Jul-2014 19:03
One person supports this post

lyonrouge:
gzt:
lyonrouge:
l43a2: all of the important bits are encrypted, what is the point of this thread?

 
they tell us not to use broken certificates, but in this case I can't see if the "important" part (my password) is encrypted or not.

A padlock is reassuring, I agree.

But I know of no reason an https page cannot submit your credentials to an unencrypted http address. Iirc some security solutions might detect and prevent this, and some browsers will kind of warn.

The padlock tells you that (at least some of: ) the information you are viewing was sent via https. I don't think it says much about how information you may submit could be sent. This part is still essentially trust I think.

Edit: I hasten to add - in the specific airnz case that airpoints user/pass looks to be https submitted = secure.


I was unaware that parts of a HTTPS page could be unencrypted. I was aware that HTTP could trigger encrypted iframes but I was not aware of the reverse, thanks for letting me know.


Summary. If a page is https secured (padlock) then any browser should warn if you attempt to submit a username/password via insecure http. I believe all major browsers will warn.

If the page is http (no padlock) then the browser cannot know that you expected a secure submission and therefore cannot warn. In that scenario a user has no protection from a 'potential' insecure submission. Ie; In an entirely hypothetical (and unbelievable) case where the AirNZ webdevs left the 's' off the https for that form.

I also believe most major browsers will warn if a page contains mixed content.

Browser developers have been slowly tightening policies on this kind of stuff over many years dragging the web along behind them. At one time browser users could choose to suppress warnings but I'm unsure if this is still the case.

I googled around for a browser test page but nothing obvious appeared.
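
The cases discussed in the posts above (an https page submitting to http, and an http page submitting to https), as an added example that is not part of any post in this thread: a Python check that classifies every password form by the scheme of the page it is served from and the scheme of its submit target. The function name, verdict labels and the `shop.example` sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect each <form> action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of [action, has_password]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1][1] = True


def audit_login_forms(page_url, html):
    """Return (target_url, verdict) for every form with a password field."""
    collector = _FormCollector()
    collector.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    results = []
    for action in [a for a, has_password in collector.forms if has_password]:
        target = urljoin(page_url, action)  # empty action posts back to the page
        target_secure = urlparse(target).scheme == "https"
        if page_secure and target_secure:
            verdict = "ok"
        elif page_secure:
            verdict = "insecure-submit"        # https page posting to http
        elif target_secure:
            verdict = "form-served-over-http"  # post is encrypted, the form is not
        else:
            verdict = "fully-unencrypted"
        results.append((target, verdict))
    return results


# Constructed sample: an http page whose login form posts to an https URL.
SAMPLE_URL = "http://shop.example/login"
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="https://shop.example/auth" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""

print(audit_login_forms(SAMPLE_URL, SAMPLE_HTML))
```

The `form-served-over-http` verdict is the situation where the browser has nothing to warn about: the submission itself is encrypted, but the page carrying the form arrived without integrity protection.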

gzt



  Reply # 1078173 1-Jul-2014 19:25

Found some test pages for the mixed content side of things. It is still very much a current issue. Here's a current article explaining the issues.

Test page: https://www.ssllabs.com/ssltest/viewMyClient.html

The test page did not trigger a mixed content browser warning on my Chrome(OSX).
