Air New Zealand also Unencrypted

Forums › Off topic › Air New Zealand also Unencrypted

1 | 2

dclegg

2805 posts

Uber Geek

Trusted

#1078176 1-Jul-2014 19:32

sidefx: I think this thread is fair enough TBH. Going to https://www.airnewzealand.co.nz/onesmart actually redirects you from https TO http :? so the sign in then looks like the following. It does ultimately POST over https but still seems like pretty poor form from the point of view of educating users...

Posting over HTTPS from HTTP is not secure. Troy Hunt explains why.

Backblaze

Backblaze Unlimited Backup. World’s easiest cloud backup. Get peace of mind knowing your files are backed up securely in the cloud (affiliate link).

sidefx

3639 posts

Uber Geek

Trusted

#1078178 1-Jul-2014 19:35

dclegg:
Posting over HTTPS from HTTP is not secure. Troy Hunt explains why.

Thanks, yeah, I thought there were issues with it too but didn't have time to look them up.

"I was born not knowing and have had only a little time to change that here and there." | Electric Kiwi | Sharesies
- Richard Feynman

richms

26389 posts

Uber Geek

Trusted

Subscriber

#1078192 1-Jul-2014 20:05

It comes down to the usability of the site winning over security of the site.

IMO if they allow a login form to be loaded over non SSL, they dont give a crap about security.

Richard rich.ms

BTR

1522 posts

Uber Geek

#1078442 2-Jul-2014 09:46

michaelmurfy: In terms of bad things happening for using this site, you have more of a chance of getting hax0red for your use of Internet Explorer.

I noticed that as well, using IE and complaining about security is almost asking for it haha.

lyonrouge

1993 posts

Uber Geek

Trusted

Lifetime subscriber

#1078445 2-Jul-2014 09:55

My grumble was regarding encryption, not security. Encryption in this example is browser agnostic, and although encryption contributes to the security practice is not security in itself.

itxtme

2050 posts

Uber Geek

#1078547 2-Jul-2014 12:13

dclegg:
sidefx: I think this thread is fair enough TBH. Going to https://www.airnewzealand.co.nz/onesmart actually redirects you from https TO http :? so the sign in then looks like the following. It does ultimately POST over https but still seems like pretty poor form from the point of view of educating users...

Posting over HTTPS from HTTP is not secure. Troy Hunt explains why.

~~How does he insert his logger code into the woolworths site?~~ NVM he had access to the network proxy. The chance of this actually happening??? Although I did see the comments regarding server performance is 1-2% according to google when they switched gmail to https only. That in itself is an excellent argument to switching to SSL only!

dclegg

2805 posts

Uber Geek

Trusted

#1078549 2-Jul-2014 12:17

itxtme:
dclegg:
sidefx: I think this thread is fair enough TBH. Going to https://www.airnewzealand.co.nz/onesmart actually redirects you from https TO http :? so the sign in then looks like the following. It does ultimately POST over https but still seems like pretty poor form from the point of view of educating users...

Posting over HTTPS from HTTP is not secure. Troy Hunt explains why.

How does he insert his logger code into the woolworths site? NVM he had access to the network proxy. The chance of this actually happening??? Although I did see the comments regarding server performance is 1-2% according to google when they switched gmail to https only. That in itself is an excellent argument to switching to SSL only!

Any Man-in-the-middle attack could make you vulnerable to this.

If you have any interest in web security at all, I'd recommend following what Troy has to say on the subject. He really knows his stuff. Here is his talk from this years Codemania conference.

richms

26389 posts

Uber Geek

Trusted

Subscriber

#1078573 2-Jul-2014 12:43

If you are going to start using free wifi then the chances are quite high and will get higher as the entry barrier comes down more to doing this sort of thing.

Richard rich.ms

1 | 2