Geekzone: technology news, blogs, forums

Topic # 225698 30-Nov-2017 22:04

Hi all,

 

Firstly, apologies if I haven't described the issue here well or if it belongs in another forum.

 

For the past few years I've been engaged in a minor conflict with my professional college over their Web site: specifically, its apparent insecurity.

 

The organisation expects its members to pay subscriptions and certain other fees online and has an https page for that. When I go to make a payment, though, Firefox (for example; I use Chrome as well) advises me that the page is insecure (broken padlock with a warning triangle).

 

After much toing and froing with various administrative people I've got the following explanation from a senior IT person:

 

"Thank you for your email regarding the security of our website. I can assure you that our registration functions are using ssl technology. For our payment processing we also use payflowpro, the corporate side of paypal which has its own security and verifications.

 

"The reason you are seeing a message about the ssl on some of our pages is because there are some jquery scripts which are serving up pictures on our website, which are only using http, instead of https."

 

Now I have no reason to distrust the chap who sent me that explanation, but it still makes me uneasy about, for example, putting my credit card details onto such a Web page. I therefore tend to play it safe and insist on faxing payment details to a trusted recipient (or paying by direct deposit).

 

My question is, am I being unreasonable? Or is it just good practice to regard any Web page that throws up a Firefox alert as insecure and not to put credit card details and other confidential information up on it?

 

TIA for all advice.

 

(edited because my attempt at html didn't work so well)


Reply # 1911352 30-Nov-2017 22:08
One person supports this post

IMO their explanation could be correct. But as you say, it doesn't look good, as the lock is broken. Those scripts and images, if they are loading from external sources, should still be https. When I have had this problem with my own sites, I have always fixed it.

 

 

 

I had a similar problem where I reported a similar problem with https on their website, where I kept getting popup security warnings. They got their web designer to contact me, who denied the problems, was quite unprofessional, and started pointing out problems with my website etc, which they were wrong about anyway. I escalated it to management, as I wasn't happy to be treated that way, as I was only reporting a problem to them. They ended up identifying the problem with their website and fixing it. But it wasn't worth the hassle of reporting it.

 

 

 

One thing though is that Firefox and Chrome are now displaying these 'connection is not secure' warnings in the address bar (if you click on the icon where the lock normally appears) of websites that don't use https, as there is a major push for all websites to use https.


Reply # 1911353 30-Nov-2017 22:10
2 people support this post

I was so tempted to answer with "Partially secure"..!






 
 
 
 


Reply # 1911355 30-Nov-2017 22:15

No answers, sorry, but I'm interested -- because recently Malwarebytes Premium said "DONT GO THERE" to me on attempting to access the Seniors page of Min Social Development...  Sounds like it might be the same thing happening.

 

Told MSD, and they responded by sending me a link on How to Stay Safe Online.  Which is kind of odd, when you think about it.





gml
Reply # 1911356 30-Nov-2017 22:24
4 people support this post

Did you ask why they can't serve their jquery scripts (or actually everything) over HTTPS? This is what typically happens in a professional outfit.


Reply # 1911357 30-Nov-2017 22:34
2 people support this post

If the website is loading images from an insecure source that will break the lock. They should fix their code in order to fix the issue instead of giving excuses.

 

 



Reply # 1911359 30-Nov-2017 22:41

KiwiSurfer: Did you ask why they can't serve their jquery scripts (or actually everything) over HTTPS? This is what typically happens in a professional outfit.


I asked.  I got this in reply:

 

I’ll ask my team if we can try and serve this up as https content. It’s a reference to an external code library which our main templates use, so I am not 100% sure it's possible.

 

Presumably it has been either not possible or not doable within budgetary/manpower/etc constraints.


Reply # 1911360 30-Nov-2017 22:44
4 people support this post

If all components of the site aren't secure, then the site is not secure.  Two is one, one is none and all that jazz.  


Reply # 1911364 30-Nov-2017 23:02
One person supports this post

Chrome Dev tools (f12) has its own security tab now BTW. So you can load it and see what resources it doesn't like


IcI
Reply # 1911861 2-Dec-2017 00:56
6 people support this post

kiwigander: ... My question is, am I being unreasonable? Or is it just good practice to regard any Web page that throws up a Firefox alert as insecure 
Your concerns are valid. Plain & simple.

 

 

 

Longer answer: To answer the question in the subject of this thread. If only images were loaded via HTTP on this site, then it would be more secure than a site that loads script & libraries via HTTP. Your IT guy has given you the correct & truthful info, but unfortunately seems unwilling to act on this. His set of users is small / manageable / well known with only one person raising concerns (complaining).
A benefit of HTTPS is that the content is from a 'validated' source. It is very easy to perform a 'man in the middle (MITM)' attack on HTTP traffic. Because HTTP traffic is not encrypted, anybody sniffing the packets can read your data stream and also insert their own traffic. The most jovial version of this is flipping images in your browser window upside down. Serving HTTP content in an HTTPS page is introducing a weak link in your security chain. Even if payflowpro or Paypal use SSL, that doesn't help if the website itself is tracking your usage & logging your keystrokes / mouse movements. This insecure content could capture everything you type on the website.

 

Actionable items for you (and the senior IT person)

 

  • These days, maintainers of public libraries know of the value to serve their content via HTTPS. If it is the jquery script itself that is external and loaded via HTTP, you should be able to update the HTML to load via HTTPS instead of HTTP.
  • If it is the actual images that are served via HTTP, why is the jquery script doing that? Maybe there is an updated version of the script that tries HTTPS first? Where do the images come from? Why can't the images be hosted on an HTTPS enabled site? Or better yet, bring them inhouse and host them on your own HTTPS enabled site.
  • As stated above, you can use the developer tools in Chrome, Firefox & IE/Edge to view what was loaded via HTTP. Copy that URL, paste it into your browser's address bar, modify the HTTP to HTTPS and see if the resource loads?
  • As an alternative, do a bit of collective action. Get everybody to use the fax option for three to six months to submit their payments. Have them cite concerns about privacy & security when asked why. The payments processing team will groan and complain to IT to fix it. This will have the additional benefit that it's not you complaining. - This point is listed to show that some technical problems have a non-technical solution. Be creative.
  • Speak to other senior staff about your concerns and have them speak to IT to spend the money and keep everybody secure & safe.

Let us know if you have success with any of the approaches mentioned here (or if you crash & burn). PM me if you want a more in depth conversation.

 

Good luck.
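The first three actionable items above (find every http:// subresource on an https:// page, rewrite it to https://, and see whether the upgraded URL loads) can be scripted rather than done by hand in the developer tools. The following is an added example and is not code from IcI or from Geekzone. The page URL, the hostnames and the HTML are constructed for the demonstration, and `fetch` is a hypothetical callable you supply (for instance a wrapper around a HEAD request), so the scan itself runs offline. It also separates "active" mixed content (scripts, stylesheets, frames, which a man in the middle could use to control the page) from "passive" mixed content (images, media), which is the distinction IcI draws between an insecure image and an insecure script.

```python
"""Find mixed content: http:// subresources referenced from an https:// page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Tags whose http:// loads are "active" mixed content: the resource can run code
# or restyle the page, so whoever tampers with that request controls the page.
ACTIVE = {"script", "link", "iframe", "object", "embed"}
# "Passive" mixed content: the resource can be swapped, but cannot read the page.
PASSIVE = {"img", "audio", "video", "source", "track"}
URL_ATTRS = ("src", "href", "data")
LOADING_LINK_RELS = {"stylesheet", "icon", "preload"}


class _SubresourceCollector(HTMLParser):
    """Collects (tag, absolute_url, severity) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE and tag not in PASSIVE:
            return
        attrs = dict(attrs)
        # <link> only fetches something for a few rel values (stylesheet, icon, ...)
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rel & LOADING_LINK_RELS:
            return
        for name in URL_ATTRS:
            value = attrs.get(name)
            if not value:
                continue
            # Resolve relative and protocol-relative ("//host/x") URLs against the
            # page; only an absolute http:// reference is mixed content.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                severity = "active" if tag in ACTIVE else "passive"
                self.findings.append((tag, absolute, severity))


def find_mixed_content(html, page_url):
    """Return [(tag, url, severity), ...] for each http:// subresource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful for an https:// page")
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return collector.findings


def https_candidate(url):
    """The 'edit http:// to https:// in the address bar' step, as a function."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def probe_upgrades(findings, fetch):
    """Ask fetch(https_url) -> bool whether each upgraded URL loads.

    `fetch` is hypothetical and injected by the caller (e.g. a function that issues
    a HEAD request and returns True on a 2xx), which keeps this module offline.
    """
    return {url: fetch(https_candidate(url)) for _tag, url, _sev in findings}


# Constructed sample page: one http:// script (active), one http:// image (passive),
# plus references that are NOT mixed content (relative, protocol-relative, https, <a>).
SAMPLE_PAGE_URL = "https://example.org/members/pay"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://code.example-cdn.test/jquery.min.js"></script>
</head><body>
<img src="http://images.example.org/logo.png">
<img src="//images.example.org/banner.png">
<script src="https://pay.example.org/checkout.js"></script>
<a href="http://example.org/about">about</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, severity in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{severity:7} <{tag}> {url}  ->  try {https_candidate(url)}")
```

On the sample page the scan reports the jQuery script as active and the logo as passive; the protocol-relative banner and the relative stylesheet inherit https:// from the page and are not flagged. In a real check the `fetch` you pass to `probe_upgrades` would issue the request; a True result for the script's https:// variant is exactly the evidence that the template only needs its URL changed.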




Reply # 1912455 3-Dec-2017 23:12

Thank you IcI for the detailed explanation.

 

I've made a preliminary stab with the Firefox developer tools and found one resource with an http:// address.  I copied that address into another browser window and observed what loaded; then I replaced the http:// with https:// and what loaded looked at a glance to be the same.  

 

Will try this again when I'm genuinely awake.  


Reply # 1912468 4-Dec-2017 07:24

Post the link if you want someone else to have a look.






IcI
Reply # 1922384 20-Dec-2017 10:16

@kiwigander:
Thank you IcI for the detailed explanation.
...
Will try this again when I'm genuinely awake.

 

Any progress in getting the site secured?


dt
Reply # 1922406 20-Dec-2017 10:48

can you PM me the link to the insecure address? I can let you know how much of a concern it is.


BDFL - Memuneh
Reply # 1922412 20-Dec-2017 11:20

I was going to post but @IcI did a great job.

 

Another thing to consider is cookies. They may use cookies to store authentication or session information. A browser will always send cookies to the server when a resource (images, scripts, css files, etc) is requested.

 

If the cookies are marked as Secure then only HTTPS requests will send the values stored in cookies. This reduces the risk of cookie/session hijacking. If these aren't marked as Secure (and if they are not marked as HttpOnly) then an HTTP script could easily read these values during requests. Seeing these scripts are external, you would have a small chance of a data leak that could compromise session, user or any other information the site developer by chance stored in those cookies.

 

Another thing is that sites should all consider CSP (Content Security Policy) when implementing secure pages.

 

Lots of things to consider.
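The two points above (cookies without the Secure and HttpOnly flags, and the absence of a Content Security Policy) can be checked directly from a page's response headers. The following is an added example, not code from this poster or from Geekzone. Both responses are constructed: the weak one resembles what the thread describes, the hardened one shows the same cookie with Secure, HttpOnly and SameSite set and a CSP that upgrades http:// subresources; the hostnames in the CSP are placeholders.

```python
"""Audit Set-Cookie and Content-Security-Policy headers of an https:// page."""


def parse_cookie_attrs(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_set_cookie(header_value):
    """Report the flags a session cookie on an https:// site should carry."""
    name, attrs = parse_cookie_attrs(header_value)
    problems = []
    if "secure" not in attrs:
        # Without Secure the browser attaches the cookie to http:// requests too,
        # such as the page's http:// image loads, where it travels in clear text.
        problems.append("no Secure flag: also sent on http:// subresource requests")
    if "httponly" not in attrs:
        problems.append("no HttpOnly flag: readable by any script running in the page")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        problems.append("no SameSite=Lax/Strict: also sent on cross-site requests")
    return {"cookie": name, "problems": problems}


def audit_csp(headers):
    """Check that a CSP exists and that it addresses mixed content and script origins."""
    csp = headers.get("content-security-policy")
    if csp is None:
        return ["no Content-Security-Policy header at all"]
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    problems = []
    # upgrade-insecure-requests rewrites http:// subresources to https://;
    # block-all-mixed-content refuses to load them. Either removes the broken padlock.
    if not set(directives) & {"upgrade-insecure-requests", "block-all-mixed-content"}:
        problems.append("CSP neither upgrades nor blocks http:// subresources")
    if not set(directives) & {"script-src", "default-src"}:
        problems.append("CSP does not restrict where scripts may be loaded from")
    return problems


def audit_response(headers):
    """headers: {lowercase-name: value}; 'set-cookie' is a list because it repeats."""
    return {
        "cookies": [audit_set_cookie(c) for c in headers.get("set-cookie", [])],
        "csp": audit_csp(headers),
    }


# Constructed responses. The weak one has a bare session cookie and no CSP.
WEAK_RESPONSE = {
    "content-type": "text/html",
    "set-cookie": ["session=abc123; Path=/"],
}
# The hardened one flags the cookie and upgrades any leftover http:// references.
HARDENED_RESPONSE = {
    "content-type": "text/html",
    "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "content-security-policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.test; "
        "img-src 'self' https://images.example.org; upgrade-insecure-requests"
    ),
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response))
```

The audit is deliberately header-only, so it can be run against a saved copy of the response (the Network tab of the developer tools shows the same headers) without any access to the site's code. Note that `upgrade-insecure-requests` is the quickest fix when the http:// references sit in a shared template that nobody wants to touch, but it only helps if the remote host actually serves the resource over https://.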

 

 







Reply # 1922837 20-Dec-2017 23:37
2 people support this post

Sorry for the delay in following this up (distractions, distractions).

 

I've checked the website again and got the same results as before.  When I reach a page that greys out the security padlock and throws up the yellow warning triangle, Developer Tools finds only one reference to http://.  I copy that into a new tab's address bar and it downloads a .dtd text file, which I rename firstfile.dtd.  I then substitute https:// for the http:// and another .dtd file gets downloaded, which I rename secondfile.dtd.  According to the diff -s firstfile.dtd secondfile.dtd command the two files are identical.

 

I've now gone back to the IT admin person and asked again whether the problem can be remedied.

 

If necessary I can chat with some higher-ups in the organisation.

 

I would not fancy my chances of organising a campaign of faxing or other work-arounds.

 

I suspect that giving out the web address of the organisation would land me in serious hot water, hence I must respectfully decline some respondents' offers to help investigate the site.

 

Thanks for all advice given, and I shall report back.

