Geekzone: technology news, blogs, forums
Webhead
2001 posts

Uber Geek
+1 received by user: 629

Moderator
Trusted
Lifetime subscriber

  Reply # 1963363 24-Feb-2018 12:04

richms:

I thought browsers would refuse to submit to a http url when on a https page without some warning?

Never tried to submit, so never got to see if something happened. Might be able to set up a test to see, won't be trying to pay through the form with an invalid card ;)

 

Edit: I see that the first part of the process to pay the fees also does the same thing. Never got a warning (other than the greyed out https) in Chrome.







Webhead
2001 posts

Uber Geek
+1 received by user: 629

Moderator
Trusted
Lifetime subscriber

  Reply # 1963365 24-Feb-2018 12:11

jjnz1:

 

@jarledb how did you find this out? What do we have to look for?

 

 

In Chrome the "Secure" mark gets greyed out.

 

 

I see now that both the form where you are sending in the invoice number and the resulting payment page are unsecured. Both pages are on SSL, but the form submits to http (no encryption).

 

The first part (the invoice number) didn't bother me and I thought it could have been an image or something like that making the page show up as unsecured, but when paying and giving out my credit card info I am a lot more alert. So never submitted that form.

 

In Chrome you can use the inspector to see why a page is showing up that way.

 

As you can see, Chrome tells me that the form is insecure.

 








Webhead
2001 posts

Uber Geek
+1 received by user: 629

Moderator
Trusted
Lifetime subscriber

  Reply # 1963367 24-Feb-2018 12:16

Goosey:

So rather than publicise the alleged insecure form, did you think it would have been a better idea to perhaps notify customs via a letter and also include the minister?

Then after such response then publish the result here?

 

The world will change when you will help it.

 

 

Trust me, I sent them an email before writing anything here.

 

That said, if this was something that could be easily exploited in a targeted manner, I might have been a little more restrictive on publishing it.

 

This will catch out anyone who is using free or open Wi-Fi somewhere (it's easy to spoof things like airport Wi-Fi networks and look at the traffic) and paying through this form.

Anyone gathering information at such a place would be able to catch your credit card information. That's true whether or not they know that NZ Customs have failed in securing their online forms.

I am guessing that it would be rather easy to spoof one of Spark's Wi-Fi points in a crowded area and do the same thing. So it's quite the problem.







Webhead
2001 posts

Uber Geek
+1 received by user: 629

Moderator
Trusted
Lifetime subscriber

  Reply # 1963373 24-Feb-2018 12:30

UPDATE: I checked out the payment forms again, and while there are unsecured posts from a form to an http (unsecured) page, this does not seem to include the payment information. So it's not the security risk it looked like to begin with, but they really should make sure that everything that goes on in the payment pages is secured.
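
A check for the condition discussed in this thread (an HTTPS page whose form submits to an http URL), given here as an added example that is not part of any post. It also lists the field names each such form carries, which is the distinction the update above draws; the URL, HTML and field names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAudit(HTMLParser):
    """Collect each <form>'s resolved submit targets and the field names it carries."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # one dict per <form>
        self._current = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page URL itself.
            target = urljoin(self.page_url, a.get("action") or "")
            self._current = {"targets": [target], "fields": []}
            self.forms.append(self._current)
        elif self._current is not None and tag in ("input", "select", "textarea", "button"):
            if a.get("name"):
                self._current["fields"].append(a["name"])
            # A submit control's formaction overrides the form's action.
            if a.get("formaction"):
                self._current["targets"].append(urljoin(self.page_url, a["formaction"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_forms(page_url, html):
    """Return (target, field_names) for forms on an HTTPS page that submit over http."""
    if urlsplit(page_url).scheme != "https":
        return []
    audit = FormAudit(page_url)
    audit.feed(html)
    return [(t, f["fields"]) for f in audit.forms
            for t in f["targets"] if urlsplit(t).scheme == "http"]

# Constructed sample page: the invoice lookup posts to http, the card form to https.
SAMPLE_URL = "https://payments.example/fees"
SAMPLE_HTML = """
<form action="http://payments.example/lookup" method="post">
  <input name="invoice_number"><input type="submit" value="Find">
</form>
<form action="/pay" method="post">
  <input name="card_number"><input name="expiry"><button name="go">Pay</button>
</form>
"""
print(insecure_forms(SAMPLE_URL, SAMPLE_HTML))
```

On the sample, only the invoice lookup form is reported, and the card form is not, because its relative action resolves against the HTTPS page URL.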





21115 posts

Uber Geek
+1 received by user: 4206

Trusted
Subscriber

  Reply # 1963485 24-Feb-2018 14:55

Some browsers and add-ons are going crazy with security warnings now, popping up all sorts of stuff on http-based sites, like warnings on login forms not to proceed because it's insecure, etc. I expect they will get pressured to fix it when people stop using it with the new changes.





Richard rich.ms
