| View previous topic :: View next topic |
| Author |
Message |
r2oo
Guest
|
 Posted: Mon Jul 14, 2014 4:22 am Post subject: How secure |
 |
|
Hi, before I use the service I just wanted some re-assurance on how secure & safe it is. I noticed that there is no H T T P S : / / in the title bar stating a secure connection.
Regards
Adam |
|
| Back to top |
|
 |
Cupid
Joined: 09 Aug 2007
Posts: 7596
Location: Bristol, UK
|
| Posted: Mon Jul 14, 2014 4:51 am Post subject: |
|
|
The target of the 'Log in Now' button is an https link... which is all that is necessary to ensure that your credentials are sent securely... To confirm this, if you understand web programming, you can view the page source of this page in your browser.
The whole site is not accessed via https because then adverts could not be hosted... which is what helps to keep the main service free to all.
This is the code you are looking for:
| Quote: | <form id="form1" name="form1" method="post" action="https://www.gixen.com/home_1.php">
<table width="95%" border="0" align="right" cellspacing="0">
<tr>
<td width="127"><div align="right"><span class="text10_black">eBay username</span></div></td>
<td width="122"><input name="username" type="text" class="text_black" id="username" /></td>
<td width="90" class="text10_black"><div align="right">eBay Password </div></td>
<td width="122"><span class="text10_black">
<input name="password" type="password" class="text_black" id="password" />
</span></td>
<td width="82" class="text10_gray"><label>
<input name="signin" type="hidden" id="signin" value="signin" size="15" class="field" />
<input name="Submit" type="submit" class="dugme" value="Log in Now" />
</label></td>
</tr>
<tr>
<td colspan="5" bgcolor="#CDCDCD" class="text10_black"><span class="text10_black">Login is SSL protected. By clicking on "Log in Now" you agree to gixen.com</span> terms of usage.</td>
</tr>
</table>
</form> |
_________________
Mark |
|
| Back to top |
|
|
Guest
|
| Posted: Fri Jul 08, 2016 10:47 pm Post subject: |
|
|
Unfortunately this isn't really true. Without HTTPS on the page that generates the form, an attacker in a MITM position could rewrite the form to send credentials elsewhere.
HTTPS is needed on both the form supplying the login page AND the destination page to have any measure of security. |
|
| Back to top |
|
|
Cupid
Joined: 09 Aug 2007
Posts: 7596
Location: Bristol, UK
|
| Posted: Sat Jul 09, 2016 1:39 am Post subject: |
|
|
Hijacking the connection you have with your service provider, while technically possible, is extremely rare and dependant on overcoming other security measures other than the https encryption on the link to a specific website.
If it were achieved, the 'Man In the Middle' could just as easily mimic the https page that contains the login form, and the vast majority of users would never notice... and obtain the credentials anyway... via people logging into Ebay itself without them needing to have used Gixen at all, that is certainly what I would do if I was formulating a strategy to obtain Ebay credentials... So, I don't think your analysis actually stands up to argument... and I'm sure it has never even been attempted with Gixen, let alone achieved.
Pretty much everyone is already aware that you have to be extra careful with all your site usage when using open Wifi, and unsecured public computers and networks anyway... and this is why.
_________________
Mark |
|
| Back to top |
|
|
Gixen
Advertisements
|
| Posted: Sat Jul 09, 2016 1:39 am Post subject: |
|
|
|
|
| Back to top |
|
|
Guest
|
| Posted: Tue Jul 12, 2016 11:27 am Post subject: |
|
|
While a MITM could hijack the connection, HTTPS would prevent this (or more specifically, would at least warn me)
Is there a compelling reason to force delivery the login page over HTTP rather than HTTPS? |
|
| Back to top |
|
|
Cupid
Joined: 09 Aug 2007
Posts: 7596
Location: Bristol, UK
|
| Posted: Wed Jul 13, 2016 6:03 am Post subject: |
|
|
The compelling reason is that the login form is presented on every page.
Many of those pages also host adverts, which help support the platform and enable the free service to remain available.
In order for those adverts to be possible the pages have to be http not https.
As indicated above the actual credentials are sent securely... I am still of the view that your argument is not sufficient to warrant or require a change in policy which is in line with many other secure websites.
_________________
Mark |
|
| Back to top |
|
|
|
Search
