
Secure website question

  • 29-11-2009 7:00pm
    #1
    Registered Users, Registered Users 2 Posts: 6,423 ✭✭✭


    Hey everyone

    Just wondering should a website be secure and have either a secure cert or https when you are at the "enter your billing address" stage? Or should it just be secure from the point that you have to enter your credit card info?

    Thanks!


Comments

  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    If you were entering your details, where would YOU like your details to be secure from?


  • Registered Users, Registered Users 2 Posts: 6,423 ✭✭✭tinkerbell


    My billing address I'd say!


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    All cart form(s) fields should be secure.

    Also the existence of a cert doesn't mean security, the cert needs to be 'applied' to make the connection https.


  • Closed Accounts Posts: 921 ✭✭✭mehmeh12


    tinkerbell wrote: »
    Hey everyone

    Just wondering should a website be secure and have either a secure cert or https when you are at the "enter your billing address" stage? Or should it just be secure from the point that you have to enter your credit card info?

    Thanks!

    Applying for a new permanent tsb account are we? Yes when you do this on the permanent tsb website the part for your name and address will not be secure. I asked a manager of my local branch why this was and he basically fobbed me off. Needless to say I've moved my money to another bank.


  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    SSL = FAIL

    There have been A LOT of holes poked in SSL over the last few months....
    mehmeh12 wrote: »
    Applying for a new permanent tsb account are we? Yes when you do this on the permanent tsb website the part for your name and address will not be secure. I asked a manager of my local branch why this was and he basically fobbed me off. Needless to say I've moved my money to another bank.


  • Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭wolfric


    BOFH_139 wrote: »
    SSL = FAIL

    There have been A LOT of holes poked in SSL over the last few months....
    Kindly suggest an alternative? I dare say it's more secure than no encryption at all.

    I watched a video on ssl stripping... No detection for man in the middle attack... pity.

    Why would you bother encrypting your home address? Nobody's going to be sniffing out your network activity and cracking it if they don't at least know your ip. If they know that they can near enough guess where you live anyway... feeling a bit paranoid are we? :)


  • Closed Accounts Posts: 481 ✭✭coldwood92


    Is there a lock in the address bar?

    if so you're safe

    IF NOt

    You= in trouble


  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    Yes "safe*"
    coldwood92 wrote: »
    Is there a lock in the address bar?

    if so you're safe

    IF NOt

    You= in trouble


    *Your idea of safe may not be the same as other people's.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    coldwood92 wrote: »
    Is there a lock in the address bar?

    if so you're safe

    IF NOt

    You= in trouble

    You can't trust the padlock in your browser anymore. Man-in-the-middle attack. We are waiting for a fix - which will have to be applied to both servers and every client machine. Higher risk areas for secure browsing are those using WiFi anywhere or Ethernet in public hotspots such as hotels. But even if you have a wired Ethernet network, someone at your ISP could perform the same MITM attack on an SSL connection.

    http://www.grc.com/sn/sn-223.htm

    You also have to be on the lookout for Moxie Marlinspike's fake "security padlock" :-)

    http://www.grc.com/sn/sn-217.htm


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    tinkerbell wrote: »
    Hey everyone

    Just wondering should a website be secure and have either a secure cert or https when you are at the "enter your billing address" stage? Or should it just be secure from the point that you have to enter your credit card info?

    Thanks!

    Aside from the fact that you can't trust HTTPS at the moment (i.e. assuming you accept the risk of the security vulnerability outlined in my previous posting), you really need to get a secure page from the start of your relationship with a website where you plan to enter private information. This weakness is a subtle variation of a number of weaknesses that exist.

    Let's say you are buying an airline ticket, and you have started your shopping at http://www.myairline.com, anybody who has access to your connection along the pipeline can intercept the page that the airline sends your browser which has the "buy" button - i.e. the button that causes the connection to change from in the clear to "secure". They can play games relaying. Your secure connection is basically from your browser to the man in the middle. The man in the middle decrypts your card details, billing address, security code, email address and anything else, stores it, and relays it on to the airline. The airline thinks the man in the middle is you. So you end up with a valid reservation, but a copy of your card and other personal details are also relayed to the hacker who might be in China, Ukraine, Russia or wherever!

    If you were able to start off with https://www.myairline.com at the start of your search for a flight, the variation of the man in the middle attack would not be possible. When they fix the weakness I described in the previous posting, this weakness will still remain!
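
The weakness described in the post above (an http start page that carries the "buy" link or form which switches to https) can be checked for on a captured page. This is an added example, not part of any post in the thread; the host myairline.example, the field-name hints and the finding codes are assumptions, and the Strict-Transport-Security header check goes beyond what the thread discusses.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE = ("card", "cvv", "billing", "address", "email")  # assumed field-name hints

class PageScan(HTMLParser):
    """Collect each form (action + field names) and every link on a page."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            self._form["fields"].append((a.get("name") or "").lower())
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def scheme(base, ref):
    """Scheme of a link or form action after resolving it against the page URL."""
    return urlparse(urljoin(base, ref)).scheme

def audit(page_url, headers, body):
    """Return finding codes for one captured response (URL, header dict, HTML)."""
    found, on_https = [], urlparse(page_url).scheme == "https"
    scan = PageScan()
    scan.feed(body)
    if on_https and "strict-transport-security" not in {k.lower() for k in headers}:
        found.append("no-hsts")               # later visits may start on http again
    for form in scan.forms:
        private = any(s in f for f in form["fields"] for s in SENSITIVE)
        if private and scheme(page_url, form["action"]) != "https":
            found.append("cleartext-submit")  # private fields leave unencrypted
        elif private and not on_https:
            found.append("strippable-form")   # https action delivered by an http page
    if not on_https and any(scheme(page_url, h) == "https" for h in scan.links):
        found.append("strippable-link")       # the "buy" link can be rewritten in transit
    return found

# Constructed sample: an http landing page whose "buy" link and billing form point at https.
SAMPLE_HTTP = ('<a href="https://www.myairline.example/buy">Buy</a>'
               '<form action="https://www.myairline.example/pay" method="post">'
               '<input name="billing_address"><input name="card_number"></form>')

if __name__ == "__main__":
    print(audit("http://www.myairline.example/", {}, SAMPLE_HTTP))
```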


  • Closed Accounts Posts: 9,700 ✭✭✭tricky D


    While the SSL MITM exploit is very real, there is a lot of scaremongering going on. For the general public, the padlock advice is still the best solution going but not perfect. Tbh, I'd be more worried about other weaknesses.


  • Banned (with Prison Access) Posts: 586 ✭✭✭conolan


    There is a danger that techies overemphasise security issues (and I've no idea whether the issue above is likely or common).

    We all accept risks with security. My house is not secure, but it's secure enough for where I live. My car isn't secure, and making it very secure might cost as much as the value of the car.
    My data isn't secure BUT I know there are more people who know how to jemmy open a car door than there are people who can do a man-in-the-middle job.


  • Registered Users, Registered Users 2 Posts: 5,513 ✭✭✭Sleipnir


    Agreed. From the scaremongering posts here, the only real solution is to shut down e-commerce entirely!


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,857 Mod ✭✭✭✭Capt'n Midnight


    Sleipnir wrote: »
    Agreed. From the scaremongering posts here, the only real solution is to shut down e-commerce entirely!
    No, the solution is for the banks to accept more of the risk instead of forcing customers to pay up.

    AIB had a system with single use credit card numbers, great idea in that the number could only be used once and for up to a certain amount.


  • Closed Accounts Posts: 481 ✭✭coldwood92


    Padlocks are still used on websites such as PayPal and amazon.co.uk


  • Closed Accounts Posts: 481 ✭✭coldwood92


    coldwood92 wrote: »
    Padlocks are still used on websites such as PayPal and amazon.co.uk

    I'm just pointing this out by the way


  • Closed Accounts Posts: 481 ✭✭coldwood92


    and twitter


  • Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭wolfric


    coldwood92 wrote: »
    Padlocks are still used on websites such as PayPal and amazon.co.uk

    still? not meaning to be smart but as opposed to moving onto..?

