
Virtually every website should use https:// all the time

  • 27-06-2014 7:19pm
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Any website taking customer feedback, offering user login, providing customer specific information, or selling online should enforce https:// from the outset, for all website pages. This applies to most companies and organisations, not just banks and payment card accepting website.

    It is not sufficient to make the login page itself “secure”, because a previous page (to the one that is secure) can be spoofed (eg by a man in the middle attack) and populated with links that re-direct the customer to a hoax page (which looks like the real site), but is instead populated with links and fields that capture the customers’ data (eg payment card numbers, expiry dates, CVV2s, mother’s maiden names, passport/ID numbers, whatever) for the fraudster.

    One of the worst cases of this weakness in Ireland is Aer Lingus. When making a reservation, all the data is in the clear during the pages where one selects the flight, and it is only after that point that https:// is used. This is a total breach of personal privacy as to where one is travelling to/from – aside from the downstream payment card risks it opens up. This would allow a man in the middle to take over the reservation at that point and take personal information, payment card details, email address etc and complete the process in fraud mode. It is a simple matter to copy the corporate colours and logos from the real site and use them in a fake platform.

    Phonewatch (a supposed “security” company) has a feedback form for customers and others, with text in the clear on their website. It would be a simple matter for a hacker to redirect the individual to another site that looks like Phonewatch, and ask them a few additional “security questions” to gather alarm de-activation codes, and codes to show Phonewatch that the person is in fact their customer when requesting an alarm to be ignored and the Gardai etc not to be advised of the alarm event.

    Similar issues apply to the payment card verification processes adopted by Irish banks (ie to outsource the verification process, which involves the collection of personal data, to a site), and while it is over a secure connection, the browser security certificate shown is not one issued to the bank in question. Again it is very easy for a hoax site to show a bank’s logo copied from the real website. If one was so minded, one could start selling iPhones for €99 online - just to collect a mass of payment card details - as well as other security questions - your DoB, ID/passport number, mother's maiden name, etc.


Comments

  • Registered Users, Registered Users 2 Posts: 10,968 ✭✭✭✭28064212


    Impetus wrote: »
    It is not sufficient to make the login page itself “secure”, because a previous page (to the one that is secure) can be spoofed (eg by a man in the middle attack) and populated with links that re-direct the customer to a hoax page (which looks like the real site), but is instead populated with links and fields that capture the customers’ data (eg payment card numbers, expiry dates, CVV2s, mother’s maiden names, passport/ID numbers, whatever) for the fraudster.
    If there's a man in the middle, the fact that one page of the "real" site is http and the next is https makes no difference. They can just spoof the original site from scratch.

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Closed Accounts Posts: 1,095 ✭✭✭solomafioso




  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    28064212 wrote: »
    If there's a man in the middle, the fact that one page of the "real" site is http and the next is https makes no difference. They can just spoof the original site from scratch.

    https could be used to make the man in the street aware of the difference between serious sites (eg www.aerlingus.ie or www.esb.ie) and xxxdating.xxx or whatever. If a person goes to http://www.aerlingus.ie and is re-directed immediately to https://www.aerlingus.ie they get used to seeing the green bar or whatever their choice of browser uses to indicate a secure site. Good browsers not only use green but show the exact legal name of the connected-to entity. There is no reason why money-accepting sites don't pay for so-called "extended validation" certificates (dumb American terminology) to describe a site whose certificate does more than send an email to the purported owner's email address to verify their existence. If someone is doing a man in the middle at that point any decent browser would give a big red warning flag to the user.

    Every browser should show the connected-to entity big and bold, and in green if the certificate checks out, so even the dumbest PC users (eg Ryanair travellers!) would begin to see something unusual in the event of a hoax man in the middle site. Websites are grossly negligent for not doing this (TLS 1.2) and browser developers are negligent for not making non-secure sites abundantly clear (emphasis of matter) to users... and may be liable for costs of fraud arising as a result of their negligence. This amounts to several billion € a year worldwide, not to mention time wasting, card replacement costs etc.

    And while there may be companies who, with or without the employee's consent, install fake certificates on their employees' machines (doing an in-house man-in-the-middle), these entities are unlikely to be engaged in credit card fraud. Their main concern is to censor the employee, assuming the employee is not intelligent enough to give two fingers to the company and resign forthwith. And sue them to the extent possible for messing with his/her PC or whatever is appropriate in the circumstances.
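The opening post argues that a site should enforce https:// from the very first page, and the reply above adds that the plain-HTTP address should redirect straight to the HTTPS one. The check below is an added example written for this thread, not code from any poster or site mentioned; it takes an initial HTTP response and the follow-up HTTPS response and reports whether the site meets that bar. It also looks for a Strict-Transport-Security (HSTS) header, which the thread does not mention but which is the standard way to make the redirect stick on later visits. The host name shop.example, the response pairs and the one-year minimum are constructed assumptions.

```python
"""Check whether a site enforces HTTPS from the first request.

Two conditions are tested:
  1. The plain-HTTP response is a redirect to an https:// URL on the
     same site (nothing is served in the clear, not even a landing page).
  2. The HTTPS response carries a Strict-Transport-Security header with
     a max-age of at least one year, so the browser stops trying HTTP.

Responses are passed in as (status, headers) pairs so the logic runs
offline; every response below is constructed for illustration.
"""
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumed policy threshold)
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when
    the mandatory max-age directive is missing or not a number.
    """
    result = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return None if result["max_age"] is None else result


def redirect_target(status, headers):
    """Return the Location of a redirect response, or None if it is not one."""
    if status not in REDIRECT_STATUSES:
        return None
    return _lower_keys(headers).get("location")


def _same_site(host, target_host):
    """Allow http://example -> https://www.example and vice versa."""
    if not host or not target_host:
        return False
    return (target_host == host
            or target_host.endswith("." + host)
            or host.endswith("." + target_host))


def assess_https_enforcement(http_url, http_response, https_response):
    """Return a list of findings; an empty list means HTTPS is enforced
    from the first request and pinned with HSTS."""
    findings = []
    host = urlsplit(http_url).hostname

    status, headers = http_response
    target = redirect_target(status, headers)
    if target is None:
        findings.append("plain-HTTP request served content instead of redirecting")
    else:
        parts = urlsplit(target)
        if parts.scheme != "https":
            findings.append(f"HTTP redirects to non-HTTPS URL {target}")
        elif not _same_site(host, parts.hostname):
            findings.append(f"HTTP redirects to a different site {parts.hostname}")

    status, headers = https_response
    hsts = _lower_keys(headers).get("strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response has no Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts)
        if parsed is None:
            findings.append("Strict-Transport-Security header is malformed")
        elif parsed["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {parsed['max_age']} is shorter than one year")
    return findings


# Constructed sample responses (not captured from any real site).
GOOD_HTTP = (301, {"Location": "https://shop.example/", "Content-Length": "0"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                    "Content-Type": "text/html"})
BAD_HTTP = (200, {"Content-Type": "text/html"})   # flight-selection pages in the clear
BAD_HTTPS = (200, {"Content-Type": "text/html"})  # no HSTS: next visit starts on HTTP again

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)), ("bad", (BAD_HTTP, BAD_HTTPS))):
        print(label, assess_https_enforcement("http://shop.example/", *pair) or "OK")
```

To use it against a live site, fetch `http://host/` with redirects disabled and `https://host/` normally, then feed the two (status, headers) pairs in; the findings list maps directly onto the complaints in the thread (content in the clear, redirect missing or pointing elsewhere).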


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Google now looks for https version of a site over the http version.

    https://blog.httpwatch.com/2014/07/07/google-has-given-https-a-huge-boost/

    [image: chart.png]

