
speicher 01-17-2005 05:25 PM

Is this a secure site?
 
I was under the impression that if the lock did not appear on the
bottom of the browser that it was not secure to send personal
information. The following site does not show this icon. Is this page
secure?

http://www.chryslerfinancial.com/index.jsp

Ghost 01-17-2005 05:45 PM

Re: Is this a secure site?
 
* On Mon, 17 Jan 2005 10:25:01 -0700, speicher wrote:
> I was under the impression that if the lock did not appear on the
> bottom of the browser that it was not secure to send personal
> information. The following site does not show this icon. Is this page
> secure?
>
> http://www.chryslerfinancial.com/index.jsp



This page is not secure. By secure I mean that any data sent to this
site will not be encrypted, for example your Social Security
Number and Account Number. Secured sites use the SSL protocol to secure
data and HTTP over SSL is usually called https. This means that the URL
should start with https:// not http:// like the URL you posted. Make
sure also that you do not get any warnings when accessing an HTTPS site
since an authenticated site should be certified by a known CA such as
Verisign. Hover with your mouse over the padlock and you should see a
"signed by <company>" where that company should be someone listed in
your root CAs on your PC.

I would recommend not sending any confidential information to the above
URL.

Nick Roberts 01-17-2005 05:47 PM

Re: Is this a secure site?
 
speicher <rspei@exciter(emove).com> wrote:

> I was under the impression that if the lock did not appear on the bottom
> of the browser that it was not secure to send personal information. The
> following site does not show this icon. Is this page secure?
>
> http://www.chryslerfinancial.com/index.jsp


This issue can be confusing, but YES, the site is secure, inasmuch as the
sensitive information you enter (your social security number and account
number together) is sent by SSL (Secure Sockets Layer), encrypted so no-one
else but Chrysler can see it.

You (and I) can tell this by looking at the 'page source' for the web page.
The relevant 'input' boxes are inside a 'form' structure, and you will
notice that the URL in the 'action' of this form has an "https:" prefix.
This means that the information will be sent to Chrysler via SSL.

It would perhaps be useful if browsers had some feature to make this fact
explicit to users at the outset (perhaps a little padlock next to the input
box).

The padlock displayed in the status bar by browsers signifies that the web
page being displayed was sent securely.

HTH

--
Nick Roberts

Martin 01-17-2005 06:27 PM

Re: Is this a secure site?
 
speicher wrote:
> I was under the impression that if the lock did not appear on the
> bottom of the browser that it was not secure to send personal
> information. The following site does not show this icon. Is this page
> secure?
>
> http://www.chryslerfinancial.com/index.jsp


No, but you could change the http and put https. Interestingly, you get a
different web page when you do that.

Why do they need your social security number though? That's more
worrying isn't it?

Vanguard 01-17-2005 06:41 PM

Re: Is this a secure site?
 
"speicher" <rspei@exciter(emove).com> wrote in message
news:s1tnu01jlubjsmsafdigm6lgrpt70hnnuq@4ax.com...
> I was under the impression that if the lock did not appear on the
> bottom of the browser that it was not secure to send personal
> information. The following site does not show this icon. Is this page
> secure?
>
> http://www.chryslerfinancial.com/index.jsp



Yes, the data is secured using SSL. How? The action on the form on
that page submits its data to an HTTPS:// site. If you look at the
source for that login page, you'll see:

<form method="post"
action="https://www.chryslerfinancial.com/account/loginManager.jsp"
name="theForm">

The action says where to submit the data you entered on the first page.
That first page is *local*. It is what got rendered on YOUR computer so
any data you enter is only on YOUR computer. Once you submit the data,
the action says to connect to the HTTPS:// page BEFORE it sends
anything.

Why do they do this? Because not everyone visiting that page will
necessarily log into an account. There is no point in wasting the
overhead to establish an SSL connection when it won't be needed because
the visitor won't be logging in. It's nice on the user end to see the
padlock to know the connection is secured (BEFORE you even enter your
login credentials) but it's harder on the site to provide superfluous
SSL connects. It would be appreciated if sites that do this would
notify the visitor that their login will be secured when it gets sent.

If you look at http://www.hotmail.com, it is also a secured login (using
Passport) but you don't get a lock icon in the status bar for that page,
either, because SSL isn't used when you visit the page, but SSL does get
used for where your login credentials get sent.

--
_________________________________________________________________
Post your replies to the newsgroup. Share with others.
E-mail: vanguard_help AT yahoo.com (append "#NEWS#" to Subject)
_________________________________________________________________


speicher 01-17-2005 10:45 PM

Re: Is this a secure site?
 
On Mon, 17 Jan 2005 12:41:59 -0600, "Vanguard" <see_signature> wrote:

>"speicher" <rspei@exciter(emove).com> wrote in message
>news:s1tnu01jlubjsmsafdigm6lgrpt70hnnuq@4ax.com...
>>I was under the impression that if the lock did not appear on the
>> bottom of the browser that it was not secure to send personal
>> information. The following site does not show this icon. Is this page
>> secure?
>>
>> http://www.chryslerfinancial.com/index.jsp

>
>
>Yes, the data is secured using SSL. How? The action on the form on
>that page submits its data to an HTTPS:// site. If you look at the
>source for that login page, you'll see:
>
><form method="post"
>action="https://www.chryslerfinancial.com/account/loginManager.jsp"
>name="theForm">
>
>The action says where to submit the data you entered on the first page.
>That first page is *local*. It is what got rendered on YOUR computer so
>any data you enter is only on YOUR computer. Once you submit the data,
>the action says to connect to the HTTPS:// page BEFORE it sends
>anything.
>
>Why do they do this? Because not everyone visiting that page will
>necessarily log into an account. There is no point in wasting the
>overhead to establish an SSL connection when it won't be needed because
>the visitor won't be logging in. It's nice on the user end to see the
>padlock to know the connection is secured (BEFORE you even enter your
>login credentials) but it's harder on the site to provide superfluous
>SSL connects. It would be appreciated if sites that do this would
>notify the visitor that their login will be secured when it gets sent.
>
>If you look at http://www.hotmail.com, it is also a secured login (using
>Passport) but you don't get a lock icon in the status bar for that page,
>either, because SSL isn't used when you visit the page, but SSL does get
>used for where your login credentials get sent.

Thanks for the information. I learned a lot. I did email Chrysler a
while back and they did not elaborate as to why the page was secure.
All they said is that it was indeed secure.

Thanks
bob speicher

Ghost 01-18-2005 10:23 AM

Re: Is this a secure site?
 
* On Mon, 17 Jan 2005 18:27:44 +0000 (UTC), Martin wrote:
> speicher wrote:
>> I was under the impression that if the lock did not appear on the
>> bottom of the browser that it was not secure to send personal
>> information. The following site does not show this icon. Is this page
>> secure?
>>
>> http://www.chryslerfinancial.com/index.jsp

>
> No, but you could change the http and put https. Interestingly, you get a
> different web page when you do that.
>
> Why do they need your social security number though? That's more
> worrying isn't it?


Most American companies use social security as a primary key in their
user databases. The result of this is catastrophic... a database is
compromised and suddenly the intruders have enough information to commit
identity fraud.

wimbo 01-18-2005 08:58 PM

Re: Is this a secure site?
 
Nick Roberts wrote:
> speicher <rspei@exciter(emove).com> wrote:
>
>
>>I was under the impression that if the lock did not appear on the bottom
>>of the browser that it was not secure to send personal information. The
>>following site does not show this icon. Is this page secure?
>>
>>http://www.chryslerfinancial.com/index.jsp

>
>
> This issue can be confusing, but YES, the site is secure, inasmuch as the
> sensitive information you enter (your social security number and account
> number together) is sent by SSL (Secure Sockets Layer), encrypted so no-one
> else but Chrysler can see it.


Since no-one will actually examine the code it's just sloppy to use
the SSL part AFTER you entered the information. The page with the form
fields should also have been protected.

>
> You (and I) can tell this by looking at the 'page source' for the web page.
> The relevant 'input' boxes are inside a 'form' structure, and you will
> notice that the URL in the 'action' of this form has an "https:" prefix.
> This means that the information will be sent to Chrysler via SSL.
>
> It would perhaps be useful if browsers had some feature to make this fact
> explicit to users at the outset (perhaps a little padlock next to the input
> box).


Padlocks (as in images) give me a feeling of something fishy. Most
phishing sites have text and images suggesting that the site is secure.
They even have the so-called 'Secure Site' seals from Verisign, which is
like everything else *bogus*.

> The padlock displayed in the status bar by browsers signifies that the web
> page being displayed was sent securely.
>
> HTH
>


But that's AFTER you submitted it. Some people like to know up-front if
it's safe.


Wimbo


wimbo 01-18-2005 09:13 PM

Re: Is this a secure site?
 
> If you look at http://www.hotmail.com, it is also a secured login (using
> Passport) but you don't get a lock icon in the status bar for that page,
> either, because SSL isn't used when you visit the page, but SSL does get
> used for where your login credentials get sent.
>


Hotmail is a 'mail program' just like Outlook, Mail, Thunderbird etc. All
these programs use the insecure smtp and pop3 protocols for accessing
one's mail. These protocols transmit username and password in plain text
over the internet to the mail server. The only difference is that one
would normally access the mailserver from the current ISP. This means
that the lines are short and that the chance of intercepting the
credentials is relatively low.

I must mention that more and more mailservers have the possibility of
accessing and sending mail via SSL and TLS.

Hotmail uses a small part of SSL in the authentication scheme, because
of the load on the servers, and out of convenience. If every
authentication request will be done with the normal use of SSL. Which
means that also the login page will be encrypted. If this is done, every
piece of advertisement would have to be accessed via SSL (which might
become a performance issue on the client, because it needs to decode the
flashes, animated gifs etc.). If this isn't done, the user will be
presented with a series of warnings about unsecure items on the page.

So for the sake of logistics, server loads, user comfort the hotmail
login scheme only uses ssl to transmit the username/password combination.

Personally, I wouldn't leave any piece of info on this page. The company
doesn't create a feeling of security for me. The use of SSL might have
changed that for me. One shouldn't need to check the source code of a
page to see if it's legit (so to say).

Wimbo


Interfecus 01-21-2005 01:50 AM

Re: Is this a secure site?
 
On Mon, 17 Jan 2005 12:41:59 -0600, Vanguard <see_signature> wrote:

> Why do they do this? Because not everyone visiting that page will
> necessarily log into an account. There is no point in wasting the
> overhead to establish an SSL connection when it won't be needed because
> the visitor won't be logging in. It's nice on the user end to see the
> padlock to know the connection is secured (BEFORE you even enter your
> login credentials) but it's harder on the site to provide superfluous
> SSL connects. It would be appreciated if sites that do this would
> notify the visitor that their login will be secured when it gets sent.


The page the information is submitted to is secure, but the page you send
it from isn't. This means that a passive attack on the system can't be
performed, but it doesn't prevent an attacker who is capable of performing
an active attack by intercepting the original login form as it is sent to
your computer and sending you an altered copy containing a different
address to send your details to. It could be sent to a server controlled
by the attacker who could then harvest these details.

Securing the original login form would give protection against this
approach since the attacker couldn't authenticate themselves. The
alternative is to check where the form is going each time (slow, many
browsers have no easy way to do this) or to set up your browser (if
possible) to alert you when the data in a form are submitted to a
different server than the one which the form came from.

P.S. Remember that SSL isn't enough by itself. You should check that
you're actually on the right site and if the URL looks at all suspicious
you should always check that the certificate provided by the site was
actually issued to the company who you want to provide details to. It
doesn't take long to do these things and makes a serious difference to
security.
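
Added example, not part of any post in the thread: a small Python audit of the pattern discussed above, where a page fetched over http carries a form whose action points at https. It separates the two properties the posters argue about (is the submission encrypted, and was the form itself delivered over an authenticated channel) and adds the cross-host check suggested in the last post. The finding labels, the second form and the input names are constructed for illustration; only the first form tag comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the first <form> tag is the one quoted in the thread,
# everything else (inputs, second form) is made up for the demonstration.
SAMPLE_PAGE_URL = "http://www.chryslerfinancial.com/index.jsp"
SAMPLE_HTML = """
<html><body>
<form method="post"
action="https://www.chryslerfinancial.com/account/loginManager.jsp"
name="theForm">
<input type="text" name="ssn"><input type="text" name="account">
</form>
<form action="/search.jsp" name="search"><input type="text" name="q"></form>
</body></html>
"""

class FormCollector(HTMLParser):
    """Collects (name, action) for every <form> start tag."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("name") or "", a.get("action") or ""))

def audit_forms(page_url, html):
    """Return one record per form with the transport findings that apply."""
    page = urlsplit(page_url)
    collector = FormCollector()
    collector.feed(html)
    results = []
    for name, action in collector.forms:
        # Relative and empty actions resolve against the page URL.
        target = urlsplit(urljoin(page_url, action))
        findings = []
        if target.scheme != "https":
            findings.append("submission-not-encrypted")     # passive sniffing
        if page.scheme != "https":
            findings.append("form-page-not-authenticated")  # form can be altered in transit
        if target.hostname != page.hostname:
            findings.append("cross-host-submission")        # data leaves the serving host
        results.append({"name": name, "target": target.geturl(), "findings": findings})
    return results

if __name__ == "__main__":
    for record in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(record)
```

A form that reports only "form-page-not-authenticated" is the case from the thread: the submission is encrypted, but nothing vouches for the action URL the browser received.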

