Is this a secure site?

Discussion in 'Computer Security' started by speicher, Jan 17, 2005.

  1. speicher

    speicher Guest

    I was under the impression that if the lock did not appear on the
    bottom of the browser that it was not secure to send personal
    information. The following site does not show this icon. Is this page
    secure?

    http://www.chryslerfinancial.com/index.jsp
    speicher, Jan 17, 2005
    #1

  2. speicher

    Ghost Guest

    * On Mon, 17 Jan 2005 10:25:01 -0700, speicher wrote:
    > I was under the impression that if the lock did not appear on the
    > bottom of the browser that it was not secure to send personal
    > information. The following site does not show this icon. Is this page
    > secure?
    >
    > http://www.chryslerfinancial.com/index.jsp



    This page is not secure. By secure I mean that any data sent to this
    site will not be encrypted. Like for example your Social Security
    Number and Account Number. Secured sites use the SSL protocol to secure
    data and HTTP over SSL is usually called https. This means that the URL
    should start with https:// not http:// like the URL you posted. Make
    sure also that you do not get any warnings when accessing an HTTPS site
    since an authenticated site should be certified by a known CA such as
    Verisign. Hover with your mouse over the padlock and you should see a
    "signed by <company>" where that company should be someone listed in
    your root CAs on your PC.

    I would recommend not sending any confidential information to the above
    URL.
    Ghost, Jan 17, 2005
    #2

  3. speicher

    Nick Roberts Guest

    speicher <rspei@exciter(emove).com> wrote:

    > I was under the impression that if the lock did not appear on the bottom
    > of the browser that it was not secure to send personal information. The
    > following site does not show this icon. Is this page secure?
    >
    > http://www.chryslerfinancial.com/index.jsp


    This issue can be confusing, but YES, the site is secure, inasmuch as the
    sensitive information you enter (your social security number and account
    number together) is sent by SSL (Secure Sockets Layer), encrypted so no-one
    else but Chrysler can see it.

    You (and I) can tell this by looking at the 'page source' for the web page.
    The relevant 'input' boxes are inside a 'form' structure, and you will
    notice that the URL in the 'action' of this form has an "https:" prefix.
    This means that the information will be sent to Chrysler via SSL.

    It would perhaps be useful if browsers had some feature to make this fact
    explicit to users at the outset (perhaps a little padlock next to the input
    box).

    The padlock displayed in the status bar by browsers signifies that the web
    page being displayed was sent securely.

    HTH

    --
    Nick Roberts
    Nick Roberts, Jan 17, 2005
    #3
  4. speicher

    Martin Guest

    speicher wrote:
    > I was under the impression that if the lock did not appear on the
    > bottom of the browser that it was not secure to send personal
    > information. The following site does not show this icon. Is this page
    > secure?
    >
    > http://www.chryslerfinancial.com/index.jsp


    No, but you could change the http and put https. Interestingly, you get a
    different web page when you do that.

    Why do they need your social security number though? That's more
    worrying isn't it?
    Martin, Jan 17, 2005
    #4
  5. speicher

    Vanguard Guest

    "speicher" <rspei@exciter(emove).com> wrote in message
    news:...
    > I was under the impression that if the lock did not appear on the
    > bottom of the browser that it was not secure to send personal
    > information. The following site does not show this icon. Is this page
    > secure?
    >
    > http://www.chryslerfinancial.com/index.jsp



    Yes, the data is secured using SSL. How? The action on the form on
    that page submits its data to an HTTPS:// site. If you look at the
    source for that login page, you'll see:

    <form method="post"
    action="https://www.chryslerfinancial.com/account/loginManager.jsp"
    name="theForm">

    The action says where to submit the data you entered on the first page.
    That first page is *local*. It is what got rendered on YOUR computer so
    any data you enter is only on YOUR computer. Once you submit the data,
    the action says to connect to the HTTPS:// page BEFORE it sends
    anything.

    Why do they do this? Because not everyone visiting that page will
    necessarily log into an account. There is no point in wasting the
    overhead to establish an SSL connection when it won't be needed because
    the visitor won't be logging in. It's nice on the user end to see the
    padlock to know the connection is secured (BEFORE you even enter your
    login credentials) but it's harder on the site to provide superfluous
    SSL connects. It would be appreciated if sites that do this would
    notify the visitor that their login will be secured when it gets sent.

    If you look at http://www.hotmail.com, it is also a secured login (using
    Passport) but you don't get a lock icon in the status bar for that page,
    either, because SSL isn't used when you visit the page, but SSL does get
    used for where your login credentials get sent.

    --
    _________________________________________________________________
    Post your replies to the newsgroup. Share with others.
    E-mail: vanguard_help AT yahoo.com (append "#NEWS#" to Subject)
    _________________________________________________________________
    Vanguard, Jan 17, 2005
    #5
  6. speicher

    speicher Guest

    On Mon, 17 Jan 2005 12:41:59 -0600, "Vanguard" <see_signature> wrote:

    >"speicher" <rspei@exciter(emove).com> wrote in message
    >news:...
    >> I was under the impression that if the lock did not appear on the
    >> bottom of the browser that it was not secure to send personal
    >> information. The following site does not show this icon. Is this page
    >> secure?
    >>
    >> http://www.chryslerfinancial.com/index.jsp

    >
    >
    >Yes, the data is secured using SSL. How? The action on the form on
    >that page submits its data to an HTTPS:// site. If you look at the
    >source for that login page, you'll see:
    >
    ><form method="post"
    >action="https://www.chryslerfinancial.com/account/loginManager.jsp"
    >name="theForm">
    >
    >The action says where to submit the data you entered on the first page.
    >That first page is *local*. It is what got rendered on YOUR computer so
    >any data you enter is only on YOUR computer. Once you submit the data,
    >the action says to connect to the HTTPS:// page BEFORE it sends
    >anything.
    >
    >Why do they do this? Because not everyone visiting that page will
    >necessarily log into an account. There is no point in wasting the
    >overhead to establish an SSL connection when it won't be needed because
    >the visitor won't be logging in. It's nice on the user end to see the
    >padlock to know the connection is secured (BEFORE you even enter your
    >login credentials) but it's harder on the site to provide superfluous
    >SSL connects. It would be appreciated if sites that do this would
    >notify the visitor that their login will be secured when it gets sent.
    >
    >If you look at http://www.hotmail.com, it is also a secured login (using
    >Passport) but you don't get a lock icon in the status bar for that page,
    >either, because SSL isn't used when you visit the page, but SSL does get
    >used for where your login credentials get sent.

    Thanks for the information. I learned a lot. I did email Chrysler a
    while back and they did not elaborate as to why the page was secure.
    All they said is that it was indeed secure.

    Thanks
    bob speicher
    speicher, Jan 17, 2005
    #6
  7. speicher

    Ghost Guest

    * On Mon, 17 Jan 2005 18:27:44 +0000 (UTC), Martin wrote:
    > speicher wrote:
    >> I was under the impression that if the lock did not appear on the
    >> bottom of the browser that it was not secure to send personal
    >> information. The following site does not show this icon. Is this page
    >> secure?
    >>
    >> http://www.chryslerfinancial.com/index.jsp

    >
    > No, but you could change the http and put https. Interestingly, you get a
    > different web page when you do that.
    >
    > Why do they need your social security number though? That's more
    > worrying isn't it?


    Most American companies use social security as a primary key in their
    user databases. The result of this is catastrophic... a database is
    compromised and suddenly the intruders have enough information to commit
    identity fraud.
    Ghost, Jan 18, 2005
    #7
  8. speicher

    wimbo Guest

    Nick Roberts wrote:
    > speicher <rspei@exciter(emove).com> wrote:
    >
    >
    >>I was under the impression that if the lock did not appear on the bottom
    >>of the browser that it was not secure to send personal information. The
    >>following site does not show this icon. Is this page secure?
    >>
    >>http://www.chryslerfinancial.com/index.jsp

    >
    >
    > This issue can be confusing, but YES, the site is secure, inasmuch as the
    > sensitive information you enter (your social security number and account
    > number together) is sent by SSL (Secure Sockets Layer), encrypted so no-one
    > else but Chrysler can see it.


    Since no-one will actually examine the code it's just sloppy to use
    the SSL part AFTER you entered the information. The page with the form
    fields should also have been protected.

    >
    > You (and I) can tell this by looking at the 'page source' for the web page.
    > The relevant 'input' boxes are inside a 'form' structure, and you will
    > notice that the URL in the 'action' of this form has an "https:" prefix.
    > This means that the information will be sent to Chrysler via SSL.
    >
    > It would perhaps be useful if browsers had some feature to make this fact
    > explicit to users at the outset (perhaps a little padlock next to the input
    > box).


    Padlocks (as in images) give me a feeling of something fishy. Most
    phishing sites have text and images suggesting that the site is secure.
    They even have the so-called 'Secure Site' seals from Verisign, which is
    like everything else *bogus*.

    > The padlock displayed in the status bar by browsers signifies that the web
    > page being displayed was sent securely.
    >
    > HTH
    >


    But that's AFTER you submitted it. Some people like to know up-front if
    it's safe.


    Wimbo
    wimbo, Jan 18, 2005
    #8
  9. speicher

    wimbo Guest

    > If you look at http://www.hotmail.com, it is also a secured login (using
    > Passport) but you don't get a lock icon in the status bar for that page,
    > either, because SSL isn't used when you visit the page, but SSL does get
    > used for where your login credentials get sent.
    >


    Hotmail is a 'mail program' just like Outlook, Mail, Thunderbird etc. All
    these programs use the insecure SMTP and POP3 protocols for accessing
    one's mail. These protocols transmit username and password in plain text
    over the internet to the mail server. The only difference is that one
    would normally access the mailserver from the current ISP. This means
    that the lines are short and that the chance of intercepting the
    credentials is relatively low.

    I must mention that more and more mailservers have the possibility of
    accessing and sending mail via SSL and TLS.

    Hotmail uses a small part of SSL in the authentication scheme, because
    of the load on the servers, and out of convenience. If every
    authentication request were done with the normal use of SSL, the login
    page would also be encrypted. If this is done, every
    piece of advertisement would have to be accessed via SSL (which might
    become a performance issue on the client, because it needs to decode the
    flashes, animated gifs etc.). If this isn't done, the user will be
    presented with a series of warnings about unsecure items on the page.

    So for the sake of logistics, server loads and user comfort, the Hotmail
    login scheme only uses SSL to transmit the username/password combination.

    Personally, I wouldn't leave any piece of info on this page. The company
    doesn't create a feeling of security for me. The use of SSL might have
    changed that for me. One shouldn't need to check the source code of a
    page to see if it's legit (so to say).

    Wimbo
    wimbo, Jan 18, 2005
    #9
  10. speicher

    Interfecus Guest

    On Mon, 17 Jan 2005 12:41:59 -0600, Vanguard <see_signature> wrote:

    > Why do they do this? Because not everyone visiting that page will
    > necessarily log into an account. There is no point in wasting the
    > overhead to establish an SSL connection when it won't be needed because
    > the visitor won't be logging in. It's nice on the user end to see the
    > padlock to know the connection is secured (BEFORE you even enter your
    > login credentials) but it's harder on the site to provide superfluous
    > SSL connects. It would be appreciated if sites that do this would
    > notify the visitor that their login will be secured when it gets sent.


    The page the information is submitted to is secure, but the page you send
    it from isn't. This means that a passive attack on the system can't be
    performed, but it doesn't prevent an attacker who is capable of performing
    an active attack by intercepting the original login form as it is sent to
    your computer and sending you an altered copy containing a different
    address to send your details to. It could be sent to a server controlled
    by the attacker who could then harvest these details.

    Securing the original login form would give protection against this
    approach since the attacker couldn't authenticate themselves. The
    alternative is to check where the form is going each time (slow, many
    browsers have no easy way to do this) or to set up your browser (if
    possible) to alert you when the data in a form are submitted to a
    different server than the one which the form came from.

    P.S. Remember that SSL isn't enough by itself. You should check that
    you're actually on the right site and if the URL looks at all suspicious
    you should always check that the certificate provided by the site was
    actually issued to the company who you want to provide details to. It
    doesn't take long to do these things and makes a serious difference to
    security.
    Interfecus, Jan 21, 2005
    #10
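
Added example, not part of the thread or any poster's code: a Python check of the kind the posts above describe doing by hand, reporting where each form on a page submits, whether that target is HTTPS and on the same host, and whether the page carrying the form was itself delivered over HTTPS. The flag names and the wrapper page around the quoted form tag are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the <form> tag quoted in the thread inside a minimal page.
SAMPLE_PAGE = """<html><body>
<form method="post"
action="https://www.chryslerfinancial.com/account/loginManager.jsp"
name="theForm">
</form>
</body></html>"""


class _FormActions(HTMLParser):
    """Collects the raw action attribute of every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action means "submit to the page's own URL".
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return [(resolved_target, [flags])] for each form in html."""
    parser = _FormActions()
    parser.feed(html)
    page = urlsplit(page_url)
    results = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        t = urlsplit(target)
        flags = []
        if page.scheme != "https":
            # Form arrived unauthenticated: its action could be altered in transit.
            flags.append("page-not-https")
        if t.scheme != "https":
            # Submitted data would cross the network unencrypted.
            flags.append("action-not-https")
        if t.hostname != page.hostname:
            # Data goes to a different server than the one that sent the form.
            flags.append("cross-host")
        results.append((target, flags))
    return results
```

For the page as posted, the only flag is `page-not-https`: the submission is encrypted, but nothing authenticates the form that names the destination.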