How secure

 
r2oo
Guest





Posted: Mon Jul 14, 2014 4:22 am    Post subject: How secure

Hi, before I use the service I just wanted some reassurance on how secure & safe it is. I noticed that there is no HTTPS:// in the title bar stating a secure connection.

Regards
Adam
Cupid



Joined: 09 Aug 2007
Posts: 5638
Location: Bristol, UK

Posted: Mon Jul 14, 2014 4:51 am

The target of the 'Log in Now' button is an https link... which is all that is necessary to ensure that your credentials are sent securely... To confirm this, if you understand web programming, you can view the page source of this page in your browser.

The whole site is not accessed via https because then adverts could not be hosted... which is what helps to keep the main service free to all.

This is the code you are looking for:

Quote:
<form id="form1" name="form1" method="post" action="https://www.gixen.com/home_1.php">
<table width="95%" border="0" align="right" cellspacing="0">
<tr>
<td width="127"><div align="right"><span class="text10_black">eBay username</span></div></td>
<td width="122"><input name="username" type="text" class="text_black" id="username" /></td>
<td width="90" class="text10_black"><div align="right">eBay Password </div></td>
<td width="122"><span class="text10_black">
<input name="password" type="password" class="text_black" id="password" />
</span></td>
<td width="82" class="text10_gray"><label>
<input name="signin" type="hidden" id="signin" value="signin" size="15" class="field" />
<input name="Submit" type="submit" class="dugme" value="Log in Now" />
</label></td>
</tr>
<tr>
<td colspan="5" bgcolor="#CDCDCD" class="text10_black"><span class="text10_black">Login is SSL protected. By clicking on &quot;Log in Now&quot; you agree to gixen.com</span> terms of usage.</td>
</tr>
</table>
</form>

_________________
Mark
Guest






Posted: Fri Jul 08, 2016 10:47 pm

Unfortunately this isn't really true. Without HTTPS on the page that generates the form, an attacker in a MITM position could rewrite the form to send credentials elsewhere.

HTTPS is needed on both the form supplying the login page AND the destination page to have any measure of security.
Cupid



Joined: 09 Aug 2007
Posts: 5638
Location: Bristol, UK

Posted: Sat Jul 09, 2016 1:39 am

Hijacking the connection you have with your service provider, while technically possible, is extremely rare and dependent on overcoming other security measures other than the https encryption on the link to a specific website.

If it were achieved, the 'Man In the Middle' could just as easily mimic the https page that contains the login form, and the vast majority of users would never notice... and obtain the credentials anyway... via people logging into eBay itself without them needing to have used Gixen at all, that is certainly what I would do if I was formulating a strategy to obtain eBay credentials... So, I don't think your analysis actually stands up to argument... and I'm sure it has never even been attempted with Gixen, let alone achieved.

Pretty much everyone is already aware that you have to be extra careful with all your site usage when using open Wifi, and unsecured public computers and networks anyway... and this is why.
_________________
Mark
Guest






Posted: Tue Jul 12, 2016 11:27 am

While a MITM could hijack the connection, HTTPS would prevent this (or more specifically, would at least warn me).

Is there a compelling reason to force delivery of the login page over HTTP rather than HTTPS?
Cupid



Joined: 09 Aug 2007
Posts: 5638
Location: Bristol, UK

Posted: Wed Jul 13, 2016 6:03 am

The compelling reason is that the login form is presented on every page.

Many of those pages also host adverts, which help support the platform and enable the free service to remain available.

In order for those adverts to be possible the pages have to be http not https.

As indicated above the actual credentials are sent securely... I am still of the view that your argument is not sufficient to warrant or require a change in policy which is in line with many other secure websites.
_________________
Mark
All times are GMT - 8 Hours