Author Topic: Secure URLs  (Read 749 times)

Offline Mjolinor

  • Frequent Contributor
  • **
  • Posts: 305
  • Country: gb
Secure URLs
« on: June 22, 2019, 09:40:46 am »

I was just renewing my Direct Line car insurance online.

This involves an automatically popping up chat window from an HTTPS URL. During this chat he opens another pop up window that appears next to the original chat window into which I am supposed to enter my card details.

Are these pop up windows covered by the original HTTPS certificate?

I do realise that everyone should know stuff like this but I didn't so I refused to enter my details. The chat guy kept telling me it is secure but so did the Nigerian that told me an African prince had left me millions of £.

 

Offline mariush

  • Super Contributor
  • ***
  • Posts: 3958
  • Country: ro
  • .
Re: Secure URLs
« Reply #1 on: June 22, 2019, 09:49:43 am »
A good browser will show the address bar even on popups. Or you can right click on the title bar and check "show address bar", "show menu bar", etc.

For example, here's the "Manage attachments" on jonnyguru.com forums ... I see the address bar and I can click on the I logo to get information about security:

 

Offline Bob Moore

  • Contributor
  • Posts: 9
  • Country: tw
    • TITOMA
Re: Secure URLs
« Reply #2 on: March 18, 2020, 06:27:09 am »
I usually check for the domain; if it's the same as the one on the main page it should be okay. I've never seen any attempt at stealing someone's information in a chat window; on pop-ups that redirect to other sites, yes.
Best,
Bob Moore
 

Offline rdl

  • Super Contributor
  • ***
  • Posts: 2987
  • Country: us
Re: Secure URLs
« Reply #3 on: March 18, 2020, 08:51:07 am »
Seriously? They expected you to enter credit card numbers in a pop up window?
 

Offline electrolust

  • Supporter
  • ****
  • Posts: 423
  • Country: us
Re: Secure URLs
« Reply #4 on: July 07, 2020, 08:05:24 pm »

Quote from Mjolinor: "Are these pop up windows covered by the original HTTPS certificate?"

who cares? you are covered to max £50 liability on your CC, by law. most issuers extend that to £0.

nobody is stealing CC data in transit, they are stealing stored data. https isn't protecting you, and neither does it matter if it's the same site/cert or not. your insurer's stored data is just as likely to get popped (actually more so) than an independent CC processor's.

if you must, have 2 CC. One for recurring payments only, one for all others. That way when the main one is compromised, at least you don't have to re-do your recurring payments.

it's just misplaced worry.
 

Offline golden_labels

  • Regular Contributor
  • *
  • Posts: 185
  • Country: pl
Re: Secure URLs
« Reply #5 on: July 07, 2020, 10:41:55 pm »
Quote from Mjolinor: "Are these pop up windows covered by the original HTTPS certificate?"
Those two things are unrelated. The only thing that is important is if the page in the pop-up window is using the same certificate, if the target domain receiving your data is using the same certificate, and if every resource (in particular scripts) used in that pop-up is using the same certificate. The second and third one may be limited by the Content-Security-Policy header, the first one may only be checked as mariush has explained it.

Quote from rdl: "Seriously? They expected you to enter credit card numbers in a pop up window?"
You have never seen that? Then let me tell you a little horror story! Some payment services require you to enter your credentials in an iframe embedded within another party’s website. No sane method of verifying who receives the data before it is sent.

Worth watching: Calling Bullshit — protect your friends and yourself from bullshit!
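
The Content-Security-Policy point in the reply above, as an added example (not code from any poster in the thread): a simplified checker for whether a page's policy lets a script load from, or a form post to, a given URL. The policies and hostnames are constructed, and the matching ignores ports, paths, nonces and hashes. The `LOOSE` policy shows that `default-src` alone does not restrict where a card form is submitted, because `form-action` has no fallback.

```javascript
// Added example: simplified CSP matching. Ports and paths in host-sources are
// ignored, and nonces/hashes are treated as non-matching (assumptions).
const FETCH_DIRECTIVES = new Set(['script-src', 'style-src', 'img-src', 'connect-src']);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

function sourceMatches(src, url, page) {
  if (src === "'self'") return url.origin === page.origin;
  if (src.startsWith("'")) return false;            // 'none', nonces, hashes
  if (src === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // e.g. https:
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  // Simplification: a host-source without a scheme must use the page's scheme.
  const scheme = m[1] ? m[1] + ':' : page.protocol;
  if (url.protocol !== scheme) return false;
  return m[2].startsWith('*.') ? url.hostname.endsWith(m[2].slice(1)) : url.hostname === m[2];
}

function allows(header, directive, target, pageUrl) {
  const policy = parseCsp(header);
  const page = new URL(pageUrl);
  const url = new URL(target, page);                // resolves relative targets
  let sources = policy.get(directive);
  // Fetch directives fall back to default-src; form-action has no fallback.
  if (!sources && FETCH_DIRECTIVES.has(directive)) sources = policy.get('default-src');
  if (!sources) return true;                        // directive absent: unrestricted
  return sources.some((s) => sourceMatches(s, url, page));
}

// Constructed policies and hostnames (not from the thread).
const PAGE = 'https://insurer.example/chat/pay';
const STRICT = "default-src 'self'; script-src 'self' https://js.pay.example; " +
               'form-action https://pay.example';
const LOOSE = "default-src 'self'";

console.log(allows(STRICT, 'form-action', 'https://other.example/collect', PAGE));
console.log(allows(LOOSE, 'form-action', 'https://other.example/collect', PAGE));
```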
 

Offline golden_labels

  • Regular Contributor
  • *
  • Posts: 185
  • Country: pl
Re: Secure URLs
« Reply #6 on: Yesterday at 08:23:00 am »
Quote from electrolust: "nobody is stealing CC data in transit, they are stealing stored data. https isn't protecting you, and neither does it matter if it's the same site/cert or not. your insurer's stored data is just as likely to get popped (actually more so) than an independent CC processor's."
No one? So what are those people doing, who have stolen credit card data from websites of 8 US cities — in transit, not stored? That particular malware has been observed in the wild for over a year now.

Note: a TLS connection alone would not prevent that, as the malware was served from a compromised server. I’m countering this particular claim.
 

