Https zone partially encrypted: security issue

Unseen Posts: 601
edited December 2012 in The Commons

Since yesterday I see that the https zone is partially encrypted because when I log in I see that the padlock does not display in Firefox 17.01. I have checked the images but all the links start with https.

I have tried with IE 9 (with latest update) and when I enter the https zone I am told that only the encrypted data are displayed. There is an option allowing to display all the data (encrypted and non-encrypted) but when I select it I see no difference.

I therefore assume that the security issue is not related to the images but to something else.

It would be very nice if one of the administrators could forward the information to the website technicians...

I have submitted no ticket since it seems that it is impossible to contact the website support via the help desk...

Thank you very much.

(Attached screenshot: HTTPS.png)
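A small checker for the symptom described in the post, added here as an example and not part of the thread: it scans a page's HTML for subresources and form targets that resolve to plain http://, which is what makes a browser drop the padlock even when every <img> link is https. The sample page and its hostnames are constructed for the example.

```python
"""Find mixed content (plain http:// subresources) in an HTTPS page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that carries the subresource URL. A <form> posting to
# http:// is included: that is the login-credential case from the thread.
_URL_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "source": "src",
    "embed": "src", "object": "data", "link": "href", "form": "action",
}

class MixedContentScanner(HTMLParser):
    """Collect every subresource that would be fetched over plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = _URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative ("//cdn/...") URLs against
        # the page URL first: on an https page they inherit https and pass.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] for each http:// subresource found in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample login page (hostnames made up): both images are https,
# as the poster found, but the stylesheet and the form target are not.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/tracker.js"></script>
</head><body>
<img src="https://static.example.test/logo.png"><img src="/img/banner.png">
<form action="http://www.example.test/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.test/login", SAMPLE_HTML):
        print(f"insecure {tag:<6} {url}")
```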

Comments

  • DaremoK3 Posts: 798
    edited December 1969

    I noticed this too yesterday (Firefox 15.0.1) when I tried to log in to PM a client.

    I almost didn't log in at all, but I really needed to update my client, so against my better judgement I submitted my log-in info on this unsecured platform.

    I thought it was just me, or a glitch, so I refreshed the page close to twenty times, tried going to log-in page from different areas of the site, hand typed in the address, and even rebooted Firefox. All to no avail.

    Firefox told me that the page was unsecured, and data transferred (log in identity and password) could be intercepted in transit.

    I felt very uneasy about logging in (and again tonight), but thought I was just being paranoid. But, now since you confirmed this, I am fully feeling paranoid.

    Guess it's time to change my info.

    I second the request for DAZ guru's to address this matter. Yeah, it's not my bank log-in, but it could still lead to issues.

  • cosmo71 Posts: 3,609
    edited December 1969

    Wilfred said:
    Since yesterday I see that the https zone is partially encrypted because when I log in I see that the padlock does not display in Firefox 17.01. I have checked the images but all the links start with https.

    I have tried with IE 9 (with latest update) and when I enter the https zone I am told that only the encrypted data are displayed. There is an option allowing to display all the data (encrypted and non encrypted) but when I select it I see no difference.

    I therefore assume that the security issue is not related to the images but to something else.

    It would be very nice if one of the administrators could forward the information to the website technicians...

    I have submitted no ticket since it seems that it is impossible to contact the website support via the help desk...

    Thank you very much.

    was the standard daz site ever in https? I think not, just if you check out then it is https.

  • Unseen Posts: 601
    edited December 1969

    Here is a screenshot of the checkout zone: the padlock is not visible...
    The connection is not completely encrypted...

    (Attached screenshot: Checkout.png)
  • Chohole Posts: 33,604
    edited December 2012

    But as no payment information is held on site, there should be no inherent problem.

    http://www.daz3d.com/forums/discussion/2639_4/

  • Unseen Posts: 601
    edited December 1969

    chohole said:
    But as no payment information is held on site, there should be no inherent problem.

    http://www.daz3d.com/forums/discussion/2639_4/

    There is a problem because sensitive data are sent when CC data are submitted and if the server is not secure...

  • JennK Posts: 834
    edited December 1969

    As someone who has worked with payments online for a company which also didn't hold credit card numbers, we were required to pass the test it talks about in your reference, Chohole; however, we were also required to have an SSL (Secure Sockets Layer (SSL) is a protocol designed to enable applications to transmit information back and forth securely) on the server that passed the information to our credit card servicing company, as the passage from our server to theirs had to be secure and have this validation. Now admittedly I am in a different state than DAZ. SSLs are not overly expensive, but they are a pain in the butt to install on the managing server. True PCI compliance, from what I understand, means the server that passes this information has to have an SSL.

    That being said, there is a reason I use a card with just a little money on it when I shop anywhere online. I am just paranoid that way.

  • Unseen Posts: 601
    edited December 1969

    I have reported the issue to the store and I have asked that they forward the issue to the right people.

  • Chohole Posts: 33,604
    edited December 1969

    If you check now you should see that the issue has been sorted out.

  • Unseen Posts: 601
    edited December 2012

    I see that it is fixed but it must not be thanks to you since here is what you replied:

    But as no payment information is held on site, there should be no inherent problem.

  • Chohole Posts: 33,604
    edited December 2012

    I am only a Moderator, I can't solve any problems of any sort, but can pass them on when highlighted. You filed a support ticket as well, which is more information for them. We were told, as in the thread I linked to, that no information was held on site.

  • Unseen Posts: 601
    edited December 2012

    Yes but here is what you have replied:

    But as no payment information is held on site, there should be no inherent problem.

    Therefore...

    Anyway, holding information on a server is one thing and sending CC data via a partially encrypted server is different. As a forum administrator and customer it is something that you should know.

  • Chohole Posts: 33,604
    edited December 2012

    Agreed, and now I do know, I obviously was only partially informed, or something had changed temporarily, which is now fixed.

    But no credit card data is transferred when you purchase from the store, if you have your card details saved with DAZ 3D, which was why I said what I did.

  • DaremoK3 Posts: 798
    edited December 1969

    I'm glad, and relieved to see it has been rectified...

    Thank you DAZ for your prompt attention.


    cosmo71:

    Yes, it has always been encrypted, and showing both the encryption padlock and the https header.

    Being very paranoid after three (that's THREE) times a victim of identity theft (including credit card), I make sure that padlock and https header is there for any secure log-in I use.

    I know it wasn't Firefox, because Yahoo mail log-in retained its encryption integrity.

    Chohole:

    I respectfully disagree with your assessment.

    Within the past two weeks I had read a forum thread here regarding one of our fellow patrons who had his deleted, supposedly non-existent, non-stored credit card info auto-charged for a long since canceled Platinum Club membership (I am fuzzy on the details, but that was the gist of it).

    Barring that concern alone, what of our Gift Card/Store Credits stored under our accounts?

    That's what really concerns me. That someone could intercept my log-in details, log in as me, and use my credit to make purchases. Then, when I was ready to make a purchase I would find out the hard way from DAZ that I have already "used up" all my credit.

    These are just "what if's", of course, but it's better to be safe than sorry...

  • murgatroyd314 Posts: 1,426
    edited December 1969

    chohole said:
    But no credit card data is transferred when you purchase from the store, if you have your card details saved with DAZ 3D, which was why I said what I did.

    That's not quite true. One piece of data relating to the credit card is transferred with each purchase: the security code.
