Digital Art Zone

 
     
Https zone partially encrypted: security issue
Posted: 05 December 2012 02:33 AM
Member

Since yesterday I see that the https zone is partially encrypted because when I log in I see that the padlock does not display in Firefox 17.01. I have checked the images but all the links start with https.

I have tried with IE 9 (with latest update) and when I enter the https zone I am told that only the encrypted data are displayed. There is an option allowing to display all the data (encrypted and non encrypted) but when I select it I see no difference.

I therefore assume that the security issue is not related to the images but to something else.

It would be very nice if one of the administrators could forward the information to the website technicians…

I have submitted no ticket since it seems that it is impossible to contact the website support via the help desk…

Thank you very much.

Image Attachments
HTTPS.png
 
 
Posted: 05 December 2012 04:09 AM   [ # 1 ]
Active Member

I noticed this too yesterday (Firefox 15.0.1) when I tried to log in to PM a client.

I almost didn’t log in at all, but I really needed to update my client, so against my better judgement I submitted my log-in info on this unsecured platform.

I thought it was just me, or a glitch, so I refreshed the page close to twenty times, tried going to the log-in page from different areas of the site, hand typed in the address, and even rebooted Firefox.  All to no avail.

Firefox told me that the page was unsecured, and data transferred (log in identity and password) could be intercepted in transit.

I felt very uneasy about logging in (and again tonight), but thought I was just being paranoid.  But, now since you confirmed this, I am fully feeling paranoid.

Guess it’s time to change my info.

I second the request for DAZ gurus to address this matter.  Yeah, it’s not my bank log-in, but it could still lead to issues.

 
 
Posted: 05 December 2012 09:47 AM   [ # 2 ]
Power Member
Wilfred - 05 December 2012 02:33 AM

Since yesterday I see that the https zone is partially encrypted because when I log in I see that the padlock does not display in Firefox 17.01. I have checked the images but all the links start with https.

I have tried with IE 9 (with latest update) and when I enter the https zone I am told that only the encrypted data are displayed. There is an option allowing to display all the data (encrypted and non encrypted) but when I select it I see no difference.

I therefore assume that the security issue is not related to the images but to something else.

It would be very nice if one of the administrators could forward the information to the website technicians…

I have submitted no ticket since it seems that it is impossible to contact the website support via the help desk…

Thank you very much.

Was the standard daz site ever in https? I think not, just if you check out then it is https.

 
 
Posted: 05 December 2012 10:22 AM   [ # 3 ]
Member

Here is a screenshot of the checkout zone: the padlock is not visible…
The connection is not completely encrypted…

Image Attachments
Checkout.png
 
 
Posted: 05 December 2012 10:27 AM   [ # 4 ]
Administrator

But as no payment information is held on site, there should be no inherent problem.

http://www.daz3d.com/forums/viewannounce/2639_4/

 
 
Posted: 05 December 2012 10:35 AM   [ # 5 ]
Member
chohole - 05 December 2012 10:27 AM

But as no payment information is held on site, there should be no inherent problem.

http://www.daz3d.com/forums/viewannounce/2639_4/

There is a problem because sensitive data are sent when CC data are submitted and if the server is not secure…

 
 
Posted: 05 December 2012 10:50 AM   [ # 6 ]
Active Member

As someone who has worked with payments online with a company who also didn’t hold credit card numbers, we were required to also pass the test it talks about in your reference, chohole; however, we were also required to have an SSL (Secure Sockets Layer (SSL) is a protocol designed to enable applications to transmit information back and forth securely) on the server that passed the information to our credit card servicing company, as the passage from our server to theirs had to be secure and have this validation. Now admittedly I am in a different state than DAZ. SSL’s are not overly expensive but they are a pain in the butt to install on the managing server.  True PCI compliance, from what I understand, means the server that passes this information has to have an SSL.

That being said, there is a reason I use a card with just a little money on it when I shop anywhere online; I am just paranoid that way.

 
 
Posted: 05 December 2012 11:03 AM   [ # 7 ]
Member

I have reported the issue to the store and I have asked that they forward the issue to the right people.

 
 
Posted: 05 December 2012 01:52 PM   [ # 8 ]
Administrator

If you check now you should see that the issue has been sorted out.

 
 
Posted: 05 December 2012 02:28 PM   [ # 9 ]
Member

I see that it is fixed but it must not be thanks to you since here is what you replied:

But as no payment information is held on site, there should be no inherent problem.

 
 
Posted: 05 December 2012 02:30 PM   [ # 10 ]
Administrator

I am only a Moderator, I can’t solve any problems of any sort, but can pass them on when highlighted. You filed a support ticket as well, which is more information for them.  We were told, as in the thread I linked to, that no information was held on site.

 
 
Posted: 05 December 2012 02:38 PM   [ # 11 ]
Member

Yes but here is what you have replied:

But as no payment information is held on site, there should be no inherent problem.

Therefore…

Anyway, holding information on a server is one thing and sending CC data on a partially encrypted server is different. As a forum administrator and customer it is something that you should know.

 
 
Posted: 05 December 2012 02:55 PM   [ # 12 ]
Administrator

Agreed, and now I do know. I obviously was only partially informed, or something had changed temporarily, which is now fixed.

But no credit card data is transferred when you purchase from the store, if you have your card details saved with DAZ 3D, which was why I said what I did.

 
 
Posted: 05 December 2012 07:11 PM   [ # 13 ]
Active Member

I’m glad, and relieved to see it has been rectified…

Thank you DAZ for your prompt attention.


cosmo71:

Yes, it has always been encrypted, and showing both the encryption padlock and the https header.

Being very paranoid after three (that’s THREE) times a victim of identity theft (including credit card), I make sure that padlock and https header are there for any secure log-in I use.

I know it wasn’t Firefox, because Yahoo mail log-in retained its encryption integrity.


chohole:

I respectfully disagree with your assessment.

Within the past two weeks I had read a forum thread here regarding one of our fellow patrons who had his deleted, supposedly non-existent, non-stored credit card info auto-charged for a long since canceled Platinum Club membership (I am fuzzy on the details, but that was the gist of it).

Barring that concern alone, what of our Gift Card/Store Credits stored under our accounts?

That’s what really concerns me.  That someone could intercept my log-in details, log in as me, and use my credit to make purchases.  Then, when I was ready to make a purchase I would find out the hard way from DAZ that I have already “used up” all my credit.

These are just “what if’s”, of course, but it’s better to be safe than sorry…

 
 
Posted: 05 December 2012 07:13 PM   [ # 14 ]
Active Member
chohole - 05 December 2012 02:55 PM

But no credit card data is transferred when you purchase from the store, if you have your card details saved with DAZ 3D, which was why I said what I did.

That’s not quite true.  One piece of data relating to the credit card is transferred with each purchase: the security code.
