Philip Ramsey Headlines

Wednesday, February 2, 2011

When an encrypted login is not secure - the security is broken

While attempting to log in to your site via https://www.cch.ca/MyAccount/login.aspx I noticed the encryption is broken. Further investigation revealed a stylesheet and a number of scripts that are hosted on Google that are not encrypted. As a company that claims to be concerned with security, why are CSS and JS files hosted by Google needed on your login page? Why do you want to give your users' credentials to the world's most powerful search engine? I certainly do not want my CCH username and password showing up in Google's search results.

According to the source code of https://www.cch.ca/MyAccount/login.aspx there are three files that are not encrypted and hosted by Google. They are:

1) <link href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css">
2) <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>
3) <script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>

As Netscape found out back in 1995, when an unencrypted object is placed on an encrypted page, the unencrypted object creates a backdoor on the encrypted server that allows packet sniffers to see the encrypted information in clear text after it has been decrypted on encrypted server. To secure the login page these three files must be removed immediately.

The above is an email I sent to CCH Canada. They claim that they take security seriously. But, as you can see, they really do not grasp what security is all about. If they did, they would start by ensuring their encrypted servers are truly secured by following a few basic procedures: ensure that all objects (Flash presentations, graphics, multimedia files, cascading style sheets (CSS), JavaScript (JS) files, etc.) reside on encrypted servers. Unfortunately, CCH Canada is not alone when it comes to placing unencrypted objects on encrypted pages.
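The check described above can be automated. The script below is an added example, not code from the original post or from CCH: it scans a page's HTML for sub-resources fetched over plain http:// (the condition that makes the browser show a broken padlock), and rewrites them to https://. The security point it rests on is that a script fetched over http:// into an https:// page can be replaced by anyone on the network path, and the replacement runs with full access to the login form, so a clear-text script on a login page is as bad as a clear-text form. The sample HTML is constructed here to mirror the three tags listed in the email plus a form and two already-secure resources; the rewrite assumes the host also serves each file over HTTPS, as the major script CDNs do.

```python
"""Mixed-content audit for a page served over HTTPS (added example, not from the original post)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Element -> attribute that names the fetched URL. A clear-text <form action>
# is included because it sends the credentials themselves unencrypted, which is
# worse than mixed content; it is flagged and fixed the same way.
RESOURCE_ATTRS = {
    "script": "src",
    "link": "href",
    "img": "src",
    "iframe": "src",
    "embed": "src",
    "object": "data",
    "source": "src",
    "form": "action",
}

# Constructed sample modelled on the login page described in the email.
SAMPLE_HTML = """
<html><head>
<link href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css" />
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>
<script src="https://www.example.com/site.js"></script>
</head><body>
<form action="/MyAccount/login.aspx" method="post">
<input name="user"><input name="pass" type="password">
</form>
<img src="//www.example.com/logo.png">
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects every (tag, url) pair whose URL uses the http: scheme.

    Relative URLs ("/x.js") and protocol-relative URLs ("//cdn/x.js") inherit
    the page's https: scheme and are therefore not flagged.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value and urlsplit(value).scheme == "http":
                self.findings.append((tag, value))


def find_mixed_content(html):
    """Return [(tag, url), ...] for every clear-text sub-resource in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_to_https(url):
    """Rewrite an http:// URL to https://; any other URL is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def fix_page(html):
    """Return the page with every flagged URL rewritten to https://."""
    for _tag, url in find_mixed_content(html):
        html = html.replace(url, upgrade_to_https(url))
    return html


if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"clear-text <{tag}>: {url}")
    print("after fix:", find_mixed_content(fix_page(SAMPLE_HTML)))
```

Run against the sample, the scanner reports exactly the three Google-hosted files from the email and nothing else; after `fix_page` it reports none. On a real page, run the scan on the HTML as the browser receives it (after any server-side includes), since the mixed content is often introduced by a shared header template rather than the login page itself.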

The reason I use Mozilla (formerly known as Netscape) products is for their legendary security. My favourite is Seamonkey, the great-grandson of Netscape Navigator. Seamonkey, like its sibling Firefox, notifies the user when an encrypted page is not secure by displaying a broken padlock in the status bar. The latest versions of both Seamonkey and Firefox display both a closed padlock icon in the status bar and a coloured background in the URL field when the page is properly encrypted and secure. They also display a red broken padlock in the status bar but no coloured background in the URL field when the encrypted page is not secure.
