
Firefox gets complaint for labeling unencrypted login page insecure - gvb
https://arstechnica.com/security/2017/03/firefox-gets-complaint-for-labeling-unencrypted-login-page-insecure/
======
probably_wrong
Previously discussed here:
[https://news.ycombinator.com/item?id=13917778](https://news.ycombinator.com/item?id=13917778)

~~~
AndrewDucker
It's marked as a dupe (and presumably flagged) despite the original story now
linking to a locked Bugzilla entry, with no information about context.

Could we un-dupe it?

------
pdpi
> Update: As several commenters have pointed out, the site's subscription
> page[0] transmits credit card information over plain-vanilla HTTP pages as
> well.

0.
[http://www.oilandgasinternational.com/SSL_Subscribe/subscrib...](http://www.oilandgasinternational.com/SSL_Subscribe/subscribe_us.aspx)

~~~
tyingq
It's got other issues as well. It spewed an error page for me with snippets of
source code. [http://imgur.com/a/UiPDf](http://imgur.com/a/UiPDf)
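An added audit script (not from the thread, and not Firefox's own code) that reproduces the condition behind the warning being discussed: a password or card-number field whose contents would leave the browser without TLS, because either the page itself or the form's action URL is plain http. The page URL, HTML and form ids are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page served over http:// with three forms.
SAMPLE_URL = "http://www.example.com/subscribe.aspx"
SAMPLE_HTML = """
<form id="login" action="login.aspx" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form id="pay" action="https://pay.example.com/charge" method="post">
  <input name="cc" autocomplete="cc-number">
</form>
<form id="search" action="/search"><input name="q"></form>
"""

# autocomplete tokens that mark a field as carrying credentials or card data
SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "current-password", "new-password"}

class FormAuditor(HTMLParser):
    """Collects every form and whether it contains a sensitive input."""
    def __init__(self):
        super().__init__()
        self.forms = []        # entries: (form_id, action, has_sensitive_field)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = [a.get("id", "?"), a.get("action", ""), False]
        elif tag == "input" and self._current is not None:
            if (a.get("type", "").lower() == "password"
                    or a.get("autocomplete", "").lower() in SENSITIVE_AUTOCOMPLETE):
                self._current[2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def find_insecure_forms(page_url, html):
    """Return ids of forms with a sensitive field that is exposed to the network:
    the hosting page is not https (its markup can be tampered with in transit),
    or the form posts to a non-https action (the data itself travels in clear)."""
    auditor = FormAuditor()
    auditor.feed(html)
    auditor.close()
    flagged = []
    for form_id, action, sensitive in auditor.forms:
        if not sensitive:
            continue
        target = urljoin(page_url, action)   # resolve relative actions
        if urlsplit(page_url).scheme != "https" or urlsplit(target).scheme != "https":
            flagged.append(form_id)
    return flagged
```

Running it on the constructed page flags `login` and `pay` but not `search`; the same markup served from an https URL flags nothing, since the relative action then resolves to https as well.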

------
K0nserv
I was sympathetic of the site owner until I read that they are sending credit
card information over HTTP on a page that claims to be doing so securely. With
that level of negligence they deserve what they get here.

~~~
jacquesm
Still, the chances of that number being caught 'in transit' are a lot smaller
than the chances of it being caught 'at rest'. The risk here is mostly in
exploits on the page and absent those you're going to have to trust the party
on the other end to keep your data safe or to not keep it at all.

It's a risk roughly equivalent to speaking on the phone to a hotel registry
and giving them your CC#, or a car rental agency. And in that case, at least
one other person now has your number (and that's besides all the other people
that already have the numbers and those that handled the card in your absence,
waiters in restaurants and so on).

Credit Cards working without something along the lines of VBV is a bug, not a
feature and the fact that 'just a number' is worth money is where the real
problem lies, not in how it got transmitted, that's just a reduction of the
risk, not an elimination.

All that said there is absolutely no excuse why they should not use HTTPS, and
it also makes you very wary of doing business with this party at all, likely
their other security sucks.

------
skarap
Would be nice to have an option to disable this for intranets. Otherwise - a
very good thing to do.

~~~
50CNT
Couldn't you just set up a Private CA since you'd have to customize things
anyways?

~~~
majewsky
Exactly. You should never consider a network perfectly secure, no matter if it
is the internet or your intranet.