IGINDEX - It seems that HTTPS login now defaults to non secure http, from today

peakoil said:
"Can I respectfully point the honourable member to the answer I gave on page one of this thread..Honestly, as if the IG techies haven't got this sussed and sorted.."

Just wondering if your ancestors didst, perchance, roll their eyes at those who thought the titanic could sink? Nearer to the present day, in the middle of May, no one could foresee what was coming days later for Sony?

And if there was a response from Ig techies about this, if anyone's else's tried contacting them, I'd like to see it too.

My point is, when it comes to data security, if there is any way to do things better, and the EFF page (that I linked above) shows how secure information should be utilised on the web, then it should be done the industry standard way, which is certified, strongly secure and verifiable by all interested parties. At present this is still not as it should be. But it was - until they re-routed https requests to http. So putting things back to the way they were isn't too much to expect of Ig Index when all I'm seeking is that they do things the very way that those who wish strongly to protect data of customers in the industry usually do: Https request = https page!
Click to expand...

What did they say when you had a conversation with them?
 
@Black Swan: I rang once and emailed once, but the latter has yet to receive any response. The former was as I suggested in my first post: he basically thought that there was nothing wrong with their web security. Albeit, did his best to explain that there was nothing to worry about in a friendly manner. And, as I'm not the type who rings up CS repeatedly to air my problems so I left it at that and emailed them asking my email to be referred to the web dev people...

I trust that there must be a few of us here who want to know for certain that there is absolutely no risk to their logins & passwords since the https login option was changed. Hence this thread.
 
peakoil said:
@Black Swan: I rang once and emailed once, but the latter has yet to receive any response. The former was as I suggested in my first post: he basically thought that there was nothing wrong with their web security. Albeit, did his best to explain that there was nothing to worry about in a friendly manner. And, as I'm not the type who rings up CS repeatedly to air my problems so I left it at that and emailed them asking my email to be referred to the web dev people...

I trust that there must be a few of us here who want to know for certain that there is absolutely no risk to their logins & passwords since the https login option was changed. Hence this thread.
Click to expand...

Did they mention that these 'changes' you are adamant took place on Monday have actually been in place for months?
 
They never on the phone to me said that they were in place for months So now that they've a couple of days to think about it, that's the perfect response to make them look of no consequence at all. Days or months - the facts still remain as argued. Sony was a company for more than a few months as far as I remember. I do admire the attempted put-down/pwnage, though.
 
peakoil said:
But it was - until they re-routed https requests to http.
Click to expand...

As has already been explained on page 1, they are NOT routing https requests to http. The action form on the IGIndex home page sends a secure https request, and from that point onwards everything is as secure over https makes it!

Sure people in vans parked outside your house using high power decryption hardware can intercept your WiFi signals and steal your login details, but you've got to get to a point where you're satisfied you're safe enough! Actually, I know a chap who doesn't use WiFi for this very reason...!
 
peakoil said:
Sony was a company for more than a few months as far as I remember. I do admire the attempted put-down/pwnage, though.
Click to expand...

If you still have the same concerns then why don't you check the source code of the page everytime you load it? The code for the login box is only a few lines, it would be easy to spot anything unusual.
 
Yes, yes: When I say they re-route a https request to http, of course I accept that that means the page is http but the login is most probably over https. I have already stated in earlier posts the term "mixed mode" meaning http page with partial https transfer for the login information. As the EFF page demonstrates mixed mode is not ideal, and we deserve better which is full https for any login page, that is, the *whole* page! And this is the way things were until they very recently changed things. That's not too much to expect nor ask.
 
leonarda said:
As has already been explained on page 1, they are NOT routing https requests to http. The action form on the IGIndex home page sends a secure https request, and from that point onwards everything is as secure over https makes it!

Sure people in vans parked outside your house using high power decryption hardware can intercept your WiFi signals and steal your login details, but you've got to get to a point where you're satisfied you're safe enough! Actually, I know a chap who doesn't use WiFi for this very reason...!
Click to expand...

Actually WPA2 hasn't been broken, they can only do this if you are using WEP which is about as secure as a tin of biscuits in my kitchen.
 
Apothecary said:
If you still have the same concerns then why don't you check the source code of the page everytime you load it? The code for the login box is only a few lines, it would be easy to spot anything unusual.
Click to expand...

Here is a login code http://www.igindex.co.uk/lib/js/login-min.js?10000
Just one line of minified and obfuscated javascript code.
I am curious what people here think about this code. Is it easy to spot anything unusual in it?

Not to mention that one have to check all other script files as well.
 
Here is a solution for peakoil. You can write a small page with login, password and submit button and host it on your local box. This way you will never request an unsecure igindex login page.
 
@6am you know, I'd hoped I wasn't the only one in the world who missed the full https login page. But, it's beginning to feel that way...
 
6am said:
Here is a login code http://www.igindex.co.uk/lib/js/login-min.js?10000
Just one line of minified and obfuscated javascript code.
I am curious what people here think about this code. Is it easy to spot anything unusual in it?

Not to mention that one have to check all other script files as well.
Click to expand...

Sorry mate, not so, you're looking at the wrong bit.

The homepage login form doesn't have any javascript associated with it, all it does is post your username and password over https.
 
Apothecary said:
Sorry mate, not so, you're looking at the wrong bit.

The homepage login form doesn't have any javascript associated with it, all it does is post your username and password over https.
Click to expand...

Can you prove it?

Here is what I see in Firefox
Code: 
<form action="https://www.igindex.co.uk/spread-betting/re_javascript_inactive.html" method="post" id="login" name="login" autocomplete="off">
..............
<script src="/lib/js/login-min.js?10000" type="text/javascript"></script>

If you do not have javascript enabled then login will send you to the page https://www.igindex.co.uk/spread-betting/re_javascript_inactive.html
which will tell you to enable it.

However if you have javascript enabled it will change action attribute to the different url (and will do some other stuff). All this logic is located in the login-min.js script which is minified and obfuscated.

It is very easy to check. Install noscript plugin in firefox and click login and see what happens.
 
6am said:
Can you prove it?

Here is what I see in Firefox
Code: 
<form action="https://www.igindex.co.uk/spread-betting/re_javascript_inactive.html" method="post" id="login" name="login" autocomplete="off">
..............
<script src="/lib/js/login-min.js?10000" type="text/javascript"></script>

If you do not have javascript enabled then login will send you to the page https://www.igindex.co.uk/spread-betting/re_javascript_inactive.html
which will tell you to enable it.

However if you have javascript enabled it will change action attribute to the different url (and will do some other stuff). All this logic is located in the login-min.js script which is minified and obfuscated.

It is very easy to check. Install noscript plugin in firefox and click login and see what happens.
Click to expand...

Look again, that script block is outside of the login form!!!
 
Apothecary said:
Look again, that script block is outside of the login form!!!
Click to expand...
I give up. It is pointless to continue. In my humble opinion you do not have a clue what you are talking about. Sorry but I am not going to educate you. May I suggest that you read some javascript and html tutorials.
 
You must log in or register to reply here.

Similar threads

trendie
collective2: security problem
Replies
5
Views
3K
oildaytrader
oildaytrader
ironjaw
Amazon AWS WorkSpace
Replies
6
Views
2K
ironjaw
ironjaw
Matt Vann
  • Article
Getting Started PC Security ? Preventative Measures
Replies
14
Views
7K
jeremyburrough
J
A
Please help me with Bloomberg terminal!!!
Replies
2
Views
3K
sk1105
S
James Kerin
  • Article
Psychology Day Trading & Scalping 4 Signs that You are Addicted to Investing
Replies
3
Views
3K
pass4sureguide
P
Top