Web security WTF







  • The customer-support types at Pandora would have me believe that the little orange icon in the corner of the screen is proof that the (flash-based) form here is using encryption.



  • Maybe it is? Perhaps the flash form submits the info over an encrypted connection like they say? It's not like Flash can't use SSL.



  •  Pandora does use SSL. The Entire Flash App is transported over HTTPS, but it does make some HTTP requests. It also has internal blowfish encryption, but that might have changed since the last time I looked at it....
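    Whether a form delivered over HTTPS actually keeps the data off the wire is something you check on the network, not by looking for a padlock graphic. The script below is an added example (not Pandora's code, and not captured Pandora traffic): it takes the page's URL plus a list of requests as a proxy or the browser's network panel would record them, and grades every plain-HTTP request against what an HTTPS page promises. Hostnames, paths and the request list are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample, not captured traffic: what a proxy log or the browser's
# network panel might show while a hypothetical HTTPS-delivered Flash form is
# loaded and then submitted. Hostnames and paths are placeholders.
SAMPLE_PAGE = "https://www.example-radio.com/player"
SAMPLE_REQUESTS = [
    {"method": "GET",  "type": "object",     "url": "https://www.example-radio.com/player.swf"},
    {"method": "GET",  "type": "image",      "url": "https://www.example-radio.com/img/lock.png"},
    {"method": "GET",  "type": "image",      "url": "http://img.example-radio.com/albumart/1.jpg"},
    {"method": "GET",  "type": "stylesheet", "url": "http://static.example-radio.com/skin.css"},
    {"method": "POST", "type": "xhr",        "url": "http://www.example-radio.com/billing/submit"},
    {"method": "POST", "type": "xhr",        "url": "https://www.example-radio.com/billing/submit"},
]

# Resource types whose tampering gives an on-path attacker control of the page
# (browsers call these "active" mixed content); the rest only leak what was fetched.
ACTIVE_TYPES = {"script", "stylesheet", "object", "xhr", "iframe", "font", "document"}

SEVERITY_ORDER = ["passive-mixed-content", "active-mixed-content",
                  "cleartext-submission", "page-not-https"]


def classify_request(page_url, req):
    """Return None if `req` is acceptable for a page served from `page_url`,
    otherwise a finding dict carrying a severity label and the reason."""
    page = urlparse(page_url)
    target = urlparse(req["url"])
    if page.scheme != "https":
        return {"severity": "page-not-https", "url": req["url"],
                "why": "the page itself was loaded in the clear"}
    if target.scheme == "https":
        return None
    if req["method"].upper() in ("POST", "PUT", "PATCH"):
        # The form data itself travels in the clear, regardless of how the
        # page and any padlock graphic inside it were delivered.
        return {"severity": "cleartext-submission", "url": req["url"],
                "why": "form data sent over http from an https page"}
    if req["type"] in ACTIVE_TYPES:
        return {"severity": "active-mixed-content", "url": req["url"],
                "why": f"{req['type']} fetched over http can rewrite the page"}
    return {"severity": "passive-mixed-content", "url": req["url"],
            "why": f"{req['type']} fetched over http is visible to the network"}


def audit(page_url, requests):
    """Findings for every request that undermines the HTTPS promise of the page."""
    return [f for f in (classify_request(page_url, r) for r in requests) if f]


def worst(findings):
    """The single most serious severity label, or None if the page is clean."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    findings = audit(SAMPLE_PAGE, SAMPLE_REQUESTS)
    for f in findings:
        print(f"{f['severity']:<24} {f['url']}  ({f['why']})")
    print("verdict:", worst(findings))
```

    On the constructed sample the verdict is "cleartext-submission": the HTTPS-delivered player and its lock image are fine, the album art is passive mixed content, the stylesheet is active mixed content, and the billing POST over http is the one that actually matters. Feed it a real request list from a proxy and you get the answer the padlock graphic cannot give you.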



  • @gotPSP said:

     Pandora does use SSL. The Entire Flash App is transported over HTTPS, but it does make some HTTP requests. It also has internal blowfish encryption, but that might have changed since the last time I looked at it....

    That's not the point, though - the little padlock icon still doesn't mean anything more than "We want you to think you're secure".

    Anybody can put that icon inside a page. It only means something when the browser puts it outside the page.



  • @aihtdikh said:

    the little padlock icon still doesn't mean anything more than "We want you to think you're secure".

    Anybody can put that icon inside a page. It only means something when the browser puts it outside the page.


    as opposed to "we've made sure you're secure, but don't give a shit what you think about it"? sure it would have been better if the browser could vouch for the security of the arrangement, but probably in this case that's not really possible. it would be a WTF if they haven't done anything to assure the security of the form submission. it isn't a WTF that they placed an icon on their form that might make many of their non-savvy customers feel secure.



  • @lanzz said:

    @aihtdikh said:

    the little padlock icon still doesn't mean anything more than "We want you to think you're secure".

    Anybody can put that icon inside a page. It only means something when the browser puts it outside the page.


    as opposed to "we've made sure you're secure, but don't give a shit what you think about it"? sure it would have been better if the browser could vouch for the security of the arrangement, but probably in this case that's not really possible. it would be a WTF if they haven't done anything to assure the security of the form submission. it isn't a WTF that they placed an icon on their form that might make many of their non-savvy customers feel secure.
     It is a WTF. This flies in the face of trying to educate users that unless they see the browser state that a page is secure it isn't, things like this try to suggest to them that they can trust the content instead.

    So sure the fancy flash thing is pretty but it's an extremely bad idea.

     

    (Plus you now have no idea if it really is secure or not!)



  • @aihtdikh said:

    @gotPSP said:

     Pandora does use SSL. The Entire Flash App is transported over HTTPS, but it does make some HTTP requests. It also has internal blowfish encryption, but that might have changed since the last time I looked at it....

    That's not the point, though - the little padlock icon still doesn't mean anything more than "We want you to think you're secure".

    Anybody can put that icon inside a page. It only means something when the browser puts it outside the page.

    Nonsense.  The lock icon assures you that it's safe.  Oh, that reminds me, I need everyone's credit card numbers for a... project I'm working on...  Don't worry, it's safe.  See the icon?




  • @bstorer said:

    Nonsense.  The lock icon assures you that it's safe.  Oh, that reminds me, I need everyone's credit card numbers for a... project I'm working on...  Don't worry, it's safe.  See the icon?

    Oh hey, I see a lock, so it must be safe!

    4828 572kzzert

    ⊰ This user has been re-educated with the aid of a high-voltage device. ⊱



  • @gotPSP said:

    Filed under: Security by "because we say it is"

    PROTIP: All Internet security is like that.  Same thing with the Verisign logos and all that.  Even certs themselves only mean security by "I paid that guy over there some money to look me over (along with millions of other people) and decide if I look trustworthy and he said I was cool."  As always, you need to take responsibility and be intelligent.  You can't expect technology to solve basic social problems like dishonesty.



  • @morbiuswilters said:

    you need to take responsibility and be intelligent.

    People can be, but when they enter Computer User mode, they tend to fail both.



  • @dhromed said:

    @morbiuswilters said:

    you need to take responsibility and be intelligent.

    People can be, but when they enter Computer User mode, they tend to fail both.

    People often fail Turing's test. 



  • @morbiuswilters said:

    People often fail Turing's test. 
     

    How is that possible? The only way that could happen is by the judger not having a good idea of what normal people say. It's impossible for a human (who can write and read natural language and doesn't deliberately sabotage the test) to fail it, since if he/she does the test wasn't properly executed.



  • @dtech said:

    How is that possible? The only way that could happen is by the judger not having a good idea of what normal people say. It's impossible for a human (who can write and read natural language and doesn't deliberately sabotage the test) to fail it, since if he/she does the test wasn't properly executed.
     

    Pssst!

    I think Morp was making an over-the-top comparison to subtly indicate his level of respect for the intelligence of some (many) people.

    I think.



  • @bstorer said:

    Oh, that reminds me, I need everyone's credit card numbers for a... project
    I'm working on...  Don't worry, it's safe.  See the icon?


    Sure. The link is secure, so it's totally genuine:

    [img]http://www.iconarchive.com/icons/dapino/money/Credit-Card-256x256.png[/img]



  • @morbiuswilters said:

    @gotPSP said:

    Filed under: Security by "because we say it is"

    PROTIP: All Internet security is like that.  Same thing with the Verisign logos and all that.  Even certs themselves only mean security by "I paid that guy over there some money to look me over (along with millions of other people) and decide if I look trustworthy and he said I was cool."  As always, you need to take responsibility and be intelligent.  You can't expect technology to solve basic social problems like dishonesty.

     

     

    Damn, all this time I thought SSL had some mathematical merit.



  • @dtech said:

    @morbiuswilters said:

    People often fail Turing's test. 
     

    How is that possible? The only way that could happen is by the judger not having a good idea of what normal people say. It's impossible for a human (who can write and read natural language and doesn't deliberately sabotage the test) to fail it, since if he/she does the test wasn't properly executed.

    You must not have heard about a beard called SpectateSwamp.



  • @morbiuswilters said:

    @gotPSP said:

    Filed under: Security by "because we say it is"

    PROTIP: All Internet security is like that.  Same thing with the Verisign logos and all that.  Even certs themselves only mean security by "I paid that guy over there some money to look me over (along with millions of other people) and decide if I look trustworthy and he said I was cool."  As always, you need to take responsibility and be intelligent.  You can't expect technology to solve basic social problems like dishonesty.

    In addition to "you look trustworthy", a certificate (properly used) says two other things, as well. 1) The connection is encrypted, and 2) the connection has been made to the website you think it's being made to.
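    The second of those two guarantees, that you reached the site you typed, is the part a padlock graphic inside the page can never give you, and it is purely a name-matching rule the browser applies to the certificate it was shown. The script below is an added example (not the browser's code, not anything from the thread) of that rule: it compares a requested hostname against the certificate's subjectAltName entries the way RFC 6125 and current browsers do, with wildcards honoured only as the whole leftmost label, ignores the subject commonName, and also checks the validity window. The certificate dicts mirror the shape Python's ssl.SSLSocket.getpeercert() returns, but are constructed placeholders; chain validation (the "I paid that guy over there" part) is left to the TLS library and is not shown.

```python
import ipaddress
import ssl

# Constructed certificate descriptions in the dict shape that
# ssl.SSLSocket.getpeercert() returns for a verified peer. Names are placeholders.
SITE_CERT = {
    "subject": ((("commonName", "www.example-radio.com"),),),
    "subjectAltName": (("DNS", "www.example-radio.com"), ("DNS", "example-radio.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter":  "Jun  1 12:00:00 2030 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example-radio.com"),),),
    "subjectAltName": (("DNS", "*.example-radio.com"),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter":  "Jun  1 12:00:00 2030 GMT",
}
# A perfectly valid certificate for a look-alike domain anyone could register:
# a CA will happily issue it, and the browser's own name check is what stops
# it from standing in for the real site.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www.example-radio-secure.com"),),),
    "subjectAltName": (("DNS", "www.example-radio-secure.com"),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter":  "Jun  1 12:00:00 2030 GMT",
}


def cert_time(s):
    """Seconds since the epoch for a getpeercert()-style timestamp string."""
    return ssl.cert_time_to_seconds(s)


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison of one SAN dNSName against the requested host.
    A wildcard is honoured only as the entire leftmost label, only once, and
    never when fewer than two labels follow it (so "*.com" matches nothing)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert):
    """True if the certificate is bound to the name the user typed. Only the
    subjectAltName extension is consulted; the subject commonName is ignored,
    as browsers have done for years."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
    return any(t == "DNS" and dns_name_matches(v, hostname) for t, v in sans)


def cert_problems(hostname, cert, now):
    """Everything that would make a browser refuse to show its own padlock for
    this host/certificate pair. Chain validation is the TLS library's job and
    is deliberately not repeated here."""
    problems = []
    if not hostname_matches_cert(hostname, cert):
        problems.append("name mismatch")
    if now < cert_time(cert["notBefore"]):
        problems.append("not yet valid")
    if now > cert_time(cert["notAfter"]):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    now = cert_time("Jan  1 00:00:00 2026 GMT")
    for host in ("www.example-radio.com", "api.example-radio.com", "www.example-radio-secure.com"):
        for label, cert in (("site", SITE_CERT), ("wildcard", WILDCARD_CERT), ("lookalike", LOOKALIKE_CERT)):
            print(f"{host:<30} {label:<10} {cert_problems(host, cert, now) or 'ok'}")
```

    In real code you never call this by hand: ssl.create_default_context() sets check_hostname=True and the library applies the same rule before the handshake completes. The point of spelling it out is that the look-alike certificate fails only because the browser compares the name it was asked for against the name in the certificate; nothing the page itself draws participates in that comparison.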



  • @Carnildo said:

    In addition to "you look trustworthy", a certificate (properly used) says two other things, as well. 1) The connection is encrypted, and 2) the connection has been made to the website you think it's being made to.

    Plus - 3) if a scammer somehow managed to get a convincing-looking SSL certificate from a trusted certifying authority, they wouldn't have been able to do that without leaving at least some evidence for law enforcement to follow.

    The folks at certifying authorities have procedures to follow! It's a position that needs responsibility and meticulous following of security procedures! It's not like someone would walk in and get themselves an SSL cert in a big company's name, or something - they check stuff pretty thoroughly. Well, at least they wouldn't be able to pull that off the second time. Well, at least not if the staff at the CA still has that in recent memory. Maybe. 🙂



  • @Carnildo said:

    In addition to "you look trustworthy", a certificate (properly used) says two other things, as well. 1) The connection is encrypted, and 2) the connection has been made to the website you think it's being made to.
     

    You're confusing a (browser-controlled) SSL certificate with a "3rd-party certificate" (aka: an image you can download and just put on your server so it doesn't mean shit)



  • @derula said:

    You must not have heard about a beard called SpectateSwamp.
     

    Does he count as human?

