Search This Blog

27 February 2018

Page security

Some time ago I noticed a problem with the security on some of the pages of a bank.
If we visit this address https://www.<blurred :)>.bg/bg/debitni-karti/page/10 , we see the result on image1 - green padlock and green text in the address bar of the browser, which informs us that the communication with this page is secured with an Extended Validation SSL certificate.


If we continue browsing to the site and go to the pages for card products,  for example: https://www.<blurred :)>.bg/bg/page/3301#nasheto-predlojenie , we no longer see the green padlock and green text, but a gray padlock with a yellow triangle and exclamation mark. If we click on it we click on it it says that the connection to the page is not secure and the reason is that some of the content is not served over https - image2, image3, image4



If we look at the source code of the page we see that three of the images on that page are with URLs over http protocol. If we try to access these images we see that they are not available and that the server redirects us to their new location which is over https protocol. So the browser is making an unnecessary request over http just to get a response code 302 and a "Location" header with the new address of the image.
So the images have been removed from http and they are only accessible by https, but they have just forgotten to update some of the pages "src" attributes, and the browser is making an unnecessary http request.

Needles to say I have informed the bank of their insecure pages and they have immediately solved the issue, of-course not missing to send a "Thanks" my way, which is always nice to hear.

I remember pointing out a problem with the e-commerce pages of a PC parts store, which prevented them from being loaded - the user had to manually reload the page if it was opened as a new tab. They fixed it after a week or so, but didn't even bother to say "Thank you". 

But here we see www.<blurred :)>.bg having a lightning fast reaction and this is what is expected when it comes to core business :)

No comments:

Post a Comment