
  1. #1
    DoubleDee

    Where does Form Data go on Pop-up?

    GoDaddy.com recently changed their website - disappointing like Yahoo - and one of the changes they made is how the log-in feature works.

    Now when you click on the "Login" link on the Home Page, you get a Pop-Up Window (i.e. "Lightbox") asking for an Account # and Password.

    How do I know where my "Log-In Credentials" are going in that pop-up window, since there is no "Address Bar" associated with it?!

    For all I know, I could be sending things over an UNENCRYPTED connection to someone in Nigeria?!

    Attachment 63086


    This whole new setup makes me *very* nervous...

    Sincerely,


    Debbie

  2. #2
    how.png

    Not the most elegant solution; just view the source of the form using Firebug and look for the action attribute of the form. You can see it's sending it to GoDaddy's website using SSL.

  3. #3
    That doesn't change the fact that on the backend the data could be sent to someone in Nigeria. Any way you slice it once you give them the data GoDaddy could be sharing it with anyone including the government. Though that goes for any company really. It just comes down to trusting your provider.
    The only code I hate more than my own is everyone else's.

  4. #4
    DoubleDee
    Originally posted by oddz:
    > That doesn't change the fact that on the backend the data could be sent to someone in Nigeria. Any way you slice it once you give them the data GoDaddy could be sharing it with anyone including the government. Though that goes for any company really. It just comes down to trusting your provider.

    You're not following me...

    On a *normal* website, you would click on the "Log-in" link, and be taken to another page (e.g. https://www.Debbie.com/log-in.php ) with a Web Form on *that* same page.

    So when you submitted that form, you would be reassured that your Log-In Credentials were going directly from the web form at "log-in.php" to Debbie, Inc.'s servers. And, you would know that the data "in transit" was travelling safely over HTTPS.


    **********
    With GoDaddy's website, first of all, you start off on http://www.GoDaddy.com/# which is NOT secure.

    Next, after clicking on the link, you get this Pop-Up Form and have no way of knowing if that Form is *secure*?!

    If you are on an unencrypted page to start with, and then you get a Pop-Up Form, would you trust that your Username/Password are being encrypted before they go to GoDaddy??

    I wouldn't!!

    And GoDaddy provides no way to get around this new "cutesy" design...

    That is my concern!!

    Sincerely,


    Debbie

  5. #5
    Jeff Mott
    Originally posted by DoubleDee:
    > On a *normal* website, you would click on the "Log-in" link, and be taken to another page (e.g. https://www.Debbie.com/log-in.php ) with a Web Form on *that* same page.
    >
    > So when you submitted that form, you would be reassured that your Log-In Credentials were going directly from the web form at "log-in.php" to Debbie, Inc.'s servers. And, you would know that the data "in transit" was travelling safely over HTTPS.

    That's actually not the case. Imagine that https://www.Debbie.com/log-in.php contains this HTML:

    Code HTML4Strict:
    <form action="http://www.somewhere-else.com/somewhere-else.php">

    Just because you're viewing the form securely doesn't mean that it's submitting securely. Likewise, just because you're viewing the form at log-in.php doesn't mean that it's submitting to that same place.

    Unless you want to dive into the site's code, you'll need the browser to help you. Some browsers will give you the option to "Warn me before submitting insecure information." But even that won't always help. Sometimes -- oftentimes, these days -- forms aren't submitted in the traditional way. Instead, JavaScript will often capture the form submit event and do special processing. Sometimes that processing includes sending a request to the server to check your login in an ajaxy way.

    So, how then can you know ahead of time whether your submission will be secure? Probably you can't. Sorry. Best you can do is to check after the fact by watching the network console.
    "First make it work. Then make it better."

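An added example, not part of the original thread: a static audit of the point made in the post above, resolving each form's submit target against the page URL and flagging cleartext or off-site targets, plus forms delivered by a non-HTTPS page. `auditForms`, `attr`, the flag names and the sample markup are constructed for illustration.

```javascript
// Added example: report where the forms in a page will submit.
// auditForms, attr and the flag names are illustrative, not from the thread.
const attr = (tag, name) => {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
};

function auditForms(html, pageUrl) {
  const page = new URL(pageUrl);
  const results = [];
  // An unclosed <form> (as in the post's snippet) runs to the end of the markup.
  for (const m of html.matchAll(/<form\b[^>]*>([\s\S]*?)(?:<\/form>|$)/gi)) {
    const formTag = m[0].slice(0, m[0].indexOf('>') + 1);
    // A missing or empty action submits back to the page's own URL.
    const targets = [attr(formTag, 'action') || pageUrl];
    // A submit control can override the form's action with formaction.
    for (const b of m[1].matchAll(/<(?:button|input)\b[^>]*>/gi)) {
      const fa = attr(b[0], 'formaction');
      if (fa) targets.push(fa);
    }
    for (const t of targets) {
      const target = new URL(t, page); // resolve relative URLs as the browser would
      const flags = [];
      if (target.protocol !== 'https:') flags.push('submits-in-cleartext');
      if (target.origin !== page.origin) flags.push('cross-origin');
      // Markup delivered over HTTP can be altered in transit, so its action
      // cannot be trusted even when it names an HTTPS URL.
      if (page.protocol !== 'https:') flags.push('page-not-https');
      results.push({ target: target.href, flags });
    }
  }
  return results;
}

// Constructed sample: the HTTPS login page from the post with its off-site HTTP action.
const SAMPLE = '<form action="http://www.somewhere-else.com/somewhere-else.php">';
console.log(auditForms(SAMPLE, 'https://www.Debbie.com/log-in.php'));
```

This reads only the markup; a submission handled by JavaScript, as the post notes, still has to be confirmed in the browser's network console.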
  6. #6
    DoubleDee
    Originally posted by Jeff Mott:
    > That's actually not the case. Imagine that https://www.Debbie.com/log-in.php contains this HTML:
    >
    > Code HTML4Strict:
    > <form action="http://www.somewhere-else.com/somewhere-else.php">
    >
    > Just because you're viewing the form securely doesn't mean that it's submitting securely. Likewise, just because you're viewing the form at log-in.php doesn't mean that it's submitting to that same place.

    Good point.


    Originally posted by Jeff Mott:
    > Unless you want to dive into the site's code, you'll need the browser to help you. Some browsers will give you the option to "Warn me before submitting insecure information." But even that won't always help. Sometimes -- oftentimes, these days -- forms aren't submitted in the traditional way. Instead, JavaScript will often capture the form submit event and do special processing. Sometimes that processing includes sending a request to the server to check your login in an ajaxy way.
    >
    > So, how then can you know ahead of time whether your submission will be secure? Probably you can't. Sorry.

    That's pretty screwed up!!!!!!!!!


    Originally posted by Jeff Mott:
    > Best you can do is to check after the fact by watching the network console.

    I don't understand what you mean??


    So, back to my original post...

    Would YOU trust GoDaddy's Popup Login Form??

    Sincerely,


    Debbie

  7. #7
    Jeff Mott
    Originally posted by DoubleDee:
    > > Best you can do is to check after the fact by watching the network console.
    >
    > I don't understand what you mean??

    "First make it work. Then make it better."

  8. #8
    ralph.m
    Originally posted by DoubleDee:
    > Would YOU trust GoDaddy's Popup Login Form?

    Did you see the link I posted? It answers your question.

  9. #9
    ralph.m
    GoDaddy's login form is already acknowledged by security experts as hopelessly insecure: http://www.troyhunt.com/2013/05/your...s-but-you.html

  10. #10
    ralph.m
    ...than it is to start here... http://www.godaddy.com
    Yes, that's the real problem.

