  1. #1
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)

    Where does Form Data go on Pop-up?

    GoDaddy.com recently changed their website - disappointing like Yahoo - and one of the changes they made is how the log-in feature works.

    Now when you click on the "Login" link on the Home Page, you get a Pop-Up Window (i.e. "Lightbox") asking for an Account # and Password.

    How do I know where my "Log-In Credentials" are going in that pop-up window, since there is no "Address Bar" associated with it?!

    For all I know, I could be sending things over an UNENCRYPTED connection to someone in Nigeria?!

    Attachment 63086


    This whole new setup makes me *very* nervous...

    Sincerely,


    Debbie

  2. #2
    SitePoint Addict bronze trophy
    Join Date
    Sep 2005
    Posts
    323
    Mentioned
    5 Post(s)
    Tagged
    0 Thread(s)
    how.png

    Not the most elegant solution; just view the source of the form using Firebug and look for the action attribute of the form. You can see it's sending it to GoDaddy's website using SSL.

  3. #3
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2006
    Location
    Augusta, Georgia, United States
    Posts
    4,184
    Mentioned
    17 Post(s)
    Tagged
    4 Thread(s)
    That doesn't change the fact that on the backend the data could be sent to someone in Nigeria. Any way you slice it once you give them the data GoDaddy could be sharing it with anyone including the government. Though that goes for any company really. It just comes down to trusting your provider.
    The only code I hate more than my own is everyone else's.

  4. #4
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by oddz View Post
    That doesn't change the fact that on the backend the data could be sent to someone in Nigeria. Any way you slice it once you give them the data GoDaddy could be sharing it with anyone including the government. Though that goes for any company really. It just comes down to trusting your provider.
    You're not following me...

    On a *normal* website, you would click on the "Log-in" link, and be taken to another page (e.g. https://www.Debbie.com/log-in.php ) with a Web Form on *that* same page.

    So when you submitted that form, you would be reassured that your Log-In Credentials were going directly from the web form at "log-in.php" to Debbie, Inc.'s servers. And, you would know that the data "in transit" was travelling safely over HTTPS.


    **********
    With GoDaddy's website, first of all, you start off on http://www.GoDaddy.com/# which is NOT secure.

    Next, after clicking on the link, you get this Pop-Up Form and have no way of knowing if that Form is *secure*?!

    If you are on an unencrypted page to start with, and then you get a Pop-Up Form, would you trust that your Username/Password are being encrypted before they go to GoDaddy??

    I wouldn't!!

    And GoDaddy provides no way to get around this new "cutesy" design...

    That is my concern!!

    Sincerely,


    Debbie

  5. #5
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,299
    Mentioned
    460 Post(s)
    Tagged
    8 Thread(s)
    GoDaddy's login form is already acknowledged by security experts as hopelessly insecure: http://www.troyhunt.com/2013/05/your...s-but-you.html

  6. #6
    SitePoint Wizard bronze trophy Jeff Mott's Avatar
    Join Date
    Jul 2009
    Posts
    1,313
    Mentioned
    19 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    On a *normal* website, you would click on the "Log-in" link, and be taken to another page (e.g. https://www.Debbie.com/log-in.php ) with a Web Form on *that* same page.

    So when you submitted that form, you would be reassured that your Log-In Credentials were going directly from the web form at "log-in.php" to Debbie, Inc.'s servers. And, you would know that the data "in transit" was travelling safely over HTTPS.
    That's actually not the case. Imagine that https://www.Debbie.com/log-in.php contains this HTML:

    Code HTML4Strict:
    <form action="http://www.somewhere-else.com/somewhere-else.php">

    Just because you're viewing the form securely doesn't mean that it's submitting securely. Likewise, just because you're viewing the form at log-in.php doesn't mean that it's submitting to that same place.

    Unless you want to dive into the site's code, you'll need the browser to help you. Some browsers will give you the option to "Warn me before submitting insecure information." But even that won't always help. Sometimes -- oftentimes, these days -- forms aren't submitted in the traditional way. Instead, JavaScript will often capture the form submit event and do special processing. Sometimes that processing includes sending a request to the server to check your login in an ajaxy way.

    So, how then can you know ahead of time whether your submission will be secure? Probably you can't. Sorry. Best you can do is to check after the fact by watching the network console.
    "First make it work. Then make it better."

  7. #7
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Jeff Mott View Post
    That's actually not the case. Imagine that https://www.Debbie.com/log-in.php contains this HTML:

    Code HTML4Strict:
    <form action="http://www.somewhere-else.com/somewhere-else.php">

    Just because you're viewing the form securely doesn't mean that it's submitting securely. Likewise, just because you're viewing the form at log-in.php doesn't mean that it's submitting to that same place.
    Good point.


    Quote Originally Posted by Jeff Mott View Post
    Unless you want to dive into the site's code, you'll need the browser to help you. Some browsers will give you the option to "Warn me before submitting insecure information." But even that won't always help. Sometimes -- oftentimes, these days -- forms aren't submitted in the traditional way. Instead, JavaScript will often capture the form submit event and do special processing. Sometimes that processing includes sending a request to the server to check your login in an ajaxy way.

    So, how then can you know ahead of time whether your submission will be secure? Probably you can't. Sorry.
    That's pretty screwed up!!!!!!!!!


    Quote Originally Posted by Jeff Mott View Post
    Best you can do is to check after the fact by watching the network console.
    I don't understand what you mean??


    So, back to my original post...

    Would YOU trust GoDaddy's Popup Login Form??

    Sincerely,


    Debbie

  8. #8
    SitePoint Wizard bronze trophy Jeff Mott's Avatar
    Join Date
    Jul 2009
    Posts
    1,313
    Mentioned
    19 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    > Best you can do is to check after the fact by watching the network console.

    I don't understand what you mean??
    "First make it work. Then make it better."

  9. #9
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,299
    Mentioned
    460 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    Would YOU trust GoDaddy's Popup Login Form?
    Did you see the link I posted? It answers your question.

  10. #10
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ralph.m View Post
    Did you see the link I posted? It answers your question.
    What do you think, Jeff??

    Your screenshot above seems to imply that the Log-In Popup is okay...

    (Although that is a hell of a lot of work for "Jane User" to do to feel safe...)


    Ralph certainly doesn't seem to be a fan of GoDaddy!!

    Did you have some bad experiences with them in the past??


    Off Topic:

    Maybe I would have been better posting this in the "Security Forum"??

    I'd be really interested to know what any "security gurus" out there think about all of this...


    Sincerely,


    Debbie

  11. #11
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    The plot thickens...

    I just found out from someone else that there is another way to login to your GoDaddy account here...

    https://mya.godaddy.com


    On the surface, it looks much better to me, but when I poke around using FireBug, I don't even see an HTML Form?!

    Apparently that Login Form uses all JavaScript to log a person in. That probably scares me even more than the Popup Login?!

    What do you think??

    Sincerely,


    Debbie

  12. #12
    SitePoint Wizard bronze trophy Jeff Mott's Avatar
    Join Date
    Jul 2009
    Posts
    1,313
    Mentioned
    19 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    What do you think, Jeff??
    I think ralph's link is definitely worth watching and learning from. It talks about a security issue that isn't often covered. Their premise is that the security of the submission isn't all that matters, that sending the form itself must also be secure. Otherwise the form's markup could be altered in transit, for example, to insert a script that logs your keystrokes.
    "First make it work. Then make it better."
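
The check discussed in posts #6 and #12, written out as an added example (not code from any poster or from GoDaddy): it resolves a form's action attribute the way a browser does and reports whether the page or the submission is not HTTPS, or whether the target is a different host. The function names and finding codes are assumptions of this example, and the sample URLs are constructed from the ones used in post #6.

```javascript
// Added example: audits where a login form would send credentials.
// auditLoginForm, auditPage and the finding codes are hypothetical names.

// pageUrl:    address the form's HTML was loaded from.
// actionAttr: raw value of the form's action attribute ('' or null if absent).
function auditLoginForm(pageUrl, actionAttr) {
  const page = new URL(pageUrl);
  // An empty or missing action submits back to the page's own URL;
  // a relative one is resolved against it, as the browser does.
  const target = new URL(actionAttr || '', page);
  const findings = [];
  // Post #12: a form delivered over HTTP can be altered in transit.
  if (page.protocol !== 'https:') findings.push('insecure-page');
  // Post #6: a securely viewed form can still submit insecurely...
  if (target.protocol !== 'https:') findings.push('insecure-submit');
  // ...and can submit somewhere other than the site being viewed.
  if (target.host !== page.host) findings.push('cross-host');
  return { target: target.href, findings };
}

// Browser console use: audit every form on the current page that has a
// password field. Not called under Node, where there is no document.
function auditPage() {
  return Array.from(document.forms)
    .filter((f) => f.querySelector('input[type="password"]'))
    .map((f) => auditLoginForm(location.href, f.getAttribute('action')));
}

// Constructed samples: [page URL, action attribute].
const SAMPLES = [
  ['https://www.Debbie.com/log-in.php', 'http://www.somewhere-else.com/somewhere-else.php'],
  ['https://www.Debbie.com/log-in.php', ''],
  ['http://www.Debbie.com/', 'https://www.Debbie.com/log-in.php'],
];

function auditSamples() {
  return SAMPLES.map(([pageUrl, action]) => auditLoginForm(pageUrl, action));
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

This only reads the action attribute; where a script intercepts the submit event, watching the network console remains the check, as post #6 says.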

  13. #13
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Jeff Mott View Post
    I think ralph's link is definitely worth watching and learning from. It talks about a security issue that isn't often covered. Their premise is that the security of the submission isn't all that matters, that sending the form itself must also be secure. Otherwise the form's markup could be altered in transit, for example, to insert a script that logs your keystrokes.
    Which of these logins would you trust more...

    1.) http://www.godaddy.com/# with a Pop-Up Form which supposedly uses Java "in an out of the norm process for logging in to prevent malicious activities"

    2.) https://mya.godaddy.com



    Also, would you ever use GoDaddy to Host a website?? (I have a VPS with them currently).


    For all of my bashing in this thread, there are some things that attracted me to, and have kept me with GoDaddy...

    a.) All Staff based in U.S.

    b.) All Servers based in U.S.

    c.) Affordable Servers for someone on a "shoe-string budget"

    d.) 24/7 Phone & Chat Access

    (Yeah, I think a lot of their technical people are clueless, but for a beginner like me, the 24/7 access is in some ways as important as having access to "experts" 9-to-5, if you follow.)


    I hate to let something like a Log-In Form make me upend my life, but it does bother me...

    And the last thing I need is to have issues with my Virtual Private Server when I "go live" soon...

    Thoughts?

    Suggestions?

    Sincerely,


    Debbie

  14. #14
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,299
    Mentioned
    460 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    Which of these logins would you trust more...
    At least the second page is https protected, so that looks better to me.

    Quote Originally Posted by DoubleDee View Post
    Also, would you ever use GoDaddy to Host a website?? (I have a VPS with them currently).
    In the past, I've always heard it's not a good idea, as they are mainly a domain host. I've seen lots of people here having problems with various things like sending email, and it turns out that GD was limiting what they could do. However, things may have changed. Surely a VPS should give reasonable quality. I guess you should judge from the service you get. But there are thousands of good hosts in the US, so US-based is not much of a reason to choose GD on its own.

  15. #15
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ralph.m View Post
    At least the second page is https protected, so that looks better to me.
    Would the fact that they don't use an HTML Form - I didn't even know you could do that - but instead entirely use JavaScript, freak you out as far as security goes?


    Quote Originally Posted by ralph.m View Post
    In the past, I've always heard it's not a good idea, as they are mainly a domain host. I've seen lots of people here having problems with various things like sending email, and it turns out that GD was limiting what they could do. However, things may have changed. Surely a VPS should give reasonable quality. I guess you should judge from the service you get. But there are thousands of good hosts in the US, so US-based is not much of a reason to choose GD on its own.
    Who does SitePoint use to host this website?

    And are there any U.S.-based web hosting companies that you'd recommend?

    I'm looking for ones that are reasonably priced, yet deal with serious hosting (e.g. businesses, e-commerce).

    Sincerely,


    Debbie

  16. #16
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,299
    Mentioned
    460 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    Would the fact that they don't use an HTML Form - I didn't even know you could do that - but instead entirely use JavaScript, freak you out as far as security goes?
    There is actually a form there in the HTML.

    Quote Originally Posted by DoubleDee View Post
    Who does SitePoint use to host this website?
    Not sure, but some kind of cloud hosting I think—too complex for me.

    Quote Originally Posted by DoubleDee View Post
    And are there any U.S.-based web hosting companies that you'd recommend?
    I used to use KnownHost. After a lot of research, I settled on them as the best and most cost-effective option for a VPS. After being with them for about 4 years, I can honestly say they were excellent, and I'd highly recommend them. The only reason I left them was because it's slow uploading stuff from Australia to the US, so I decided to move to a local host.

  17. #17
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ralph.m View Post
    There is actually a form there in the HTML.
    Oops, I took a second look, and see I missed it in FireBug.

    So, it looks like JavaScript determines the Action location, right? (But, of course, how would I know it is going to HTTPS other than *assuming* GoDaddy cares about security?!)


    Quote Originally Posted by ralph.m View Post
    Not sure, but some kind of cloud hosting I think—too complex for me.
    Must be a "secret"?!


    Quote Originally Posted by ralph.m View Post
    I used to use KnownHost. After a lot of research, I settled on them as the best and most cost-effective option for a VPS. After being with them for about 4 years, I can honestly say they were excellent, and I'd highly recommend them. The only reason I left them was because it's slow uploading stuff from Australia to the US, so I decided to move to a local host.
    I'll have to check them out.

    Sincerely,


    Debbie

  18. #18
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,299
    Mentioned
    460 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    JavaScript determines the Action location, right?
    I don't think so.

    Code:
    action="login.aspx?spkey=GDMYA4+-130117125906001&amp;target=https%3a%2f%2fmya.godaddy.com%2f"

  19. #19
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,930
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ralph.m View Post
    I don't think so.

    Code:
    action="login.aspx?spkey=GDMYA4+-130117125906001&amp;target=https%3a%2f%2fmya.godaddy.com%2f"
    Geesh, Ralph, you're starting to make me think I need glasses!!!


    You know, after poking around some more, it looks like both of the Log-In Forms above ultimately point to...
    Code:
    https://mya.godaddy.com
    The difference, of course, is that it is better to type in this...
    Code:
    https://mya.godaddy.com

    ...and get re-directed here...
    Code:
    https://idp.godaddy.com/login.aspx?spkey=GDMYA4+-130117125906001&target=https%3a%2f%2fmya.godaddy.com%2f
    ...and then have the form submitted here...
    Code:
    https://mya.godaddy.com
    ...than it is to start here...
    Code:
    www.godaddy.com/#
    ...and then have the form submitted here...
    Code:
    https://mya.godaddy.com
    Sincerely,


    Debbie

  20. #20
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,299
    Mentioned
    460 Post(s)
    Tagged
    8 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    ...than it is to start here... http://www.godaddy.com
    Yes, that's the real problem.

