Balder
Member of DD Central
Posts: 641
Likes: 614
Post by Balder on Sept 1, 2019 15:49:02 GMT
For me it shows a lack of attention to detail - which then makes me wonder what else is wrong/missed.
mrk
Posts: 807
Likes: 753
Post by mrk on Sept 1, 2019 16:31:06 GMT
It's not advised either way for a financial service site. Without SSL the traffic could be recorded, credentials harvested and passwords identified and possibly cracked.

The fact that some or all parts of their site also answer to http on port 80 is a separate issue but I would doubt very much any of the secure parts of the site (i.e. post login) are available like that and if so I would not class the site as being fundamentally insecure although best practice these days is to secure the whole site.

The login page is very much available as plain http, including posting the credentials. So much so that somebody in this thread suggested doing exactly that (switching to http) to work around the certificate warning. Here's proof: (I didn't post my real password obviously.)

Not redirecting every request to that domain to be https is just incompetent. Technically you are of course correct that the traffic is encrypted even if the certificate is expired, and adding an exception is certainly a lot better than switching to http. But as a policy I would argue we should never encourage users to accept invalid certificates. The solution to this problem is simple and obvious: Ablrate need to fix their certificate. I don't see why we should even suggest workarounds.
michaelc
Member of DD Central
Posts: 4,844
Likes: 2,758
Post by michaelc on Sept 1, 2019 18:03:21 GMT
The fact that some or all parts of their site also answer to http on port 80 is a separate issue but I would doubt very much any of the secure parts of the site (i.e. post login) are available like that and if so I would not class the site as being fundamentally insecure although best practice these days is to secure the whole site. The login page is very much available as plain http, including posting the credentials. So much so that somebody in this thread suggested doing exactly that (switching to http) to work around the certificate warning. Here's proof: (I didn't post my real password obviously.) Not redirecting every request to that domain to be https is just incompetent. Technically you are of course correct that the traffic is encrypted even if the certificate is expired, and adding an exception is certainly a lot better than switching to http. But as a policy I would argue we should never encourage users to accept invalid certificates. The solution to this problem is simple and obvious: Ablrate need to fix their certificate. I don't see why we should even suggest workarounds.

Jeezus you're right! I did my own tests with Chrome and a third party sniffer (just what I'm more familiar with) but I needn't have bothered. As you say the entire site can be accessed including the login area unencrypted. That is totally unacceptable and I say that as someone with 21 years experience working as a systems and software engineer at one of the world's largest network and security companies. They don't need a certificate to prevent access. They should shut down the site until that issue is rectified.
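An added example, not code from anyone in this thread: a small Python checker for the two failure modes mrk and michaelc describe above, a certificate that no longer verifies and a login path that answers over plain HTTP instead of redirecting to https. The host name example.com, the /login path and the sample responses are constructed placeholders, not Ablrate's.

```python
"""Offline-testable checks for an expired TLS certificate and for a page
that still answers over plain HTTP instead of redirecting to https.
example.com and the /login path are constructed placeholders."""
import http.client
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Timestamp format that ssl.SSLSocket.getpeercert() uses for notBefore/notAfter.
_CERT_TIME_FMT = "%b %d %H:%M:%S %Y %Z"

def parse_cert_time(value):
    """Parse a getpeercert() timestamp such as 'Sep  1 12:00:00 2019 GMT'."""
    return datetime.strptime(value, _CERT_TIME_FMT).replace(tzinfo=timezone.utc)

def cert_days_remaining(not_after, now=None):
    """Days until the certificate expires; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_time(not_after) - now).total_seconds() / 86400

def http_redirects_to_https(status, headers, host):
    """True only if a plain-HTTP response is a redirect to https:// on the same
    host. A 200 here means the page (e.g. the login form) is served in the clear."""
    if status not in (301, 302, 307, 308):
        return False
    location = {k.lower(): v for k, v in headers}.get("location", "")
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "") == host.lower()

def check_host(host, path="/login"):
    """Live check (opens network connections; not exercised by the offline test).
    Returns (cert_status, redirects): days remaining on a valid certificate, or
    the verification error text (expired, wrong name, untrusted) when invalid."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert_status = cert_days_remaining(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        cert_status = str(exc)
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        redirects = http_redirects_to_https(resp.status, resp.getheaders(), host)
    finally:
        conn.close()
    return cert_status, redirects
```

Run `check_host("your.host")` against a host you operate to get both answers in one call; a numeric first value with a True second value is the state this thread says Ablrate should have been in.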
iRobot
Member of DD Central
Posts: 1,656
Likes: 2,449
Post by iRobot on Sept 1, 2019 19:05:08 GMT
Do you not have a 'Details' link which reveals, errrr, some details but also includes: Go on to the webpage (Not recommended) (Don't know why the 'Not recommended' isn't in red, but there you go...)

Thank you but there is no option to go on to the webpage. This is using Edge with Windows 10 on a PC. If I use IE then there is that option, and that is what I am doing. Edge in Windows 10 is going to be widely used by the average p2p lender, making this a serious loss of access to the site.

Same fundamental setup here, but certainly there are enough subtleties to a configuration that can alter how things are displayed. FWIW, I get this: And just by way of an FYI, figures can vary slightly, but using the data here as a commonplace example, Edge accounts for typically under 5% of the browser 'market'.
p2pfan
Member of DD Central
Full-Time Investor
Posts: 738
Likes: 821
Post by p2pfan on Sept 1, 2019 21:24:23 GMT
Thanks.
Still showing as "Not secure" in all my browsers.
Hopefully this will be fixed tomorrow, with whoever-is-responsible being back at work.
I had confidence in Ablrate, but this mishap and then how long it has taken to fix has shaken that.
blender
Member of DD Central
Posts: 5,719
Likes: 4,272
Post by blender on Sept 1, 2019 22:12:17 GMT
Thank you but there is no option to go on to the webpage. This is using Edge with Windows 10 on a PC. If I use IE then there is that option, and that is what I am doing. Edge in Windows 10 is going to be widely used by the average p2p lender, making this a serious loss of access to the site. Same fundamental setup here, but certainly there are enough subtleties to a configuration that can alter how things are displayed. FWIW, I get this: And just by way of an FYI, figures can vary slightly, but using the data here as a commonplace example, Edge accounts for typically under 5% of the browser 'market'.

Thanks iRobot. I was using a desktop shortcut and it would not give the 'go on to the webpage' part, just the details of the error. But I have set it up again and now it does - odd, same address. There is magic here beyond me. So people can get in if they ignore the dire warning.
Post by ablrate on Sept 2, 2019 8:37:59 GMT
For me it shows a lack of attention to detail - which then makes me wonder what else is wrong/missed.

..... tech sometimes goes wrong, Natwest/national grid etc etc etc. The certificate was issued for multiple years, but expired because of something to do with our security upgrade from Rackspace to Google Cloud. We are on with the cert provider now, sorting it.
thedog
Member of DD Central
Posts: 105
Likes: 111
Post by thedog on Sept 2, 2019 8:53:18 GMT
True and I've got some sympathy.
Given how much they've been criticised I'm not sure NatWest and NG would be my go-to comparisons though!
hantsowl
Member of DD Central
Posts: 672
Likes: 546
Post by hantsowl on Sept 2, 2019 9:18:16 GMT
ablrate If this certificate issue is not sorted out this morning, will the launch of 1000131 be postponed?
Post by ablrate on Sept 2, 2019 9:21:36 GMT
True and I've got some sympathy.
Given how much they've been criticised I'm not sure NatWest and NG would be my go-to comparisons though!
It was an example... as I spent two days last week not able to log on to banking... so I know how frustrating it can be.
Post by ablrate on Sept 2, 2019 10:09:20 GMT
ablrate If this certificate issue is not sorted out this morning, will the launch of 1000131 be postponed?

Yes - an update has been sent.
Post by ablrate on Sept 2, 2019 11:02:30 GMT
The site is back up. The issue was with the multiple year renewal being purchased through a third party which we no longer use (the old server provider). We cancelled the old certificate and have repurchased a multiple year certificate and reinstalled.
Sorry for the inconvenience.
michaelc
Member of DD Central
Posts: 4,844
Likes: 2,758
Post by michaelc on Sept 2, 2019 12:39:02 GMT
But I see it is still possible to access the site via unencrypted http? i.e. login, transfer funds, etc all unencrypted?
Post by ablrate on Sept 2, 2019 13:07:54 GMT
If you explicitly type that in, yes... we are aware and are fixing it.
Post by ablrate on Sept 2, 2019 14:56:54 GMT
But I see it is still possible to access the site via unencrypted http? i.e. login, transfer funds, etc all unencrypted?

That is now fixed.