Post by dodgeydave on Oct 13, 2016 0:43:27 GMT
Tried to log in this morning. Not looking good
Post by Bagman on Oct 13, 2016 1:05:05 GMT
And here as well..
There is a problem with this website’s security certificate.
The security certificate presented by this website has expired or is not yet valid.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information
•If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
•When going to a website with an address such as example.com, try adding the 'www' to the address, www.example.com.
For more information, see "Certificate Errors" in Internet Explorer Help.
Post by moonshine on Oct 13, 2016 1:12:41 GMT
Their security certificate expired at 1am. They need to renew it.
Post by beechside on Oct 13, 2016 1:40:41 GMT
Oh dear. Given that this is a genuine expiry, we can be pretty certain that there is nothing untoward. When a certificate expires, data sent from your browser, including userid and password, are still encrypted so your session is safe. Had the certificate not expired, we could potentially have a physical or virtual breach, perhaps the SSL port might have been closed or the server compromised but this is extremely unlikely in this case. If you are ultra paranoid, simply don't sign on for the next couple of days.

I used to work in computer security and had ethical hackers work for my company so I'm pretty familiar with the issues. Personally, I won't be signing on because there's a one in a million chance that a malicious attack could be timed with certificate expiry date. Very, very remote but theoretically possible.

By the way, savingstream, your domain name registration expires in less than a month as well. I wouldn't leave it this late and I don't think you should either. Given that you've taken your eye off the ball with the security certificate, I just hope you've locked your domain and have the renewal in hand.

It typically takes two to three days to renew a certificate, since there are checks, so there will probably be a lot of concern. I did some research for the EU on perceptions of trust on the web and certificate expiry was a near certain killer of business where punters had a choice to go elsewhere. Trouble is, if you have funds in SS, you can't elect to go to a different site.
Post by upland on Oct 13, 2016 5:39:53 GMT
Me too. Fails on Firefox and Chrome.
Post by skippyonspeed on Oct 13, 2016 5:57:13 GMT
"The owner of savingstream.co.uk has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site."
I got the above message
Edit: Was Ok @ 1:30am as I had to do a bit of fff 'cos of pbl129 rubbish
Post by lofty on Oct 13, 2016 6:12:57 GMT
Oh dear. Given that this is a genuine expiry, we can be pretty certain that there is nothing untoward. When a certificate expires, the data, including userid and password, are still encrypted so your session is safe. Had the certificate not expired, we could potentially have a physical or virtual breach, perhaps the SSL port might have been closed or the server compromised but this is extremely unlikely in this case. If you are ultra paranoid, simply don't sign on for the next couple of days. I used to work in computer security and had ethical hackers work for my company so I'm pretty familiar with the issues. Personally, I won't be signing on because there's a one in a million chance that a malicious attack could be timed with certificate expiry date. Very, very remote but theoretically possible. By the way, savingstream, your domain name registration expires in less than a month as well. I wouldn't leave it this late and I don't think you should as well. Given that you've taken your eye off the ball with the security certificate, I just hope you've locked your domain and have the renewal in hand. It typically takes two to three days to renew a certificate, since there are checks, so there will probably be a lot of concern. I did some research for the EU on perceptions of trust on the web and certificate expiry was a near certain killer of business where punters had a choice to go elsewhere. Trouble is, if you have funds in SS, you can't elect to go to a different site.

Likewise I've some experience in dealing with website security. We hired in a security team to validate our site as consumer confidence was of prime concern. Something like this would probably have got one of our engineers the sack (although in real life it's nearly always someone in accounts who's failed to get a purchase invoice dealt with on time!) This is going to look amateurish to anyone trying to log in this morning, and wouldn't encourage people to return to this site.

There's also a lot of money in play here, and data security breaches now carry business crippling fines and so I seriously hope savingstream get this sorted immediately. Firstly I would be sending out a grovelling and consumer calming email (skip the morning coffee and doughnuts) - get it sent! After this is resolved I would also recommend forcing everyone to reset their password - agreed it's only a small chance of a breach before this is resolved and probably not many people will access the site during this time - but it does close one small hole.

In the light of this it does make me slightly concerned how much resource they are putting into their IT systems - they clearly have some as evidenced by recent tweaks for the flexible rates, but I wonder if they've ever scheduled (or are even aware of) any penetration testing - I know a lot of ethical hacking techniques and would be tempted to have a go myself - but won't - the jails are already overpopulated!
Post by Deleted on Oct 13, 2016 6:56:04 GMT
Right, that is me off the site for the coming week.
Given Turner's supporting remarks of the week what a shame that SS should let itself down today.
Post by Tony on Oct 13, 2016 7:04:51 GMT
Awful performance for a finance based company
Someone's gonna get sacked this morning
Post by beechside on Oct 13, 2016 7:13:06 GMT
There is no suggestion or evidence that data on SS's servers have been compromised. That's a different issue completely. However, certificate expiry is a weakness and, were I a hacker, I'd look for weaknesses in systems and procedures as evidence of potential. Anybody use the same passwords on other P2P sites? Don't, just don't.
Post by sl75 on Oct 13, 2016 7:27:53 GMT
After this is resolved I would also recommend forcing everyone to reset their password - agreed it's only a small chance of a breach before this is resolved and probably not many people will access the site during this time - but it does close one small hole.

Maybe I'm being thick, but how does use of a security certificate a day after its expiry in any way allow hackers more access to passwords than at any other time? The connection is still secure, it's merely that your browser has a very black and white view of "validity" of a certificate for which it requires an explicit user security exception... (no warning during the last few days before expiry, and no grace period for an only-just-expired certificate before throwing up a big scary security warning that looks superficially similar to a genuine security compromise).

Edit: AIUI, the main reason for the security warning is that some websites might not take as much care over securing their backups as the "live" website, and so a hacker might possibly have acquired an expired security certificate from an old long-forgotten backup... however, this would usually result in a certificate that has expired by a much longer time. Clearly in such an instance the site has taken so little care over sensitive data that one should also change any passwords and security codes associated with the site, but that's an entirely different scenario than having a secure connection to the genuine website at a time when an administrative c***-up has resulted in the certificate expiring before it has been replaced.
Post by geraldine1210 on Oct 13, 2016 7:43:02 GMT
Sorry to be thick, but do we just keep trying periodically until the warning doesn't show?
Post by beechside on Oct 13, 2016 7:54:31 GMT
After this is resolved I would also recommend forcing everyone to reset their password - agreed it's only a small chance of a breach before this is resolved and probably not many people will access the site during this time - but it does close one small hole.

Maybe I'm being thick, but how does use of a security certificate a day after its expiry in any way allow hackers more access to passwords than at any other time?

No, you're not being thick at all. However, modern hacking is not what it once was where bots simply scanned ports, injected malicious messages, looked for buffer overflow and software weaknesses in thousands of sites. I used to run the development shop for a large ISP and we were targeted all the time. The modern hacker is picky and looks for soft targets that are lucrative. It's easy to find out when a security certificate expires and I might just use that as a smoke screen. Is SS such a site?

Let me give an example of how it might be to get money, should a breach be made.
•I get your password (no suggestion that it's happening now)
•I pay a pound into your account from my bank account (would you notice?)
•My bank account gets associated with your SS account
•I sell your loan parts in a highly liquid market
•I withdraw to my bank account and disappear

Yes, there are checks, manual interventions, notification emails etc but manual == insecure. The rewards might be massive...

So, does two-step verification help? Yes it does and I have it on my account. Not perfect but it adds an element of physical security (the location and ownership of my phone, as well as its own security).
Post by savingstream on Oct 13, 2016 7:54:46 GMT
Looks like a Rackspace error.
Post by sl75 on Oct 13, 2016 7:57:30 GMT
Does having two step verification turned on lessen the risk of any hack?

If you've already supplied your username and password to a hacker, the 2-step verification will mean they'll also need either to guess the right 6 digit number, or to persuade you to give it to them... but for a "man in the middle" attack the hackers need only echo the verification page back to you so you think you're still connected directly to the main site.

The main thing is to CHECK the certificate and ensure that the only reason your browser is refusing to verify it is that it has expired but that it is otherwise valid... and to do this BEFORE entering the username and password. For those who are not confident about how to check this, the best advice is not to log on until the problem is fixed (may be today if they've already got a new certificate but simply not installed it on the servers yet, or may be some time next week if they completely dropped the ball and need to order a new one from scratch [savingstream post just before mine suggests that their provider claimed they'd installed a new certificate a week ago]).

Edit: savingstream - not familiar with rackspace or with typical end-user experience of installing a security certificate, but maybe there are two separate actions - "installed" and "configured to use"? Maybe you need to do the latter from somewhere in a control panel?
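
One way to run the check described in the post above (is expiry the only reason the certificate fails?), as an added example that is not part of the original thread. It assumes the OpenSSL command-line tool (1.1.0 or later); the function names, `site.example` and the throwaway CAs are constructed for the demo, and expiry is simulated by verifying as of a later time.

```shell
#!/bin/sh
# Added example. classify_cert CERT CAFILE HOSTNAME [EPOCH]
# Prints one of: valid | expired-only | untrusted
classify_cert() {
  cert=$1 ca=$2 host=$3 at=${4:-}
  # Pass 1: full verification (chain, hostname, validity dates),
  # optionally evaluated as of EPOCH instead of the current time.
  if openssl verify ${at:+-attime "$at"} -verify_hostname "$host" \
       -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo valid; return 0
  fi
  # Pass 2: same chain and hostname checks with validity dates ignored.
  # If this passes, the dates were the only problem (expired or not yet valid).
  if openssl verify -no_check_time -verify_hostname "$host" \
       -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo expired-only; return 0
  fi
  # Fails even with dates ignored: wrong issuer, wrong name or bad signature.
  echo untrusted
}

# Constructed test PKI: a CA, an unrelated CA, and a leaf valid for one day.
make_constructed_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=site.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -days 1 -CA "$d/ca.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_constructed_pki "$demo"
later=$(( $(date +%s) + 172800 ))   # two days ahead: leaf expired, CA still valid
classify_cert "$demo/leaf.pem" "$demo/ca.pem"    site.example           # today
classify_cert "$demo/leaf.pem" "$demo/ca.pem"    site.example "$later"  # after expiry
classify_cert "$demo/leaf.pem" "$demo/other.pem" site.example "$later"  # wrong issuer
```

The check covers the chain, the hostname and the validity dates only; it does not look at revocation, and a certificate issued through an intermediate CA also needs that intermediate supplied to `openssl verify` with `-untrusted`.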