'Rapport' Security

joe134

joe134 wrote: »

Thanks Masonic, I posted the log in situation on this thread couple days ago, asked HSBC. You enter IB number on unsecure site, mad.Put this Rapport on, so far so good, picked up on couple of updates, although I have Secunia, Adobe flash.1.See how it goes, thanks again, I,ll check it out

PS, Just gone on HSBC, into secure login page, no certificate on it. Clicked on privacy, Https verified, no cerficate could be found. Probably haven,t got one, hence Rapport;;Wherever it is, it,s hidden

masonic

joe134 wrote: »

PS, Just gone on HSBC, into secure login page, no certificate on it. Clicked on privacy, Https verified, no cerficate could be found. Probably haven,t got one, hence Rapport;;Wherever it is, it,s hidden

It's because only part of the page is https. If you leave the user ID blank and click log on, you go through to a fully secure page with a certificate you can verify. You can then go back and log in normally. It's hardly an acceptable solution, but at least it allows you to check the site's authenticity yourself before logging on.

Staib

masonic wrote: »

Edit: I've just checked HSBC. The page where they ask you to enter your user ID is not secure - therefore you cannot check the site is genuine until after you click submit. Shame on you, HSBC! Almost every other bank gets this right.

Visually I agree that this is not smart - but most banks are inviting you to enter user names and passwords. The data within that user name or 'UserID' field is always encrypted before it is sent to us.

We then present a page from our https servers, where customers enter their security details before checking balances or paying bills etc. As masonic observed, the EV certs are visible in the rest of the secure site.
Cheers,
Nick

ETROL

One piece of software that I use is keepass

It holds all your passwords in an encrypted file
You drag and drop your passwords which are hidden behind acterisks
No need to install it so it will not affect performance of PC
Your passwords can be longer and more complex because you just drag them
It can store a shortcut to the log in page so you always know that you are using a legitimate webpage
Its free

The're webpage
http://keepass.info/

joe134

Staib wrote: »

Visually I agree that this is not smart - but most banks are inviting you to enter user names and passwords. The data within that user name or 'UserID' field is always encrypted before it is sent to us.

We then present a page from our https servers, where customers enter their security details before checking balances or paying bills etc. As masonic observed, the EV certs are visible in the rest of the secure site.
Cheers,
Nick

Hi Nick, thanks for clearing that one up, much appreciated.Always was dubious about entering IB number;where on the secure login page is it?DOB+Pin,Bottom right is security, not there.Just had new Gogs;

joe134

masonic wrote: »

It's because only part of the page is https. If you leave the user ID blank and click log on, you go through to a fully secure page with a certificate you can verify. You can then go back and log in normally. It's hardly an acceptable solution, but at least it allows you to check the site's authenticity yourself before logging on.

Hi Masonic, if only; I must be doing something wrong, you cannot go to a securesite without entering IB number.Dialogue box says so?Maybe Nick can enlighten me, just for peace of mind?

masonic

Staib wrote: »

Visually I agree that this is not smart - but most banks are inviting you to enter user names and passwords. The data within that user name or 'UserID' field is always encrypted before it is sent to us.

We then present a page from our https servers, where customers enter their security details before checking balances or paying bills etc. As masonic observed, the EV certs are visible in the rest of the secure site.
Cheers,
Nick

The issue is not whether or not the data is encrypted, it is that users cannot know in advance whether or not it is going to be encrypted when they click the login button. You are asking your users to enter their user ID on a page that they cannot verify as being secure. They therefore cannot distinguish between the genuine HSBC login page and a phishing site before they enter their user ID. Why don't you encrypt the login page so that users can be sure they are visiting the genuine website? Other banks manage to do that.

masonic

joe134 wrote: »

Hi Masonic, if only; I must be doing something wrong, you cannot go to a securesite without entering IB number.Dialogue box says so?Maybe Nick can enlighten me, just for peace of mind?

Try validating this site, which is secure from the outset: https://www2.banking.firstdirect.com/1/2/

joe134

masonic wrote: »

Try validating this site, which is secure from the outset: https://www2.banking.firstdirect.com/1/2/

Hi, nogo. must be me, clicked bottom right secutity, no entry sign ,brought up page with site details https, is this it?What you have just said to Nicky are my sentiments entirely.I always thought, for years that the IB number was unsecure, as I stated in my earlier post, that leaves DOB+3 From 6 digit pin number, very poor. Now I know IB is encrypted, more at ease. Why is it not like First direct page you just posted.all on 1 secure page.Http means, unsecure.I always have to validate the ib page before I enter IB number,still will, once I get the hang of cert.

masonic

joe134 wrote: »

Hi, nogo. must be me, clicked bottom right secutity, brought up page with site details https, is this it?What you have just said to Nicky are my sentiments entirely.I always thought, for years that the IB number was unsecure, as I stated in my earlier post, that leaves DOB+3 From 6 digit pin number, very poor. Now I know IB is encrypted, more at ease. Why is it not like First direct page you just posted.all on 1 secure page.Http means, unsecure.

This is what I get when I click on the green bit at the left of the address bar...


If you can't do that, you might want to think about upgrading your browser, if only to use for internet banking. If I click More Information, I can go through and view the actual certificate, but all the necessary information is in that window.

What is happening on the HSBC page is that the page asking for the user ID is not secure. However, when you press the log in button, a secure connection is set up before the user ID is transmitted to HSBC. The problem with that is you don't know what is going to happen until after you click the button. Many sites used to do this when servers weren't very powerful and there was a big overhead involved with encrypting pages. Nowadays there really is no excuse - servers should easily be able to handle sites that are entirely encryped and leaving things as HSBC has just makes life difficult for users.

Edit: As an aside, and bringing the thread vaguely back on topic, if I had Rapport installed, I don't think it would have let me take that screenshot because Rapport goes to even greater lengths to prevent any information on the site being eavesdropped.