How can HTTP be Secure?
Paul_Varjak
Posts: 4,627 Forumite
in Techie Stuff
I am signed up with My Bills Online for paperless billing with my water company.
The log-in page for My Bills Online is an insecure HTTP webpage, with no apparent HTTPS option.
I have been in contact with My Bills Online and my water company who both claim that although My Bills Online does not use a secure HTTPS web page, my log-in credentials are still transmitted securely!!!
How can this be so?
Strangely, the other web pages on the web site are HTTPS secured - it is only the log-in page which is not!
Comments
-
But I don't really want people being able to log into my account full stop! Surely, my log-in credentials could be stolen if log-in is not via a secure page?
Every other page on the site is secure (including the ABOUT US pages), so why not the log-in page?
The strange thing is that the log-in page used to be HTTPS, but no longer is!
Seems to be fine - https://service.onevu.co.uk/MyBillsOnline/Dispatcher
-
HTTP is not secure, but as far as HTTPS is concerned it is more or less secure. My bookie's has an HTTP page, but it sends me to HTTPS when I click login... Having said that, some sites use Java/JavaScript on your PC to facilitate this, and then hey, who knows.
-
Paul_Varjak wrote: »But I don't really want people being able to log into my account full stop! Surely, my log-in credentials could be stolen if log-in is not via a secure page?
Very few hackers will want to steal your water bill.
The landing page can be downloaded through HTTP but the send portion is HTTPS. The login page is fine but very misleading; I would describe it as bad practice (as it confuses people) but not actually insecure.
HTTP is naturally stateless; it doesn't naturally know about your previous connections to the site, and does not naturally maintain connections. It's just a transport method; it only applies when you are sending or receiving data.
RobTang...
That is the argument used by My Bills Online. However, being an insecure download, means there is no certificate validation possible and surely there is the possibility of code injection as the landing page leaves the My Bills Online server? That code could, conceivably, extract log-on details from the web page before it is even transmitted over the internet. Code injection on an HTTPS page is well-nigh on impossible I believe but fairly simple on an HTTP page.
The strange thing is that the log-in page did use to be a secure page and all the other pages on the site (even the About Us page) are HTTPS secure, but the very page you would expect to be secure is not!
scheming_gypsy wrote: »Very few hackers will want to steal your water bill.
My Bills Online is not just a service for water companies. If someone can grab a couple of bills from different companies, he is well on his way to stealing your identity!
Seems to be fine - https://service.onevu.co.uk/MyBillsOnline/Dispatcher
Yes, this is their old page and it still works. Strange they have dropped HTTPS from the new log-in page!
Paul_Varjak wrote: »RobTang...
That is the argument used by My Bills Online. However, being an insecure download, means there is no certificate validation possible and surely there is the possibility of code injection as the landing page leaves the My Bills Online server? That code could, conceivably, extract log-on details from the web page before it is even transmitted over the internet. Code injection on an HTTPS page is well-nigh on impossible I believe but fairly simple on an HTTP page.
The strange thing is that the log-in page did use to be a secure page and all the other pages on the site (even the About Us page) are HTTPS secure, but the very page you would expect to be secure is not!
You could spike the original request and redirect in a man-in-the-middle request; you're susceptible to it anyway if you don't explicitly go to the HTTPS address. Phishing attacks do tend to work quite well.
Code injection for man in the middle almost never happens; they would just redirect you to their own page, then they can do whatever they want.
Normal code injection makes use of vulnerabilities in the site itself. HTTPS won't help you there, as the real server will be compromised; this is by far more common.
I would not say a man-in-the-middle attack is simple (on HTTP) or that HTTPS is impossible. Personally I reckon a good proportion would accept the cert error anyway on HTTPS.
I'm not condoning what they do; however, it is an attack vector. Just go to the HTTPS link and be happy.
This discussion has been closed.