Bug 358858 - Spurious Security warning?
Status: RESOLVED INVALID
Product: Firefox
Classification: Client Software
Component: Security
Version: 2.0 Branch
Platform: PowerPC Mac OS X
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
URL: https://www.hanes.com/HanesCommerce/e...
Reported: 2006-10-30 21:51 PST by Matthew Elvey
Modified: 2007-11-28 01:29 PST
CC: 6 users

Description Matthew Elvey 2006-10-30 21:51:57 PST
https://www.hanes.com/HanesCommerce/en-US/Accounts/Login/?returnURL=https%3a%2f%2fwww.hanes.com%2fHanesCommerce%2fen-US%2fCheckout%2fCheckoutShipping%2f%3fCatalogNavigationBreadCrumbs%3d
has the problem; the page source code has only this form action:

<form name="Login" method="post" action="Login.aspx?NRMODE=Published&amp;NRORIGINALURL=%2fHanesCommerce%2fen-US%2fAccounts%2fLogin%2f%3freturnURL%3dhttps%253a%252f%252fwww%2ehanes%2ecom%252fHanesCommerce%252fen-US%252fAccounts%252fMyAccount%2ehtm&amp;NRNODEGUID=%7b05B43DB9-9A3A-4C66-9BF2-2954AC1D1312%7d&amp;NRCACHEHINT=Guest&amp;returnURL=https%3a%2f%2fwww.hanes.com%2fHanesCommerce%2fen-US%2fCheckout%2fCheckoutShipping%2f%3fCatalogNavigationBreadCrumbs%3d" id="Login">

The page with the form is secure (https://), and the link is relative, so it should be submitting securely, right?  So why is FF2 giving me a warning?

Is FF2 defective, or hanes.com?

I got this message after entering a (munged) credit card # and clicking to proceed as well! 
The warnings indicate I'm submitting my userid and password and mailing address over an unencrypted connection, and credit card info over an unencrypted connection as well!

Here's Hanes' response and my query:


On 10/20/06 3:42 PM, hanes.customer <hanes.customer@hanes.com> wrote:
> Dear Mr. Elvey,
>   Thank you for bringing this Security Warning to our attention.  We
> have closely monitored our system and show that all of our connections
> are encrypted for the protection of your privacy. We have our Security
> team closely monitoring our systems to guarantee the security of our
> website. We show the only time any message appears is during the page
> change in the order process.  Is that when you receive this message?
> Let me assure you any information entered is fully protected.
>
> Sincerely,
>
> Julie Jenkins
> Consumer Service Manager
>
>
> Original Message Follows:
> ------------------------
> When I try to make a purchase from your site, I get this warning
> message:
>
> Security Warning:
> Although this page is encrypted, the information you have entered is to
> be sent over an unencrypted connection and could easily be read by a
> third party. Are you sure you want to continue sending this information?
>
> How could you let this happen?  No QA department?  I wonder about your
> product quality now...
>
>
Comment 1 Jesse Ruderman 2006-10-31 23:19:59 PST
www.hanes.com is broken and Firefox's warning is correct.  The site uses <base href>, which changes the base for relative URLs to be interpreted against, before the form:

  <base href="http://www.hanes.com/Hanes.Commerce.Web/Login.aspx?...
  ...
  <form name="Login" method="post" action="Login.aspx?...

Thus the form actually does submit using http.

Safari and Internet Explorer 7 don't warn only because they don't have a warning specifically for https-to-http submission, as far as I can tell.
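The resolution rule Jesse describes can be checked mechanically. The script below is an added example, not code from the bug report or from Firefox: it resolves each `<form action>` the way a browser does (against `<base href>` when one is present, otherwise against the page URL) and flags forms on an https page whose resolved action is plain http. The HTML sample is constructed to mirror the structure quoted in the comment above; the query-string values are placeholders, and the attribute extraction is a deliberately minimal regex rather than a full HTML parser.

```javascript
// Added example: detect https-to-http form submission caused by <base href>.
// Runs under Node.js (uses the global WHATWG URL class); no dependencies.

// Constructed page fragment modelled on the bug: an https login page that
// declares an http <base href>, followed by a form with a relative action.
const sampleHtml = `
<html><head>
  <base href="http://www.hanes.com/Hanes.Commerce.Web/Login.aspx?placeholder=1">
</head><body>
  <form name="Login" method="post" action="Login.aspx?NRMODE=Published" id="Login"></form>
  <form name="Search" method="get" action="https://www.hanes.com/search"></form>
</body></html>`;

// First <base href="..."> on the page, or null when the page has none.
// Browsers honour only the first <base> element with an href.
function extractBaseHref(html) {
  const m = html.match(/<base\b[^>]*\bhref\s*=\s*["']([^"']*)["']/i);
  return m ? m[1] : null;
}

// action attribute of every <form> start tag, in document order.
// A form with no action submits to the document URL, represented here as ''.
// (Entity decoding such as &amp; is omitted; it does not affect the scheme.)
function extractFormActions(html) {
  const actions = [];
  const tagRe = /<form\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = m[0].match(/\baction\s*=\s*["']([^"']*)["']/i);
    actions.push(a ? a[1] : '');
  }
  return actions;
}

// Resolve a form action as the browser will: relative actions resolve against
// the document base, which is <base href> (itself resolved against the page
// URL) when present and the page URL otherwise.
function resolveFormAction(pageUrl, baseHref, action) {
  const base = baseHref ? new URL(baseHref, pageUrl) : new URL(pageUrl);
  return new URL(action, base).href;
}

// Return the forms whose submission would leave https for http.
function findDowngradedForms(pageUrl, html) {
  const page = new URL(pageUrl);
  const baseHref = extractBaseHref(html);
  return extractFormActions(html)
    .map(action => ({ action, resolved: resolveFormAction(pageUrl, baseHref, action) }))
    .filter(f => page.protocol === 'https:' && new URL(f.resolved).protocol === 'http:');
}

// Usage against the constructed sample.
const pageUrl = 'https://www.hanes.com/HanesCommerce/en-US/Accounts/Login/';
for (const f of findDowngradedForms(pageUrl, sampleHtml)) {
  console.log(`form action "${f.action}" submits to ${f.resolved} (http, not https)`);
}
```

The interesting case is the `Login` form: its action looks harmless in isolation, and without the `<base href>` it would resolve to an https URL under `/HanesCommerce/en-US/Accounts/Login/`, but with the base element it resolves to `http://www.hanes.com/Hanes.Commerce.Web/Login.aspx?...`, which is exactly the condition the Firefox warning reports.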
Comment 2 Matthew Elvey 2007-11-27 19:39:53 PST
FYI, it "only" took about a year, but Hanes finally got a clue. (That is, a birdie told me they failed a PCI/CISP validation and had to remediate.) 
A belated thanks, BTW, Jesse, for explaining the <base href>, etc.  I pestered Hanes reps on two more occasions - a few weeks and months after seeing your confirmation, and pointed them here, but it didn't get the problem fixed.  Perhaps such companies will pay more attention, now that I have a track record of suing them when they ignore notice of security breaches and flaws (TD Ameritrade is blowing about $50 million dealing with my class action lawsuit, which was brought on by their 18 months+ of inaction in the face of ample notice of an ongoing security breach.)
