The default bug view has changed. See this FAQ.

Spurious Security warning?

RESOLVED INVALID

Status

()

Firefox
Security
RESOLVED INVALID
11 years ago
10 years ago

People

(Reporter: Matthew Elvey, Unassigned)

Tracking

2.0 Branch
PowerPC
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

11 years ago
https://www.hanes.com/HanesCommerce/en-US/Accounts/Login/?returnURL=https%3a%2f%2fwww.hanes.com%2fHanesCommerce%2fen-US%2fCheckout%2fCheckoutShipping%2f%3fCatalogNavigationBreadCrumbs%3d
has the problem; the page source code has only this form action:

<form name="Login" method="post" action="Login.aspx?NRMODE=Published&amp;NRORIGINALURL=%2fHanesCommerce%2fen-US%2fAccounts%2fLogin%2f%3freturnURL%3dhttps%253a%252f%252fwww%2ehanes%2ecom%252fHanesCommerce%252fen-US%252fAccounts%252fMyAccount%2ehtm&amp;NRNODEGUID=%7b05B43DB9-9A3A-4C66-9BF2-2954AC1D1312%7d&amp;NRCACHEHINT=Guest&amp;returnURL=https%3a%2f%2fwww.hanes.com%2fHanesCommerce%2fen-US%2fCheckout%2fCheckoutShipping%2f%3fCatalogNavigationBreadCrumbs%3d" id="Login">

The page with the form is secure (https://, and the link is relative, so it should be submitting securely, right?  So why is FF2 giving me a warning?

Is FF2 defective, or hanes.com? 

I got this message after entering a (munged) credit card # and clicking to proceed as well! 
The warnings indicate I'm submitting my userid and password and mailing address over an unencrypted connection, and credit card info over an unencrypted connection as well!

Here's Hanes' response and my query:


On 10/20/06 3:42 PM, hanes.customer <hanes.customer@hanes.com> wrote:
> Dear Mr. Elvey,
>   Thank you for bringing this Security Warning to our attention.  We
> have closely monitored our system and show that all of our connection 
> are encrypted for the protection of your privacy. We have our Security 
> team closely monitoring our systems to guarantee the security of our 
> website. We show the only time any message appears is during the page 
> change in the order process.  Is that when you receive this message?  
> Let me assure you any information entered is fully protected.
>     
> Sincerely,
>
> Julie Jenkins
> Consumer Service Manager
>
>
> Original Message Follows:
> ------------------------
> When I try to make a purchase from your site, I get this warning 
> message.:
>
> Security Warning:
> Although this page is encrypted, the information you have entered is to 
> be sent over an unencrypted connection and could easily be read by a 
> third party.Are you sure you want to continue sending this information?
>
> How could you let this happen?  No QA department?  I wonder about your 
> product quality now...
>
>

Comment 1

11 years ago
www.hanes.com is broken and Firefox's warning is correct.  The site uses <base href>, which changes the base for relative URLs to be interpreted against, before the form:

  <base href="http://www.hanes.com/Hanes.Commerce.Web/Login.aspx?...
  ...
  <form name="Login" method="post" action="Login.aspx?...

Thus the form actually does submit using http.

Safari and Internet Explorer 7 don't warn only because they don't have a warning specifically for https-to-http submission, as far as I can tell.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → INVALID
(Reporter)

Comment 2

10 years ago
FYI, it "only" took about a year, but Hanes finally got a clue. (That is, a birdie told me they failed a PCI/CISP validation and had to remediate.) 
A belated thanks, BTW, Jesse, for explaining the <base href>, etc.  I pestered Hanes reps on two more occasions - a few weeks and months after seeing your confirmation, and pointed them here, but it didn't get the problem fixed.  Perhaps such companies will pay more attention, now that I have a track record of suing them when they ignore notice of security breaches and flaws (TD Ameritrade is blowing about $50 million dealing with my class action lawsuit, which was brought on by their 18 months+ of inaction in the face of ample notice of an ongoing security breach.)
You need to log in before you can comment on or make changes to this bug.