Sometimes fighting good security is harder than embracing it. That appears to be the case with at least one company that went to great lengths to avoid insecure HTTPS browser security warnings from appearing on the thousands of sites it managed.

The company in question is ShopCity.com, a community-based business that gives brick-and-mortar retailers and municipalities a place to hang their shingles online. Recently Troy Hunt, who runs the Have I Been Pwned service, was tipped off to a unique act of security defiance.

ShopCity.com was using “pseudo password fields” to prevent Google Chrome and the Firefox browser from showing “Not Secure” warnings in the URL bars of the sites it managed.

After being tipped off to ShopCity.com’s activities, Hunt did some sleuthing and found sites managed by the company were avoiding HTTPS warning error messages by displaying what amounted to fake login screens.

“Firstly, the browser warnings about an insecure login only fire when there is an input type of ‘password’,” Hunt wrote in a blog post. He points out it might look like a password field, but it is not.

“Ah, it only says ‘Password’, it’s actually just a type of ‘textbox’. There’s a single CSS class on it for some visual styling but once clicking on the field, something magical happens.” That something is a script that runs.

“And now we have a totally new class on the field. Plus, of course, the onclick event on the input box itself sets the placeholder text to an empty string. So what does the class do? It merely changes the font.

“And as you’ve probably guessed by now, that ‘font’ is nothing other than a single disc per character designed to be a visual representation of the real disc you’d normally see when entering text into a proper password field,” Hunt wrote.

In the end, he said, “it’s a pseudo password field designed to fool the user and deny them of the browser’s visual warning designed to protect their password.”
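The trick Hunt describes lives entirely in the markup: the field's type is not “password”, so nothing in the browser treats it as one, while a class, a placeholder and an onclick handler make it look like one. That also means it can be caught by inspecting the markup rather than the rendering. The script below is an added example, not code from Hunt's post or from ShopCity.com; it assumes a simple heuristic (a field whose name, id, placeholder, class or autocomplete value mentions a password is meant for a password), and the two HTML snippets and the shop.example host are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute values that signal a field is meant to receive a password,
# whatever its declared type. (Heuristic chosen for this example.)
PASSWORD_HINTS = ("password", "passwd", "pwd")


class _FormCollector(HTMLParser):
    """Collects each <form>'s action and the attributes of the <input>s inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [{"action": str, "inputs": [attr dict, ...]}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input":
            if self._current is None:
                # Input outside any <form>: record it as its own implicit form
                # so it is still audited (it would submit to the page URL).
                self._current = {"action": "", "inputs": []}
                self.forms.append(self._current)
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _looks_like_password(attrs):
    """True if name/id/placeholder/class/autocomplete suggest password entry."""
    text = " ".join(attrs.get(k, "") for k in
                    ("name", "id", "placeholder", "class", "autocomplete")).lower()
    return any(hint in text for hint in PASSWORD_HINTS)


def audit_login_forms(html, page_url):
    """Audit one page's markup and return a list of (severity, message) findings.

    Two checks, both from the defender's side:
      1. an <input> presented as a password field (by name, placeholder, class,
         ...) whose type is not "password": the pseudo password field trick,
         which silences the browser's insecure-login warning;
      2. a form containing a password-like field that is served or submitted
         over anything other than HTTPS.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in collector.forms:
        submit_url = urljoin(page_url, form["action"]) if form["action"] else page_url
        submit_scheme = urlsplit(submit_url).scheme.lower()
        credential_form = False
        for inp in form["inputs"]:
            itype = inp.get("type", "text").lower()
            if itype == "password":
                credential_form = True
            elif _looks_like_password(inp):
                credential_form = True
                findings.append(("high",
                    f"pseudo password field: <input type={itype!r} name={inp.get('name')!r} "
                    f"class={inp.get('class')!r}> looks like a password box but will not "
                    f"trigger the browser's insecure-login warning"))
        if credential_form and (page_scheme != "https" or submit_scheme != "https"):
            findings.append(("high",
                f"credential form on {page_url} submits to {submit_url}; "
                f"page and action must both be HTTPS"))
    return findings


# Constructed sample (not ShopCity.com's markup): a text box dressed up as a
# password field in the way the article describes, on a plain-HTTP page.
PSEUDO_LOGIN_HTML = """
<form action="/login" method="post">
  <input type="text" name="username" placeholder="Username">
  <input type="text" name="password" class="pwfield" placeholder="Password"
         onclick="this.placeholder='';this.className='pwfield disc-font'">
  <input type="submit" value="Log in">
</form>
"""

# Constructed hardened version: a real password field submitted over HTTPS.
FIXED_LOGIN_HTML = """
<form action="https://shop.example/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    for sev, msg in audit_login_forms(PSEUDO_LOGIN_HTML, "http://shop.example/"):
        print(f"[{sev}] {msg}")
    print("hardened page findings:",
          audit_login_forms(FIXED_LOGIN_HTML, "https://shop.example/login"))
```

Run against the first snippet on an http:// page the audit reports both the pseudo field and the plaintext submission; the hardened snippet on an https:// page reports nothing, and the same hardened snippet on an http:// page still reports the transport problem, since a page served in the clear can have its form rewritten before the user ever types anything.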

In Hunt’s post on the incident he said he was tipped off by a user considering becoming a ShopCity.com user. The woman told Hunt when she asked ShopCity.com about the lack of security on its sites she was told “SSL is more about Google’s monopolizing visibility of content, and less to do with security.”

HTTPS is key to securing communications between a client and server and thwarting attacks such as the so-called Great Cannon attack. HTTPS is a combination of the HyperText Transfer Protocol (HTTP) and the Secure Sockets Layer (SSL) protocol. Together, as HTTPS, they encrypt communication sessions between a computer’s web browser and a web server. The absence of HTTPS leaves that connection between browser and web server vulnerable to sniffing attacks.

For Hunt, willful ignorance of security isn’t new. He cited an incident in which Oil and Gas International was so miffed at an insecure password and login warning displayed by the Firefox browser that it filed a bug report demanding the warning be removed.

So, is all this effort worth keeping your HTTPS head in the sand? According to ShopCity.com, the answer is “no.”

Threatpost spoke to Rob Calvert, network administrator for ShopCity.com, who said he was a bit embarrassed and surprised at the attention Hunt’s critique had brought his company.

“We found out about this when Troy Hunt brought it to our attention,” Calvert said. “The problem traces back to a junior developer who created this workaround to avoid the security warning. We had no idea what he had done.”

Calvert said that after Hunt’s exposure, all sites on ShopCity.com’s platform now display the insecure browser warning at the password login screen. He emphasized that only user logins were insecure and that any transactions conducted with merchants online were facilitated through a PayPal shopping cart that uses HTTPS.

“I agree. It’s absurd to work so hard at making it seem these sites are secure when just using HTTPS is so much easier and safer for users,” Calvert said. “We are currently transitioning our users to HTTPS and we’ll be 100 percent there by the new year.”

Categories: Cryptography, Featured, Privacy, Web Security

Comments (11)

  1. Steve Whitlock
    2

    It’s always blamed on a “Jr Dev”, when we all know this Dev was likely responding to management pressure to remove the warning.

    Reply
  2. Bill Cole
    4

    If it takes them more than a week to fix this, they’re toast. Or at least they should be.
    If they can’t turn everything to HTTPS-only in a week, they are not competent to be doing what they are trying to do.

    Reply
  3. John Bison
    5

    Of course, google and all of their ilk are taking this cause celebre to the people, because, let’s face it, they have no clue. Unless you’re a network engineer, you have no idea…those who do that I’ve talked to believe that the https thing is a bit overrated as a security paradigm above all others. It is good, and solves security problems that most folks don’t know about (like defeats key loggers intercepting all but auth data). Having said that, the man-in-the-middle scenario that it is being touted for rarely happens, more likely that your ISP won’t be sniffing passwords than the server that you’re connecting to has already been compromised. That’s what law enforcement does, putting their sniffer on the server, why bother cracking ssl/tls. Let’s face it, the real supporters of SSL for every site are the commercial interests who want to block your web surfing from your employer, so that you can use facebook or let Google tap your data without those nasty network admins trying to manage content. Just saying…

    Reply
  4. Bill Cole
    7

    In a word: wrong.
    If a site does not use HTTPS, its traffic can be intercepted by anyone on the same LAN as the server or the client. Using the same cafe WiFi as others? They can capture everything you do. That means they can impersonate you to whatever sites you access that don’t use HTTPS.
    And on the other end, you cannot know what other entities are on the same LAN or even the same IP address as the site you’re talking to. For ShopCity.com, it’s a metric buttload of other name-based virtual hosts on one IP: any of those might be under the control of a bad actor.

    Failure to deploy HTTPS-only for websites is a solid indication of the webmaster being incompetent or grotesquely lazy. No one who still runs a port 80 web listener that does anything other than redirect clients to HTTPS on port 443 is broadcasting their inadequacy for their job.

    Reply
    • Bill Cole
      8

      Ugh, misworded. Last sentence should be:

      Anyone who still runs a port 80 web listener that does anything other than redirect clients to HTTPS on port 443 is broadcasting their inadequacy for their job

      Reply
  5. Dave
    10

    The “junior dev” excuse needs to stop. How did a junior dev get such a change into production with no oversight without the more senior devs being incompetent or, in fact, the entire company being a shambles?

    Reply
  6. Mark
    11

    Would love to see their change management processes….Oh and the only insecure part is the login….let’s forget about the whole thing then 🙂

    Reply
