Login page not encrypted. Password sent in clear text.
I know our Get Satisfaction account doesn't need bank-level security, but you could at least get a cheap SSL certificate so that our login credentials can't be sniffed. Many people use the same email/password for many website accounts, so it can be a bigger problem than you think.
I know that OpenID support kinda solves this problem, but the people not using OpenID are probably the people who don't know much about web security.
(Ironically, I've seen people report this same problem on other products, but not here)
16 people have this problem
The company marked this problem solved.
-
SSL support will be rolled out in about a month from now. We've tried to keep our Ops issues to a minimum (or some would say, we've neglected Ops issues in the past), and having SSL support was one of the failures coming out of that.
Sorry about not having it before now.
-
Forgot to update this topic. We've been using an SSL login for about 4 months now.
-Scott -
Is there a plan our company can upgrade to to get the secure functionality? I just tested and can see my username and password sent over the wire insecurely. We would love to deploy your product more widely, but our security policies will prevent us from doing so until then.
I’m anxious
-
Hi, Robert. We do have an SSL-encrypted Feedback Widget. Some of those details go over my head, but I can get someone here to provide more details. Is that what you're looking for -- security in a widget?
-
I'm looking for https to be enforced when I or any other Credit.com employee logs in through http://getsatisfaction.com/login
Here is a sample http header you can show your developers:
11:16:50.972[4127ms][total 4127ms] Status: 200[OK]
POST http://getsatisfaction.com/login Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[4] Mime Type[text/javascript]
Request Headers:
Host[getsatisfaction.com]
User-Agent[Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.13) Gecko/2009080315 Ubuntu/9.04 (jaunty) Firefox/3.0.13]
Accept[text/javascript, text/html, application/xml, text/xml, */*]
Accept-Language[en-us,en;q=0.5]
Accept-Encoding[gzip,deflate]
Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
Keep-Alive[300]
Connection[keep-alive]
X-Requested-With[XMLHttpRequest]
X-Prototype-Version[1.6.0.1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
Referer[http://getsatisfaction.com/getsatisfa...]
Content-Length[57]
Cookie[uuid=85b52348-ac77-11de-b098-00151748936a; __utma=149573664.811607677.1254174172.1254444630.1254506899.10; __utmz=149573664.1254506899.10.7.utmcsr=new_topic|utmccn=(not%20set)|utmcmd=email|utmcct=profile_link; __qca=P0-695888070-1254174172128; product_history=%5B%5B%22/creditcom/products/creditcom_credit_report_card%22%2C%22Credit%20Report%20Card%22%5D%5D; _sfn_session=BAh7BzoQZnJvbV9nb29nbGVGIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%0AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--605ca01d56f613dcc64b7fbddbfc759553ef65a0; __utmc=149573664; __utmb=149573664.8.10.1254506899; company_history=%5B%5B%22http%3A//getsatisfaction.com/getsatisfaction%22%2C%22Get%20Satisfaction%22%5D%2C%5B%22http%3A//getsatisfaction.com/creditcom%22%2C%22credit.com%22%5D%5D; login_trackback=http%3A//getsatisfaction.com/getsatisfaction/topics/login_page_not_encrypted_password_sent_in_clear_text]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
email[Changed]
password[Changed]
commit[Login]
Response Headers:
Connection[close]
Date[Fri, 02 Oct 2009 18:13:40 GMT]
Set-Cookie[avatar_url=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
avatar_url=%2Fimages%2Fuser_default_medium.png; domain=.getsatisfaction.com; path=/
token_hash=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
token_hash=399038c93da95d6d7a58f056b10ad7c97945b18e; domain=.getsatisfaction.com; path=/
canonical_name=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
canonical_name=robert_peters; domain=.getsatisfaction.com; path=/
use_real_name=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
use_real_name=false; domain=.getsatisfaction.com; path=/
user_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
user_id=753436; domain=.getsatisfaction.com; path=/
token_issue_date=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
token_issue_date=1254507221; domain=.getsatisfaction.com; path=/
user_name=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
user_name=Robert+Peters; domain=.getsatisfaction.com; path=/
user_nick=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
user_nick=Robert+Peters; domain=.getsatisfaction.com; path=/
_sfn_session=BAh7CDoQZnJvbV9nb29nbGVGIg1mYXN0cGFzczAiCmZsYXNoSUM6J0FjdGlv%0AbkNvbnRyb2xsZXI6OkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%3D--72449fa3c5adaa58d5db86ebc48c5519c23247e1; domain=.getsatisfaction.com; path=/]
Status[200 OK]
Etag["b326b5062b2f0e69046810717534cb09"]
X-Runtime[0.03014]
Content-Type[text/javascript; charset=utf-8]
Content-Length[4]
Server[Mongrel 1.1.5]
Cache-Control[private, max-age=0, must-revalidate]
Accept-Ranges[none]
-
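The capture above shows the two problems a reviewer would pull out of it: credential fields posted to a plain http:// URL, and session cookies set back without the Secure (or HttpOnly) attribute. As an added example that is not part of this thread, the script below parses a capture in the same Name[value] layout and reports both; the embedded capture is a constructed, shortened version with cookie values replaced, and the credential field names and session-cookie pattern are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the Name[value] capture style pasted in the thread (cookie values replaced).
CAPTURE = """\
POST http://getsatisfaction.com/login Load Flags[LOAD_BYPASS_CACHE] Content Size[4]
Post Data:
email[Changed]
password[Changed]
commit[Login]
Response Headers:
Set-Cookie[user_id=753436; domain=.getsatisfaction.com; path=/
token_hash=EXAMPLE; domain=.getsatisfaction.com; path=/
_sfn_session=EXAMPLE; domain=.getsatisfaction.com; path=/]
Status[200 OK]
"""

CREDENTIAL_FIELDS = {"email", "username", "login", "password", "passwd", "pwd"}  # assumed names
SESSION_COOKIE = re.compile(r"session|token|sid|auth", re.I)  # assumed session-cookie pattern
FIELD = re.compile(r"^([\w-]+)\[(.*)\]$")  # one "Name[value]" capture line


def parse_capture(text: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Return (request URL, posted form fields, Set-Cookie lines) from one capture."""
    lines = text.splitlines()
    url = lines[0].split()[1]  # first line is "POST <url> ..."
    start, end = lines.index("Post Data:") + 1, lines.index("Response Headers:")
    post = {m.group(1).lower(): m.group(2) for m in map(FIELD.match, lines[start:end]) if m}
    # Set-Cookie[...] spans several lines, one cookie per line, closed by a trailing "]"
    block = re.search(r"^Set-Cookie\[(.*?)\]$", text, re.S | re.M)
    return url, post, block.group(1).splitlines() if block else []


def audit(text: str) -> List[str]:
    """Flag credential fields posted over plain HTTP and session cookies lacking Secure/HttpOnly."""
    url, post, cookies = parse_capture(text)
    findings: List[str] = []
    if url.startswith("http://"):
        exposed = sorted(f for f in post if f in CREDENTIAL_FIELDS)
        if exposed:
            findings.append(f"credential fields {exposed} posted over cleartext HTTP to {url}")
    for cookie in cookies:
        name = cookie.split("=", 1)[0]
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if SESSION_COOKIE.search(name) and missing:
            findings.append(f"session cookie {name} set without {missing}")
    return findings
```

Running `audit(CAPTURE)` reports the cleartext email/password post and the two session-like cookies (token_hash, _sfn_session) set without Secure or HttpOnly, while user_id is left alone.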
Is there an update on this issue?
-
It's not enough just to provide an HTTPS login option; we need to be able to *require* employees to securely log in.
I suspect many other companies in the financial space have similar requirements.