No SSL on new usairways.com???


adzel
May 30, 06, 3:13 pm
It would appear that SSL is NOT turned on for logins or password selection on the new US Airways web site. Can anyone confirm if this is true?

me4yankees
May 30, 06, 3:33 pm
It would appear that SSL is NOT turned on for logins or password selection on the new US Airways web site. Can anyone confirm if this is true?

I asked tech support about this a few days ago and they advised me that SSL is only used when one's credit card information is involved. I do NOT have SSL (https://) for logging in, My Account Summary, View My Miles, Manage Reservations, Update My Account, etc. The only SSL I see is under Update My Account, then Payment Options! This makes me nervous. Anyone else nervous?

US AIRWAYS FAN
May 30, 06, 3:38 pm
I have already made the decision I am not booking anything on this website until they fix the problems.

adzel
May 30, 06, 3:39 pm
If they are only using SSL for credit cards, then this is a BIG problem. If I can get your account password, then I can steal your frequent flyer miles!

LAX1K to AmWest
May 30, 06, 3:40 pm
I have already made the decision I am not booking anything on this website until they fix the problems.

I think I will either book via the phone number if they waive the $5.00 fee or my company would prefer me to use our internal website... Think I will do option B.. since the 500 miles are not worth it :)

me4yankees
May 30, 06, 3:58 pm
FYI--I sent the following note to usairways.com tech support:

I do NOT have SSL (https://) for:
1. Logging In
2. My Account Summary
3. View My Miles
4. Manage Reservations
5. Update My Account

The only SSL section I have noted is under Payment Options in the Update My Account section. Shouldn't ALL of these sections containing the login and other personal information have SSL encryption?

I will let you know the reply.

ByrdluvsAWACO
May 30, 06, 4:17 pm
Jeez, now they're trying to save money on SSL certs. :rolleyes:

Phoenix Flyer
May 30, 06, 6:38 pm
Jeez, now they're trying to save money on SSL certs. :rolleyes:

Wowww. Ever since last Monday, I have stayed completely away from the US site. I figured I would give it 2 weeks to get straightened out. But, this issue sounds kind of major to me. I just logged onto 3 other carriers and all FF information is SSL protected.

ilmdsm
May 30, 06, 9:56 pm
I too e-mailed tech support for US Airways. It is beyond me as to why all pages where you have to enter data are not SSL. I also sent the same e-mail to the Chairman's desk...just to see what they have to say about it. :(

<< just received this auto-response from USAirways - "Thank you for contacting US Airways by email. US Airways responds to messages seven days per week usually within 5-7 business days". If it took me 5-7 business days to respond to my customers my business would be closed in 5-7 business days!! >>

Sally4th
May 31, 06, 4:11 am
<< just received this auto-response from USAirways - "Thank you for contacting US Airways by email. US Airways responds to messages seven days per week usually within 5-7 business days". If it took me 5-7 business days to respond to my customers my business would be closed in 5-7 business days!! >>

With the launch of the new website, this automated response originally said 24-48 hours. I guess they are getting inundated.

alanh
May 31, 06, 10:09 am
Limiting the use of SSL reduces server load, as the encryption takes a lot of CPU power.

For what it's worth, the transport layer (which SSL covers) is probably the least likely place for your information to be stolen. Someone would have to be sniffing traffic on one of the routers between you and US's server, and would have to pick out your data from the billions of other bytes flying around.

Most stolen information is done either by spyware on your PC, or by a break-in to the destination server. The usual metaphor for SSL is that it's an armored car delivering between two cardboard boxes. :D

Paul G.
May 31, 06, 10:52 am
There was a really interesting piece on NPR this morning about the ease with which identity thieves can ply their trade by picking information off of discarded boarding passes. The reporter found a BA BP left in a seat and had a hacker go to work. Was able to hack into the person's FF account and could have altered the user profile. Also was able to get a massive amount of additional personal information by extending the hacked information into additional database searches on the web. The moral of the story is that we might be better served by worrying about how we dispose of those used BPs (if you don't hang on to them to validate your miles)...

PHL
May 31, 06, 11:04 am
The moral of the story is that we might be better served by worrying about how we dispose of those used BPs (if you don't hang on to them to validate your miles)...

I don't throw away anything with my name or important numbers on it. That's what a home shredder is for.

As for SSL, it is true that encryption creates a heavier server load. But that's where SSL accelerators are useful (a hardware solution to relieve the database/web server of the encryption task).

With the IDs and passwords being sent back and forth in the clear, anyone sniffing the web traffic can get the info very easily. Indeed, this is very serious and the IT people implementing this should be fired (never mind the rest of the clusterf's that have already occurred with the site).

adzel
May 31, 06, 2:58 pm
Limiting the use of SSL reduces server load, as the encryption takes a lot of CPU power.

For what it's worth, the transport layer (which SSL covers) is probably the least likely place for your information to be stolen. Someone would have to be sniffing traffic on one of the routers between you and US's server, and would have to pick out your data from the billions of other bytes flying around.

Most stolen information is done either by spyware on your PC, or by a break-in to the destination server. The usual metaphor for SSL is that it's an armored car delivering between two cardboard boxes. :D

It certainly is true that spyware or a break-in on the server is much more likely to cause a problem if you are using landline connections (such as a cable modem from home or a T1 connection at the office or dial-up). That kind of sniffing or breaking into a router is relatively unlikely.

However, the userid and password to a travel website is particularly likely to be used in places like a hotel over unencrypted wireless 802.11 or at an airport over unencrypted wireless, and those are places where people might be very interested in sniffing for usernames and passwords, and it wouldn't be hard, since it is wireless in public areas.

I actually discovered the problem while trying to login to usairways.com in a hotel over wireless! Needless to say, I did NOT complete the login transaction. That is an environment that is particularly dangerous for sniffing.

gardener
May 31, 06, 3:56 pm
I highly recommend RoboForm (I actually use the USB version called Pass2Go). It enters your passwords without typing them thus guarding against keystroke loggers (spyware). Makes filling out forms superfast too.

alanh
May 31, 06, 4:39 pm
Okay, you got me there. They should use SSL for the login submission, at least, even if the rest of the site isn't SSL.

me4yankees
May 31, 06, 4:48 pm
I just think that the site areas that contain my login ID, my password, my account number, my name, my address, my telephone number, and other personal information should be SSL encrypted. That should not be too much to ask.

And I do shred my boarding passes and all other mail I receive with my personal information.

hoobly
Aug 9, 06, 12:01 pm
I just noticed that the Dividend Miles section of the website ("My Account" etc) is now HTTPS. Did this happen recently?

If it is new, the protection is somewhat pointless since the log in process continues to be unencrypted.

KevAZ
Aug 9, 06, 12:52 pm
I just noticed that the Dividend Miles section of the website ("My Account" etc) is now HTTPS. Did this happen recently?

If it is new, the protection is somewhat pointless since the log in process continues to be unencrypted.
:D Brought to you by those wonderful internal IT resources. Kind of like locking the windows to your house but leaving the front door wide open. :rolleyes:

murphy
Aug 9, 06, 3:51 pm
They are not doing an ssl postback. Their javascript is pretty well obfuscated, so it's hard to tell, but I sniffed the traffic and it's all http. That's pretty dumb. BTW, if anyone looks at the javascript, I'd like to make it very clear that I am not the Nick Murphy whose name appears in all the contents. I'd use https.

KevAZ
Aug 9, 06, 4:57 pm
BTW, if anyone looks at the javascript, I'd like to make it very clear that I am not the Nick Murphy whose name appears in all the contents. I'd use https.
:D :D :D :D

Sure, sure..... you bid the job with https then offshored it to China. We know how you're making your profit! :D

Pretty sad coding isn't it? I think I'll hire a web designer to fly the plane for my next flight......

me4yankees
Aug 9, 06, 6:55 pm
I just noticed that the Dividend Miles section of the website ("My Account" etc) is now HTTPS. Did this happen recently?

If it is new, the protection is somewhat pointless since the log in process continues to be unencrypted.

The SSL except login happened about a month or six weeks ago. I personally wrote tech support numerous times on this topic, beginning immediately after the website debut, then Customer Relations, etc. I also had someone post this issue on US Aviation at that time. I did ask that the login also be SSL but they never did do that.

