continental.com is unsecure

 
Old Feb 22, 12, 8:32 pm
  #1  
Original Poster
 
Join Date: Aug 2006
Programs: "all" airlines and hotels
Posts: 91

As a long time United (1k), thought I would update my profile on Continental.

Imagine my shock, when I found that on continental.com - as soon as I went to any aspect of "my profile" - you get dumped out of https into http!

This was in Chrome on a Mac.

Safari on a Mac - kept me in https!

I am running ghostery to minimize my giving my information away.

Anyone else seen this?

Nice way for Continental to give away your birth date and other information that should be kept confidential.
rsercely is offline  
Old Feb 22, 12, 8:46 pm
  #2  
 
Join Date: Sep 2011
Location: SFO
Programs: UA Plat, SPG Gold, Marriott Gold
Posts: 48
Used IE and it kept me https
SFO86 is offline  
Old Feb 22, 12, 9:03 pm
  #3  
 
Join Date: Jul 2010
Location: USA
Programs: UA Platinum, Marriott Silver
Posts: 124
Thanks for the heads up. I already signed up for a one pass account and linked to my ual account, but I will be more careful. Will check out from work tomorrow - mozilla I think...
HSmartt is offline  
Old Feb 22, 12, 9:14 pm
  #4  
FlyerTalk Evangelist
 
Join Date: Nov 2009
Location: Lawrence, KS | MCI
Programs: UA*G, Hyatt Globalist, Marriott Plat., NEXUS, Amex, TSA Disparager Unobtanium
Posts: 20,193
CO.sux kept me in https when I logged in with Firefox (my primary browser).
FriendlySkies is offline  
Old Feb 22, 12, 9:16 pm
  #5  
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, TK Elite, DL Gold, Hilton Diamond, Marriott Platinum, IHG Gold, Hertz PC, Avis First
Posts: 6,911
https all the way for me with FireFox 10.
docbert is offline  
Old Feb 22, 12, 9:22 pm
  #6  
 
Join Date: Jul 2005
Location: HNL
Programs: UA platinum, HA platinum, Hyatt, Hilton, Marriott, Priority Club, SPG
Posts: 347
Originally Posted by rsercely
Imagine my shock, when I found that on continental.com - as soon as I went to any aspect of "my profile" - you get dumped out of https into http!

This was in Chrome on a Mac.

Safari on a Mac - kept me in https!

I am running ghostery to minimize my giving my information away.

Anyone else seen this?
Is that why "https" is in red with an "x" over it in Chrome? I'm on a Mac also. What is ghostery? I've been slowly transitioning to Chrome but this is the third instance where Chrome either doesn't work or does something strange.
stravels is offline  
Old Feb 22, 12, 9:28 pm
  #7  
 
Join Date: Nov 2009
Location: Between EWR & PHL
Programs: UA MileagePlus dirt (former hard-way Silver); AS Mileage Plan MVP; Hilton Honors Silver
Posts: 1,583
Originally Posted by stravels
Is that why "https" is in red with an "x" over it in Chrome? I'm on a Mac also. What is ghostery? I've been slowly transitioning to Chrome but this is the third instance where Chrome either doesn't work or does something strange.
The red cross through the 'https:' in Chrome indicates that the data on the page is secure, but there are insecure ELEMENTS of the page (usually images). There's nothing wrong with the browser or the page.
Critic is offline  
Old Feb 22, 12, 9:33 pm
  #8  
 
Join Date: Oct 2002
Location: MRY
Programs: UA Platinum 2MM(BIS)
Posts: 181
If you believe that you have found personal information on an insecure web page, you can confirm/disprove this by tracing your own ethernet data packets using Wireshark. If you can see your details unenciphered in the trace data then please bleat like mad so that it will be fixed!!!

http://www.wireshark.org/
if1km is offline  
Old Feb 22, 12, 9:35 pm
  #9  
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: Bay Area, CA
Programs: UA Plat 2MM; AS MVP Gold 75K
Posts: 34,940
Originally Posted by Critic
The red cross through the 'https:' in Chrome indicates that the data on the page is secure, but there are insecure ELEMENTS of the page (usually images). There's nothing wrong with the browser or the page.

Even Firefox gives a similar such warning when doing a flight search at co.sux.

co.sux has been like this for years.
channa is online now  
Old Feb 22, 12, 9:38 pm
  #10  
 
Join Date: May 2011
Posts: 5,777
Originally Posted by Critic
The red cross through the 'https:' in Chrome indicates that the data on the page is secure, but there are insecure ELEMENTS of the page (usually images). There's nothing wrong with the browser or the page.
+1 ... unfortunately it shows their attention to detail in their code.

Probably images and it should be an easy fix (relative vs. absolute urls)
edcho is offline  
Old Feb 22, 12, 9:38 pm
  #11  
In Memoriam
 
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
If you click on the Red X you will see the following, showing that the page is encrypted, but has other items on it that are not.



Chrome lets you know when there is any item on the page that is not served from the secure server, which are probably image files.

Most other browsers do not let you know that.

Nothing is being given away
cordelli is offline  
Old Feb 22, 12, 11:03 pm
  #12  
FlyerTalk Evangelist
 
Join Date: May 2007
Location: Houston
Programs: UA Gold, Marriott Gold
Posts: 10,983
Originally Posted by Critic
The red cross through the 'https:' in Chrome indicates that the data on the page is secure, but there are insecure ELEMENTS of the page (usually images). There's nothing wrong with the browser or the page.
This means your session is not secure since the requests for the non-https content could be including your information.

to sCO IT. All elements should be secure when an https request is made
mduell is offline  
Old Feb 23, 12, 7:26 am
  #13  
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: Bay Area, CA
Programs: UA Plat 2MM; AS MVP Gold 75K
Posts: 34,940
Firefox Error

Login from the front page, then go do a flight search on the left side, and I always get:

Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?
channa is online now  
Old Feb 23, 12, 7:48 am
  #14  
 
Join Date: Sep 2001
Location: Austin, tx, USA
Programs: UA 1K, Hertz 5-star, Marriott Gold
Posts: 256
Originally Posted by mduell
This means your session is not secure since the requests for the non-https content could be including your information.

to sCO IT. All elements should be secure when an https request is made
Yes, a simple GET contains a lot of information
octopic is offline  
Old Feb 23, 12, 8:10 am
  #15  
 
Join Date: Dec 2010
Location: ORD
Programs: UA 1K/MM, MC Life Plat, HH Gold
Posts: 722
Even in IE and Safari there are periodic warnings about mixed insecure info on secure pages. Most likely images, but this is sloppy programming that could indeed open the door to an attack that would capture supposedly secure info. I guess this will be the new standard for the UA web site as of 3/3.
joel67 is offline  
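
Added example, not part of any post in this thread: a small audit that separates the cases the thread discusses on an https page, namely insecure images (the Chrome red x), a form whose data is submitted over http (the Firefox warning in post #13), and links that drop the user back to http. The page URL, host names and sample markup are constructed placeholders, and the tag list is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a URL or send data to it.
URL_ATTRS = {
    ("img", "src"): "passive",     # images: what Chrome's red x flagged
    ("script", "src"): "active",   # scripts can rewrite the whole page
    ("iframe", "src"): "active",
    ("link", "href"): "active",    # stylesheets
    ("form", "action"): "form",    # where entered data is submitted
    ("a", "href"): "navigation",   # link that drops the user out of https
}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = URL_ATTRS.get((tag, name))
            if kind is None or not value:
                continue
            # Relative and scheme-relative URLs inherit the page's scheme.
            resolved = urljoin(self.page_url, value)
            if urlsplit(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))

def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit applies to https pages only")
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup; the host and paths are placeholders.
SAMPLE = """
<img src="http://www.example.com/img/logo.gif">
<img src="/img/banner.gif">
<script src="//cdn.example.com/app.js"></script>
<form action="http://www.example.com/search" method="get"><input name="from"></form>
<a href="http://www.example.com/profile">My profile</a>
"""

if __name__ == "__main__":
    for kind, tag, url in audit("https://www.example.com/account", SAMPLE):
        print(f"{kind:10} <{tag}> {url}")
```

The relative and scheme-relative URLs in the sample produce no finding, which is the "relative vs. absolute urls" fix suggested in post #10.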
