How to decide whether an eshop is safe or compromised
So, I am having this issue where I want to buy a specific Wacom product, but their online store (eu-store.wacom.com and us-store.wacom.com), even though it is being accessed through https, does not convince my Firefox that it's safe.
The actual Wacom homepage www.wacom.com shows up with a proper green lock and is verified by GoDaddy. Their eshop is under the same wacom.com domain, but the GoDaddy verification is missing.
My questions are: why is this inconsistency happening, how can I verify that the store page is indeed Wacom's, and ultimately, is it safe for me to purchase stuff with my card through it?
tls web-browser
23
Just an FYI, if a site was compromised and modified (not redirected to another malicious site), it will still show a green "secure" icon since those certificate checks only verify the certificate and URL.
– user
2 days ago
1
Similar issue to security.stackexchange.com/questions/147928/… but a different warning, as it's a different web browser. But fundamentally the same issue.
– user1
yesterday
As an additional safeguard, many credit cards and banks now offer virtual account numbers, sometimes called “ShopSafe” or similar. You log into your account online and generate a disposable credit card number to use for a single purchase or a single recurring purchase, for a specified amount. If the number is later compromised it won’t matter.
– Wildcard
yesterday
asked 2 days ago by Eternal_Light (edited 2 days ago)
3 Answers
On eu-store.wacom.com, some images from their Amazon CDN are requested over http instead of https. This can be solved by installing HTTPS Everywhere and turning on "Encrypt All Sites Eligible":
The gray padlock means all resources are served securely. So the webstore is most likely not compromised. They are still using an outdated cipher based on CBC and SHA1, so a nation-state power might still be able to intercept or even MITM the connection.
HTTPS Everywhere uses a whitelist approach, which is inherently flawed. I would instead recommend "Smart HTTPS" or any other addon that enforces HTTPS really everywhere (then falls back to HTTP on issues).
– A. Hersean
2 days ago
@A.Hersean I don't know about the Firefox version, but the Chrome version only seems to work for URL-bar URLs, not image loads or fetch requests. That kind of defeats the point :(
– Jenessa
2 days ago
5
@A.Hersean HTTPS Everywhere does have an "Encrypt All Sites Eligible" mode that requires an explicit confirmation before allowing unencrypted requests, but it is off by default, so it should probably be mentioned in the answer.
– AndrolGenhald
2 days ago
1
You're right, Smart HTTPS does not block image loads over HTTP, but I have another extension that blocks them, so I didn't mind. I tried "Encrypt All Sites Eligible" in the drop-down menu of the addon: it's a new feature I didn't know, and it appears to work as intended. I agree with @AndrolGenhald: it should be mentioned in the answer.
– A. Hersean
2 days ago
1
If this scenario occurs, all active and active mixed content will be blocked. The only passive content allowed via http will be (from developer.mozilla.org/en-US/docs/Web/Security/Mixed_content): <img>, <audio> and <video> src tags, and <object> subresources. So no stylesheets or fetch requests etc. will be allowed via http.
– Jenessa
2 days ago
My questions are, why is this inconsistency happening
This is known as mixed content, where the page is loaded with HTTPS, while some parts (images) are loaded via insecure HTTP.
how can I verify that the store page is indeed wacom's
As long as your system has not been compromised, the only way is to use HTTPS Everywhere and visit the correct URL; otherwise the HTTP can be MITM'd and the response returned could itself be a phishing page.
NOTE: This answer ignores all the other web/browser vulnerabilities.
is it safe for me to purchase stuff with my card through it?
Well, they probably redirect you to a different website when it's time to pay, which might use HTTPS. Apart from that, images can be tampered with in a MITM situation. The most an attacker can do is:
Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they should not be able to steal your personal data from the site.
This answer has some problems, for example "As long as your system has not been compromised then the only way to know is to visit the correct URL.For ex you know google is at www.google.com" is not true if Google doesn't use HSTS Preloading and you're visiting for the first time
– Jenessa
2 days ago
Phishing sites usually have different URLs. But if eu-store.wacom.com was being MITM'd (due to dysfunctional https), it could be a phishing site while still having a legitimate URL, right? So just checking the URL is not enough.
– Jenessa
2 days ago
@Jenessa I understood your point and edited.
– Vipul Nair
2 days ago
On eu-store.wacom.com, some images from their Amazon CDN are requested over http instead of https
Let me continue from that. Firefox says it's not 100% secure because it's loading unprotected content. I would say, naively... it's 95% secure.
Now, it doesn't mean the site wacom.com is not legitimate, but perhaps misconfigured. If you buy today from that site, it's not likely that you are paying a scammer pretending to be Wacom, but see later.
On the contrary, unprotected content served over http can be a danger to Wacom themselves, who did not configure their store correctly.
Apart from what government-level attackers can do, here are some examples of what a real attacker can do in a MitM attack over plain old http:
- Images served over http may display something else than the product you are going to buy
- Javascript (and possibly CSS) served over http can be altered and cause any possible harm, including sniffing your credit card number
- Iframes served over http can be altered and cause a number of damages, but probably not sniff your CC number (correct me if I am wrong)
Of course I am speaking from a more protocol-theoretical PoV.
So...
how can I verify that the store page is indeed wacom's?
Yes, they are them. The site is not compromised, but vulnerable.
is it safe for me to purchase stuff with my card through it
Probably from your home network. I would always avoid sensitive browsing over public wifis or Tor without proper encryption.
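An added example, not code from the thread or from Wacom: a small Python scanner that applies the passive/active split from Jenessa's MDN citation and the third answer's list of http-served subresources (images, scripts/CSS, iframes) to a constructed storefront page, so you can see which plain-http fetches a browser blocks outright and which merely downgrade the padlock to "not fully secure". The hostnames in the sample page are invented placeholders; the page URL is assumed to be https, since mixed content is only defined for an https page.

```python
"""Mixed-content triage for an HTTPS page (added example, not code from the thread)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which (tag, attribute) pairs fetch a subresource, and how browsers treat a plain-http
# fetch of each: "passive" per the MDN mixed-content page cited in the thread
# (<img>, <audio>, <video> src and <object> data), "active" for script, stylesheet and
# iframe loads, which can run code or rewrite the page.
SUBRESOURCES = {
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("object", "data"): "passive",
    ("script", "src"): "active",
    ("link", "href"): "active",   # counted only when rel contains "stylesheet"
    ("iframe", "src"): "active",
}

# Constructed sample page: hostnames are invented placeholders, not Wacom's real CDN.
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="https://eu-store.example/css/shop.css">
  <link rel="stylesheet" href="http://cdn.example/css/theme.css">
  <link rel="icon" href="http://cdn.example/favicon.ico">
  <script src="http://cdn.example/js/checkout.js"></script>
</head><body>
  <img src="http://cdn.example/img/tablet.jpg">
  <img src="//cdn.example/img/pen.jpg">
  <video src="http://cdn.example/media/demo.mp4"></video>
  <iframe src="http://partner.example/reviews"></iframe>
  <object data="http://cdn.example/legacy.swf"></object>
  <a href="http://www.example/help">help (a navigation link is not a subresource)</a>
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collect every subresource that an https page would fetch over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in SUBRESOURCES.items():
            if t != tag or not attrs.get(attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # icons, preloads etc. are not the CSS case discussed above
            # urljoin resolves relative and protocol-relative ("//host/...") URLs
            # against the https page, so only literal http:// references remain http.
            url = urljoin(self.page_url, attrs[attr])
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, url, kind))


def scan_mixed_content(html, page_url):
    """Return {"active": [(tag, url)], "passive": [(tag, url)]} for http-fetched subresources."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for a page loaded over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {
        "active": [(t, u) for t, u, k in scanner.findings if k == "active"],
        "passive": [(t, u) for t, u, k in scanner.findings if k == "passive"],
    }


def browser_verdict(result):
    """What a current browser does, as described in the thread: active mixed content
    is blocked outright, passive mixed content loads but downgrades the padlock
    ("not fully secure"), and a page with neither gets a clean padlock."""
    if result["active"]:
        return "active-blocked"
    if result["passive"]:
        return "passive-warning"
    return "clean"


if __name__ == "__main__":
    result = scan_mixed_content(SAMPLE_HTML, "https://eu-store.example/")
    for kind in ("active", "passive"):
        for tag, url in result[kind]:
            print(f"{kind:8s} <{tag}> {url}")
    print("verdict:", browser_verdict(result))
```

The passive findings are the ones a MitM on the http leg can swap for misleading images or media; the active ones are what the browser refuses to load at all, which is why a store that only has http images still shows a working, if downgraded, padlock.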
The first answer above (HTTPS Everywhere) was answered 2 days ago by Jenessa and edited 2 days ago.
The second answer above (mixed content) was answered 2 days ago by Vipul Nair and edited 2 days ago.
This answer has some problems, for example "As long as your system has not been compromised then the only way to know is to visit the correct URL.For ex you know google is at www.google.com" is not true if Google doesn't use HSTS Preloading and you're visiting for the first time.
– Jenessa
2 days ago
Phishing sites usually have different URLs. But if eu-store.wacom.com was being MITM'd (due to dysfunctional HTTPS), it could be a phishing site while still having a legitimate URL, right? So just checking the URL is not enough.
– Jenessa
2 days ago
@Jenessa I understood your point and edited.
– Vipul Nair
2 days ago
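The point raised in the comments, that visiting the correct URL only helps once the browser already knows the site is HTTPS-only, is easy to see with a small model. The script below is an added example and is not code from the question, the answer or the comments: it parses a Strict-Transport-Security header the way a browser does, lists what would keep a site off the browser preload list, and keeps a minimal in-memory HSTS cache to show which visit is the unprotected one. All host names and header values in it are constructed placeholders.

```python
"""HSTS and the first-visit problem (added example, not from the original thread).

parse_hsts()       parses a Strict-Transport-Security header per RFC 6797.
preload_problems() lists why a policy would be rejected by the browser preload list.
simulate_visits()  models a browser's HSTS cache: without preloading, the very
                   first navigation to a typed hostname still goes out over http.
Host names and header values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # seconds; the preload list requires a max-age of at least one year


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Policy carried by a Strict-Transport-Security header, or None if absent or invalid."""
    if not header:
        return None
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: browsers discard the whole header
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None or max_age < 0:
        return None  # max-age is mandatory (RFC 6797 section 6.1.1)
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(policy: Optional[HstsPolicy]) -> List[str]:
    """Reasons the policy would not be accepted for the browser preload list."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append("max-age below one year")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if not policy.preload:
        problems.append("missing preload")
    return problems


class HstsStore:
    """Minimal browser-side HSTS cache keyed by host (expiry handling omitted)."""

    def __init__(self, preloaded=()):
        self.known = set(preloaded)  # hosts shipped with the browser's preload list

    def should_upgrade(self, host: str) -> bool:
        # A known host is rewritten to https:// before any request leaves the machine.
        return host in self.known

    def observe_response(self, host: str, scheme: str, headers: Dict[str, str]) -> None:
        # RFC 6797: the header is only honoured when received over a secure transport,
        # so someone on a plain-http path can neither set nor clear a policy.
        if scheme != "https":
            return
        lower = {k.lower(): v for k, v in headers.items()}
        policy = parse_hsts(lower.get("strict-transport-security"))
        if policy is None:
            return
        if policy.max_age == 0:
            self.known.discard(host)  # max-age=0 tells the browser to forget the host
        else:
            self.known.add(host)


def simulate_visits(host: str, https_headers: Dict[str, str], preloaded=(), visits: int = 2) -> List[str]:
    """Scheme used for each navigation when the user types the bare hostname.

    Assumes the legitimate site redirects http to https and sends its HSTS
    header on the https response (what a correctly configured store does).
    """
    store = HstsStore(preloaded)
    schemes = []
    for _ in range(visits):
        schemes.append("https" if store.should_upgrade(host) else "http")
        store.observe_response(host, "https", https_headers)
    return schemes


if __name__ == "__main__":
    GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
    print(simulate_visits("shop.example.com", GOOD))  # ['http', 'https']
    print(simulate_visits("shop.example.com", GOOD, preloaded={"shop.example.com"}))  # ['https', 'https']
    print(preload_problems(parse_hsts("max-age=300")))
```

For a site that is not preloaded, `simulate_visits` returns `['http', 'https']`: the first navigation is the one that goes out in the clear and can be intercepted, and only the HSTS header received over https on that visit protects the ones that follow. With the host in the preload set both visits are `https`, which is the case the comment is contrasting.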
On eu-store.wacom.com, some images from their Amazon CDN are requested over http instead of https
Let me continue from that. Firefox says it's not 100% secure because it's loading unprotected content. I would say, naively... it's 95% secure.
Now, it doesn't mean the site wacom.com is not legitimate, but perhaps misconfigured. If you buy today from that site, it's not likely that you are paying a scammer pretending to be Wacom, but see later.
On the contrary, unprotected content served over http can be a danger to Wacom themselves, who did not configure their store correctly.
Apart from what government-level attackers can do, here are some examples of what a real attacker can do in a MitM attack over plain old http:
- Images served over http may display something other than the product you are going to buy
- JavaScript (and possibly CSS) served over http can be altered and cause any possible harm, including sniffing your credit card number
- Iframes served over http can be altered and cause a number of damages, but probably not sniff your CC number (correct me if I am wrong)
Of course I am speaking from a more protocol-theoretical PoV.
So...
how can I verify that the store page is indeed wacom's?
Yes, they are them. The site is not compromised, but vulnerable.
is it safe for me to purchase stuff with my card through it
Probably from your home network. I would always avoid sensitive browsing over public wifis or Tor without proper encryption.
edited yesterday
answered 2 days ago
usr-local-ΕΨΗΕΛΩΝ
2,209 1 gold badge 9 silver badges 22 bronze badges
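Both answers rest on the same distinction: an image fetched over http lets someone on the path change what is displayed, while a script, stylesheet or iframe fetched over http lets them act inside the page. That distinction can be checked mechanically, and the scanner below is an added example, not code from the question, the answers or Wacom. It parses a page's HTML, reports every subresource an https page would fetch over plain http, classifies each as passive or active in the way browsers do, and checks whether the response's Content-Security-Policy already tells browsers to upgrade or block such loads. The sample page, host names and headers are constructed placeholders.

```python
"""Mixed-content scanner (added example, not from the original thread).

Given the URL of an https page and its HTML, list every subresource that would
be fetched over plain http, classified the way browsers classify it:
  passive - img/audio/video: someone on the path can only swap what is shown
  active  - script/stylesheet/iframe/object/embed/form action: someone on the
            path can run code in the page or receive what the user submits
Sample page, host names and headers below are constructed placeholders.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Finding = Tuple[str, str, str]  # (kind, tag, absolute_url)

PASSIVE = {"img": ("src",), "video": ("src", "poster"), "audio": ("src",), "source": ("src",)}
ACTIVE = {"script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",),
          "form": ("action",)}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets run in the page; icons and preloads are not classified here.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self._check("active", tag, attrs["href"])
            return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for name in table.get(tag, ()):
                if attrs.get(name):
                    self._check(kind, tag, attrs[name])

    def _check(self, kind: str, tag: str, ref: str) -> None:
        # Relative and protocol-relative (//host/...) references inherit https from
        # the page, so only references that spell out http:// are mixed content.
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def scan_mixed_content(page_url: str, html: str) -> List[Finding]:
    """All insecure subresources of an https page, in document order."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages in a secure context
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def worst_kind(findings: List[Finding]) -> Optional[str]:
    """'active' if any script/CSS/iframe/form loads insecurely, 'passive' if only media, else None."""
    kinds = {kind for kind, _, _ in findings}
    return "active" if "active" in kinds else ("passive" if "passive" in kinds else None)


def has_upgrade_directive(headers: Dict[str, str]) -> bool:
    """True if the CSP already tells browsers to upgrade or block insecure subresources."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    names = {d.strip().split()[0].lower() for d in csp.split(";") if d.strip()}
    return bool(names & {"upgrade-insecure-requests", "block-all-mixed-content"})


# Constructed sample: a store page on https with one image and one script on http.
SAMPLE_PAGE_URL = "https://shop.example.com/product/123"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://shop.example.com/css/main.css">
<script src="/js/app.js"></script>
</head><body>
<img src="http://cdn.example.net/products/tablet.jpg" alt="product photo">
<img src="//cdn.example.net/products/pen.jpg" alt="protocol-relative, inherits https">
<script src="http://cdn.example.net/js/analytics.js"></script>
<iframe src="https://pay.example.com/checkout"></iframe>
<form action="/cart" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    found = scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for kind, tag, url in found:
        print(f"{kind:7} <{tag}> {url}")
    print("worst:", worst_kind(found))  # active
    print("CSP fix present:", has_upgrade_directive({"Content-Security-Policy": "default-src 'self'"}))  # False
```

On the constructed page the scanner reports one passive finding (the product image) and one active finding (the analytics script), so `worst_kind` returns `active`: the situation the second answer describes as "vulnerable, not compromised", where a misconfigured subresource, not the store's identity, is the problem. A site owner fixing this would either rewrite the references to https or add `upgrade-insecure-requests` to the Content-Security-Policy header, which `has_upgrade_directive` detects.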
23
Just an FYI, if a site was compromised and modified (not redirected to another malicious site), it will still show a green "secure" icon since those certificate checks only verify the certificate and URL.
– user
2 days ago
1
Similar issue to security.stackexchange.com/questions/147928/… but a different warning, as it's a different web browser. But fundamentally the same issue.
– user1
yesterday
As an additional safeguard, many credit cards and banks now offer virtual account numbers, sometimes called “ShopSafe” or similar. You log into your account online and generate a disposable credit card number to use for a single purchase or a single recurring purchase, for a specified amount. If the number is later compromised it won’t matter.
– Wildcard
yesterday