Https zone partially encrypted: security issue
Since yesterday I see that the https zone is partially encrypted because when I log in I see that the padlock does not display in Firefox 17.01. I have checked the images but all the links start with https.
I have tried with IE 9 (with latest update) and when I enter the https zone I am told that only the encrypted data are displayed. There is an option to display all the data (encrypted and non-encrypted) but when I select it I see no difference.
I therefore assume that the security issue is not related to the images but to something else.
It would be very nice if one of the administrators could forward the information to the website technicians...
I have submitted no ticket since it seems that it is impossible to contact the website support via the help desk...
Thank you very much.
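An added example, not part of the original post: a page whose images are all https can still lose the padlock if anything else is fetched from, or submitted to, an http:// URL. This sketch lists such references in a page's HTML; the sample markup and the example.test host names are constructed assumptions, not taken from the site discussed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch from or submit to a URL.
# "active" content can rewrite the page, "passive" is display-only,
# "submit" is where form data (e.g. a password) is sent.
URL_ATTRS = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",
    ("form", "action"): "submit",
    ("img", "src"): "passive",
}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are fetched; a canonical link is not a subresource.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, a), kind in URL_ATTRS.items():
            url = (attrs.get(a) or "").strip()
            if t == tag and url.lower().startswith("http://"):
                self.findings.append((kind, tag, a, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample: a login page served over https whose images are all https.
SAMPLE = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://shop.example.test/login">
<script src="https://shop.example.test/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
</head><body>
<img src="https://shop.example.test/logo.png">
<form action="http://shop.example.test/login" method="post"><input name="user"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE):
        print(*finding)
```

On the sample it reports the stylesheet, the second script and the form target, and nothing for the image.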
Comments
I noticed this too yesterday (Firefox 15.0.1) when I tried to log in to PM a client.
I almost didn't log in at all, but I really needed to update my client, so against my better judgement I submitted my log-in info on this unsecured platform.
I thought it was just me, or a glitch, so I refreshed the page close to twenty times, tried going to the log-in page from different areas of the site, hand typed in the address, and even rebooted Firefox. All to no avail.
Firefox told me that the page was unsecured, and data transferred (log in identity and password) could be intercepted in transit.
I felt very uneasy about logging in (and again tonight), but thought I was just being paranoid. But, now since you confirmed this, I am fully feeling paranoid.
Guess it's time to change my info.
I second the request for DAZ gurus to address this matter. Yeah, it's not my bank log-in, but it could still lead to issues.
Was the standard DAZ site ever in https? I think not, just if you check out then it is https.
Here is a screenshot of the checkout zone: the padlock is not visible...
The connection is not completely encrypted...
But as no payment information is held on site, there should be no inherent problem.
http://www.daz3d.com/forums/discussion/2639_4/
There is a problem because sensitive data are sent when CC data are submitted and if the server is not secure...
As someone who has worked with payments online with a company that also didn't hold credit card numbers, we were required to also pass the test it talks about in your reference, chohole; however, we were also required to have an SSL (Secure Sockets Layer (SSL) is a protocol designed to enable applications to transmit information back and forth securely) on the server that passed the information to our credit card servicing company, as the passage from our server to theirs had to be secure and have this validation. Now, admittedly, I am in a different state than DAZ. SSLs are not overly expensive, but they are a pain in the butt to install on the managing server. True PCI compliance, from what I understand, means the server that passes this information has to have an SSL.
That being said, there is a reason I use a card with just a little money on it when I shop anywhere online; I am just paranoid that way.
I have reported the issue to the store and I have asked that they forward the issue to the right people.
If you check now you should see that the issue has been sorted out.
I see that it is fixed but it must not be thanks to you since here is what you replied:
But as no payment information is held on site, there should be no inherent problem.
I am only a Moderator, I can't solve any problems of any sort, but can pass them on when highlighted. You filed a support ticket as well, which is more information for them. We were told, as in the thread I linked to, that no information was held on site.
Yes but here is what you have replied:
But as no payment information is held on site, there should be no inherent problem.
Therefore...
Anyway, holding information on a server is one thing and sending CC data on a partially encrypted server is different. As a forum administrator and customer it is something that you should know.
Agreed, and now I do know, I obviously was only partially informed, or something had changed temporarily, which is now fixed.
But no credit card data is transferred when you purchase from the store, if you have your card details saved with DAZ 3D, which was why I said what I did.
I'm glad, and relieved to see it has been rectified...
Thank you DAZ for your prompt attention.
cosmo71:
Yes, it has always been encrypted, and showing both the encryption padlock and the https header.
Being very paranoid after three (that's THREE) times a victim of identity theft (including credit card), I make sure that padlock and https header are there for any secure log-in I use.
I know it wasn't Firefox, because Yahoo mail log-in retained its encryption integrity.
chohole:
I respectfully disagree with your assessment.
Within the past two weeks I had read a forum thread here regarding one of our fellow patrons who had his deleted, supposedly non-existent, non-stored credit card info auto-charged for a long since canceled Platinum Club membership (I am fuzzy on the details, but that was the gist of it).
Barring that concern alone, what of our Gift Card/Store Credits stored under our accounts?
That's what really concerns me. That someone could intercept my log-in details, log in as me, and use my credit to make purchases. Then, when I was ready to make a purchase I would find out the hard way from DAZ that I have already "used up" all my credit.
These are just "what if's", of course, but it's better to be safe than sorry...
That's not quite true. One piece of data relating to the credit card is transferred with each purchase: the security code.