On 20 March 2008, I wrote about CommSec’s use of non-SSL frames pages for its online banking. Although the CommSec homepage is delivered using SSL with an Extended Validation Certificate, once you log in you’re presented with a non-SSL frames page:
gHacks posted recently that you can use NoScript, an add-on for Firefox, to force the browser to use HTTPS for specified domains. You can use it to force CommSec to use HTTPS too.
To do this, download NoScript from here. Open the options for NoScript and go to the HTTPS sub-tab on the Advanced tab. Under ‘Force the following sites to use secure (HTTPS) connections’, enter ‘*.comsec.com.au’:
Now, the CommSec website should always use HTTPS:
You can use this same method to force other websites to use HTTPS too, like Facebook or Twitter.
Remember, though, that NoScript’s primary function is to block scripts and other active content found on most websites. This is useful for security-conscious users, but it’ll break most websites.
If you want to force certain websites to use HTTPS but don’t want to block scripts or other active content, you have to disable that blocking in the NoScript options.
Update: It turns out that forcing HTTPS connections for *.comsec.com.au breaks some functionality. Forcing HTTPS connections for only www.comsec.com.au achieves the same goal, but without breaking anything (that I know of):
The reason why *.comsec.com.au doesn’t work is that CommSec doesn’t support HTTPS connections to prices.comsec.com.au. So when you try to get a stock quote, your browser will attempt an HTTPS connection, which will fail.
Now, quotes should work, but they will be delivered over HTTP. And your browser will give you a warning to that effect.
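To make the difference between the two rules concrete, here is an added example (not NoScript’s own code, and not a description of its internals): a small model of a “force HTTPS” rule list that rewrites http:// URLs for matching hosts. The wildcard semantics (‘*.’ matching the domain itself and any subdomain) and the table of which hosts speak HTTPS are assumptions for the example; the table only encodes what the post says, that prices.comsec.com.au has no HTTPS.

```javascript
// Added example: a minimal model of a "force HTTPS" rule list, to show why
// '*.comsec.com.au' breaks stock quotes while 'www.comsec.com.au' does not.
// This is illustrative code, not NoScript's implementation.

// Hosts assumed to accept HTTPS. Constructed for this example from the post's
// statement that prices.comsec.com.au does not support HTTPS.
const HTTPS_CAPABLE = new Set(['www.comsec.com.au']);

// Does a rule such as '*.comsec.com.au' or 'www.comsec.com.au' match a host?
// Assumed wildcard semantics: '*.' matches the domain and any subdomain.
function ruleMatches(rule, host) {
  if (rule.startsWith('*.')) {
    const suffix = rule.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return host === rule;
}

// Apply the rule list: rewrite http:// to https:// when any rule matches.
function forceHttps(rules, urlString) {
  const url = new URL(urlString);
  if (url.protocol === 'http:' && rules.some(r => ruleMatches(r, url.hostname))) {
    url.protocol = 'https:';
  }
  return url.toString();
}

// Simulate what happens next: 'fail' when HTTPS was forced onto a host that
// has no HTTPS listener, otherwise 'ok', plus whether the final URL is encrypted.
function simulateRequest(rules, urlString) {
  const finalUrl = forceHttps(rules, urlString);
  const url = new URL(finalUrl);
  if (url.protocol === 'https:' && !HTTPS_CAPABLE.has(url.hostname)) {
    return { url: finalUrl, outcome: 'fail', encrypted: false };
  }
  return { url: finalUrl, outcome: 'ok', encrypted: url.protocol === 'https:' };
}

// Constructed sample URLs (paths are hypothetical).
const QUOTE_URL = 'http://prices.comsec.com.au/quote?code=CBA';
const LOGIN_URL = 'http://www.comsec.com.au/Login';

console.log(simulateRequest(['*.comsec.com.au'], QUOTE_URL));   // outcome: 'fail'
console.log(simulateRequest(['www.comsec.com.au'], QUOTE_URL)); // outcome: 'ok', encrypted: false
console.log(simulateRequest(['www.comsec.com.au'], LOGIN_URL)); // https://www.comsec.com.au/Login
```

The exact rule keeps quotes working only by leaving them unencrypted, which is exactly the mixed-content warning the browser then shows; a rule list can only upgrade to HTTPS what the server is actually prepared to serve.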
If you right-click on any secure page while logged into CommSec and go to Properties, you will see that even though the address bar does not show https, the actual content on all secure pages is https. So yeah, in other words, don’t waste your time; the CommSec website is secure.
@tradedogg: You’re right that, when there is no attacker, the content frame loads a page over SSL and that that particular page is encrypted and secure. The problem is that the page that contains that frame is itself delivered without SSL. That means that that parent page can be changed by a man-in-the-middle.
And if a man-in-the-middle can change the parent page, he could change it so that the page in the content frame, which would normally be delivered over SSL, would be delivered without SSL. If you entered any information into the content frame then, it could be read by an attacker.
So long as you check that the page in the content frame is being delivered over SSL and from comsec.com.au each and every time (by right-clicking on the page and selecting Properties, as you suggested), you would be safe. But you would have to do this for every single page in the content frame before you enter any data into it. No one’s going to do that regularly. Do you?
If you don’t do that, then you’ll be secure only so long as there is no man-in-the-middle attacker.
See here for further details.
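The check described in the reply above (is every content frame delivered over SSL, and from comsec.com.au?) can be written down as an audit over the parent page’s HTML. This is an added example, not CommSec’s code or the commenter’s; the frameset markup and page paths are constructed for the illustration, and the regex scan is a deliberate simplification rather than a full HTML parser.

```javascript
// Added example: audit the frame sources of a parent page, i.e. the manual
// Properties check from the comments, automated. Constructed sample HTML below.

const TRUSTED_DOMAIN = 'comsec.com.au';

// Collect src attributes from <frame> and <iframe> tags. Simple regex scan,
// adequate for this illustration; a real audit would use a DOM parser.
function frameSources(html) {
  const re = /<i?frame\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const sources = [];
  let match;
  while ((match = re.exec(html)) !== null) sources.push(match[1]);
  return sources;
}

function isTrustedHost(host) {
  return host === TRUSTED_DOMAIN || host.endsWith('.' + TRUSTED_DOMAIN);
}

// Return a list of problems; an empty list means every frame is HTTPS and on
// comsec.com.au. A non-HTTPS parent page is reported as well, because that is
// what lets a man-in-the-middle rewrite the frame sources in the first place.
function auditFrames(parentUrl, html) {
  const problems = [];
  if (new URL(parentUrl).protocol !== 'https:') {
    problems.push(`parent page ${parentUrl} is not delivered over HTTPS`);
  }
  for (const src of frameSources(html)) {
    const u = new URL(src, parentUrl); // resolve relative sources against the parent
    if (u.protocol !== 'https:') problems.push(`frame ${src} is not HTTPS`);
    if (!isTrustedHost(u.hostname)) problems.push(`frame ${src} is not on ${TRUSTED_DOMAIN}`);
  }
  return problems;
}

// Constructed sample: a parent page served over plain HTTP (hypothetical paths)...
const PARENT_URL = 'http://www.comsec.com.au/Public/HomePage.aspx';
const ORIGINAL_HTML = `<frameset cols="200,*">
  <frame name="menu" src="https://www.comsec.com.au/Public/Menu.aspx">
  <frame name="content" src="https://www.comsec.com.au/Private/Portfolio.aspx">
</frameset>`;

// ...and the same page after a man-in-the-middle has downgraded the content frame.
const TAMPERED_HTML = ORIGINAL_HTML.replace(
  'https://www.comsec.com.au/Private/Portfolio.aspx',
  'http://www.comsec.com.au/Private/Portfolio.aspx');

console.log(auditFrames(PARENT_URL, ORIGINAL_HTML)); // 1 problem: the HTTP parent
console.log(auditFrames(PARENT_URL, TAMPERED_HTML)); // 2 problems: parent + downgraded frame
```

Even the untampered page reports one problem, the unencrypted parent, which is the whole point of the post: the frame contents being HTTPS is only as trustworthy as the page that chose their addresses.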