Comments on: Force CommSec to Use HTTPS with NoScript

By: Chris

Chris — Wed, 04 Nov 2009 09:17:46 +0000

@tradedogg: You’re right that, when there is no attacker, the content frame loads a page over SSL and that that particular page is encrypted and secure. The problem is that the page that contains that frame is itself delivered without SSL. That means that that parent page can be changed by a man-in-the-middle.

And if a man-in-the-middle can change the parent page, he could change it so that the page in content frame, which would normally be delivered over SSL, would be delivered without SSL. If you entered any information into the content frame then, it could be read by an attacker.

So long as you check that the page in the content frame is being delivered over SSL and from comsec.com.au each and every time (by right-clicking on the page and selecting Properties, as you suggested), you would be safe. But you would have to do this for every single page in the content frame before you enter any data into it. No one’s going to do that regularly. Do you?

If you don’t do that, then you’ll be secure only so long as there is no man-in-the-middle attacker.

See here for further details.

By: tradedogg

tradedogg — Wed, 04 Nov 2009 06:04:26 +0000

if you right click on any secure page while logged into commsec and go to properties you will see that even though the address bar does not show https, the actual content on all secure pages is https. So yeah in other words dont waste ur time the commsec website is secure..

By: Online broker CommSec criticised for weak passwords, lack of SSL | Zero Day | ZDNet.com

Wed, 29 Apr 2009 15:43:11 +0000

[...] newly introduced password best practices come a month after another security design flaw was exposed at the online broker – CommSec’s use of non-SSL frames pages potentially resulting in [...]