Author Topic: Booking flight on http website  (Read 1186 times)

Booking flight on http website
« on: October 16, 2018, 10:52:49 pm »
I was helping someone  to buy a fight ticket from an airline but didn't notice the airline's website did not have a secure encrypted connection, ie http instead of https.

I'm using the "HTTPS Everywhere" add-on on my browser and if I set it to block insecure websites and then try to open the airline's website using https, I get "502 Bad Gateway".

Information sent include name, date of birth, passport no, credit card details inc 3 digits on back, email, phone no.

How bad is this? What are the chances of all the info ending up where it shouldn't?

Re: Booking flight on http website
« Reply #1 on: October 16, 2018, 11:21:20 pm »
No website that processes credit card details is allowed to be unencrypted (PCI-DSS rules), so if it is you should be reporting it.

It's possible it was an HTTPS page embedded in an HTTP frame. Not ideal, but should mean your details aren't sent over the wire unencrypted.

I wouldn't read too much into the home page not being available in HTTPS. That's not unusual.

tonycollinet

  • No Longer a western province of Númenor
Re: Booking flight on http website
« Reply #2 on: October 17, 2018, 06:34:40 am »
What is the site?

Re: Booking flight on http website
« Reply #3 on: October 17, 2018, 06:48:05 am »
My first concern would be that you're not on the airline's genuine site, you're on a fake.

Re: Booking flight on http website
« Reply #4 on: October 18, 2018, 01:13:13 pm »
No website that processes credit card details is allowed to be unencrypted (PCI-DSS rules), so if it is you should be reporting it.

It's possible it was an HTTPS page embedded in an HTTP frame. Not ideal, but should mean your details aren't sent over the wire unencrypted.

I wouldn't read too much into the home page not being available in HTTPS. That's not unusual.

I would.
Any personal information (not just credit card details) transmitted too that website should be HTTPs (TLS) encrypted. If it isn't, that should be considered a breach of GDPR and Data Protection Act (2018).

Most With web browser increasingly shwowing warnings upon visiting or filling in forms on HTTP sites, if this website is genuine than this company has not got it's shit together and cannot be trusted with personal data.
A Few Apples Short of a Strudel

Woofage

  • Ain't no hooves on my bike.
Re: Booking flight on http website
« Reply #5 on: October 18, 2018, 01:33:32 pm »
It's bad practice but probably not anything to worry about*, because what happens next is that all the information you've entered into the booking form is sent back to you by e-mail  ::-).

* except CC details, obv.
Pen Pusher

Re: Booking flight on http website
« Reply #6 on: October 18, 2018, 01:37:14 pm »
It's bad practice but probably not anything to worry about*, because what happens next is that all the information you've entered into the booking form is sent back to you by e-mail  ::-).

* except CC details, obv.

Which again would be in breach if it includes personal data. Hence many organisations will feature a link allowing you to log-in and view the booking confirmation, or encourage you to download an app so that they can collect event more personal data legally and sell it on.
A Few Apples Short of a Strudel

Woofage

  • Ain't no hooves on my bike.
Re: Booking flight on http website
« Reply #7 on: October 18, 2018, 01:54:36 pm »
How can sending a customer's own details back to them be a breach of GDPR?
Pen Pusher

Kim

  • 2nd in the world
Re: Booking flight on http website
« Reply #8 on: October 18, 2018, 02:28:42 pm »
How can sending a customer's own details back to them be a breach of GDPR?

I suppose that depends on whether you can guarantee that TLS will be used for the SMTP session.  It seems reasonable to assume that security of the destination email server is the customer's problem, though some organisations (typically the ones who are quite happy to transmit the same data in the clear on an analogue telephone call) eschew email because they feel responsible for that too.

To ride the Windcheetah, first, you must embrace the cantilever...

vorsprung

  • Opposites Attract
    • Audaxing
Re: Booking flight on http website
« Reply #9 on: October 18, 2018, 02:52:09 pm »
How can sending a customer's own details back to them be a breach of GDPR?

Transmitting unencrypted email over the public email system introduces a risk that the email will be snooped or intercepted

If the website isn't PCI compliant then I'd be dubious about the rest of their operations.  If they can't even do this then what else are they not doing?
Audaxing Blog follow @vorsprungbike on

Re: Booking flight on http website
« Reply #10 on: October 18, 2018, 03:20:07 pm »
The trouble with email and TLS is that is is opportunistic, rather than mandated.

And a good number of mail servers won't even check the validity of a certificate during a TLS handshake.

With personal data and email, it's best not to. Or at least, if you have, use 7-zip to create a password protected (encrypted) zip file and share the password with the recipient using other means. Or take a look at using PGP encryption ....
A Few Apples Short of a Strudel

Kim

  • 2nd in the world
Re: Booking flight on http website
« Reply #11 on: October 18, 2018, 04:28:34 pm »
Yes, end-to-end encryption with PGP is the solution, but Microsoft[1] has zero enthusiasm for it, so it never really caught on.  It's a bit more useful for signing messages, as the signature can safely be ignored until such a time as you need to prove authenticity:

Ob-xkcd:



[1] Other Evil Empires are available, but they'd generally rather you used their products instead of email.
To ride the Windcheetah, first, you must embrace the cantilever...

Woofage

  • Ain't no hooves on my bike.
Re: Booking flight on http website
« Reply #12 on: October 18, 2018, 04:38:27 pm »
How can sending a customer's own details back to them be a breach of GDPR?

Transmitting unencrypted email over the public email system introduces a risk that the email will be snooped or intercepted

That's my point. You can fill in a web form a feel all safe & sound but then all the info (except CC details) is fired back in an unsecure e-mail. This is still standard practice for e-commerce as it's what customers expect.

If the website isn't PCI compliant then I'd be dubious about the rest of their operations.  If they can't even do this then what else are they not doing?

I doubt they're taking CC details on http but the whole of the site should really be on https, if only to provide the standard false sense of security.
Pen Pusher

ian

  • fatuously disingenuous
    • The Suburban Survival Guide
Re: Booking flight on http website
« Reply #13 on: October 18, 2018, 07:14:30 pm »
I have zero enthusiasm for encrypted email too (unless it's seamlessly embedded). It's just one more thing to go wrong and annoy me. Honestly, if you want a bazillion address details, you don't need to snoop emails, just pay a spotty Russian to hack something or buy them on a zip drive from a bored, underpaid offshore 'customer care' centre.

I also want confirmation emails, and I don't care if they have my details in them. Life is too short.
!nataS pihsroW

Re: Booking flight on http website
« Reply #14 on: October 18, 2018, 08:54:36 pm »
Ugh. Really?

If you have a domain, and an internet facing web server, there's no reason not to have a cert installed, and mandate HTTPS.

The apps I'm writing now all mandate SSL. It's really annoying to the sys ops.

Feanor

  • It's mostly downhill from here.
Re: Booking flight on http website
« Reply #15 on: October 18, 2018, 09:16:32 pm »
Ugh. Really?

If you have a domain, and an internet facing web server, there's no reason not to have a cert installed, and mandate HTTPS.

The apps I'm writing now all mandate SSL. It's really annoying to the sys ops.

The main reason is that you have to pay for a Cert that will be accepted by default by most browsers.
I can self-sign certs, but that will not 'just work' with most browsers, since I've not paid the DaneGeld to be one of the Chosen Few root CAs who the OS/browser accepts.

Basically, the OS and Browser are making the trust decisions for most users.
And the trust they give is proportional to the money the root CA is prepared to pay to be on the built-in root CA whitelist.

Yes, I do know about Let's Encrypt.

But at the end of the day, HTTPS requires you to trust the cert offered, and that's not a user choice in 99.999% of cases. The trust is built-in and managed by the OS vendor for most people.
Is my self-signed cert any less trustworthy?
I don't think so, but it's made difficult for end-users to understand that.

Re: Booking flight on http website
« Reply #16 on: October 19, 2018, 12:57:49 am »
Which major browsers don't trust Let's Encrypt?
https://letsencrypt.org/docs/certificate-compatibility/

Quote
Is my self-signed cert any less trustworthy?
I don't think so, but it's made difficult for end-users to understand that.

There's nothing stopping a MITM creating their own self-signed certificate for your domain, making encryption basically pointless.

ElyDave

  • Royal and Ancient Polar Bear Society member 263583
Re: Booking flight on http website
« Reply #17 on: October 19, 2018, 07:28:17 am »
I'm sure as a (realtively) modern man, I should understand that, but I feel a bit like that cartoon of Charlie Brown's mum.

Can someone translate into real English for me?
“Procrastination is the thief of time, collar him.” –Charles Dickens

Re: Booking flight on http website
« Reply #18 on: October 19, 2018, 07:51:54 am »
Man In The Middle?
We are making a New World (Paul Nash, 1918)

Re: Booking flight on http website
« Reply #19 on: October 19, 2018, 08:55:53 am »
HTTPS verifies the identity of the website you’re connecting to using a certificate. The website owner gets that certificate from a certificate authority that verifies in some way that the person requesting it actually owns the website. Every web browser comes with a built-in list of trusted certificate authorities.

If it didn’t do this then any computer between you and the website you want ( a “man in the middle”) could intercept your connection, pretend to be the website you want and you’d have a “secure” connection to the bad guy.

A self-signed certificate is one generated by yourself which says “I swear I’m yacf.co.uk”. Browsers reject them by default because anyone can create a self-signed certificate for any website, which completely undermines the point.

Let’s Encrypt is a  certificate authority that doesn’t charge website owners anything to issue a certificate. It took a while for mainstream browsers to start accepting them but that changes a couple of years back.

Re: Booking flight on http website
« Reply #20 on: October 19, 2018, 09:39:07 am »
A self-signed certificate is one generated by yourself which says “I swear I’m yacf.co.uk”. Browsers reject them by default because anyone can create a self-signed certificate for any website, which completely undermines the point.

Only for use on shopping sites or anywhere else you have random members of the public needing a secure connection to a server.

Asymmetric certificate based encryption where only the server has a certificate does two things as you say:

1)  Provides some level of confidence (pretty good actually) you have connected to who you think you have
2)  Provides encryption keys for the traffic between you and the server

If its not random members of the public connecting then self signed certificates are fine. For example a corporate web site that only members of that company should be using on an Intranet. You just push out trust via active directory profiles or tell everyone to click through and accept the certificate. Then you are only using certificates for 2) above really, you just want encryption of the traffic on the wire.  This is done frequently for things like network appliances (Load balancers, Firewalls etc) that have a web based management interface.
Then there is symetric certificate based encryption and authentication such as WPA2 Enterprise (802.1x) where both the server and the client have certificates and both must recognise and trust each others certificates for the connection to work. This frequently uses self signed certificates and there is no loss of security, the main application is corporate WiFi authentication.
Finally there is lab and testing where you just dont want the cost and pita of real certs you just want to test the software.
I think you'll find it's a bit more complicated than that.

Re: Booking flight on http website
« Reply #21 on: October 19, 2018, 10:36:21 am »
2)  Provides encryption keys for the traffic between you and the server

Rarely happens now. Using the public key from the certificate to help generate a session key is frowned upon. Most sites will use Diffie-Hellman key exchange for perfect forward secrecy once the initial trust is established.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Booking flight on http website
« Reply #22 on: October 19, 2018, 01:00:58 pm »
Ooh PFS I used to use that a lot when I worked on VPN concentrators years ago. I didn't realise it was used in HTTPS these days. Makes sense though. As you can tell my web security days are well behind me know. MACsec now there I am up to date :)
I think you'll find it's a bit more complicated than that.

Phil W

Re: Booking flight on http website
« Reply #23 on: November 01, 2018, 10:54:18 am »
Has your house been repossessed and your identity stolen yet?

As others have pointed out https is easy and free these days so no excuses. It will be a sign of their general approach to security. Their "server" probably sits in an Internet cafe in Russia with all your details free to browse in a text file.  You never did answer what the web URL was so others could take a look.

Re: Booking flight on http website
« Reply #24 on: November 03, 2018, 08:20:23 am »
Thanks for all the replies, I was a bit reluctant to mention the website, sorry, yes it would help a lot with the original question, it's:

China Eastern Airlines (China's second-largest by passenger numbers)
http://uk.ceair.com

I've had a look around and it seems a lot of the most used unencrypted sites originate from China.

I just did a test booking using fake details, the payment page seems to be all http except for some javascript from https://h.online-metrix.net. I blocked https://h.online-metrix.net on my actual booking so I would guess it's some data collecting site and not to do with processing online payments.