Am I experiencing a security breach when I access an HTTPS site and can still view my personal inform
There is a Web site that I can go into (HTTPS) to see some personal share plan. When I finish logging in and I change the URL so it says HTTP://WWW (instead of HTTPS), I can still roam around my own personal Web pages, which show me my own details. When I go to the menu bar to change my password (as I wanted to see if it would transmit passwords in clear text over the Internet), it opened another window. The window stated in the title bar that it was a secure page, but when I right-clicked on it and checked Properties, it wasn't a secure page.
I'm not too sure what the risk is. I can only see my pages (and my session has a token associated with it), but I imagine it could be tidied up. As a comparison, when I go to my secure banking pages, if I change the URL to a non-HTTPS one whilst in the middle of the session, it kicks me out to the initial login window with HTTPS.
Any comments about the risk?
The risk is that confidential information is sent to you in clear text, without encryption, while using HTTP. While the ability to see some of the information through HTTP may not be a great risk, particular information such as Social Security number, address, name, and other identifiers that could be used for identity theft is a greater concern. As to the password change page, there may be a mechanism that encrypts the password in the form when it is sent, but this isn't clear. The use of HTTPS and SSL to encrypt a channel to communicate provides a great deal of protection for your information.
On the surface, your bank requires all information to be communicated this way, hence the kick-out when you try to go to HTTP. The personal share plan has a different view. While it will probably get some strange responses from their customer support staff, if you feel it is compromising your information, contact them. Who knows, maybe it is an oversight, or a configuration error, or at worst, maybe they haven't considered all the security implications involved with their application.
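The behaviour the answer attributes to the bank (a session that only lives over HTTPS, and a plain-HTTP request that throws you back to the secure login page) can be enforced on the server. The following is an added example, not code from the original Q&A or from either site discussed: a minimal WSGI application that issues the session cookie with the Secure and HttpOnly flags, and that treats any session token arriving over clear text as exposed, destroying it and redirecting to the HTTPS login page. The hostname www.example.com, the /login and /account paths, and the in-memory session store are all assumptions made for the demo.

```python
# Added example (not from the original Q&A). Demonstrates HTTPS-only sessions:
# the cookie is marked Secure, and a token that nonetheless shows up over
# plain HTTP is invalidated and the client is sent to the HTTPS login page.
import secrets
from http.cookies import SimpleCookie

HOST = "www.example.com"   # assumed hostname for the demo
LOGIN_PATH = "/login"      # assumed path of the login page
ACCOUNT_PATH = "/account"  # assumed path of a page showing personal details

# Constructed in-memory session store: token -> username. A real deployment
# would use a server-side store with expiry; this is a stand-in for the demo.
SESSIONS = {}


def _session_token(environ):
    """Return the value of the 'session' cookie, or None if absent."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return morsel.value if morsel else None


def _is_https(environ):
    # WSGI exposes the scheme as wsgi.url_scheme. Behind a TLS-terminating
    # proxy you would instead consult X-Forwarded-Proto, and only if you trust
    # that proxy to set it; here we rely on the scheme the server reports.
    return environ.get("wsgi.url_scheme") == "https"


def login(username):
    """Create a session and return the Set-Cookie header value for it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    # Secure: the browser will never send this cookie over http://.
    # HttpOnly: page scripts cannot read it. Path scopes it to the whole site.
    return f"session={token}; Secure; HttpOnly; Path=/"


def app(environ, start_response):
    token = _session_token(environ)
    path = environ.get("PATH_INFO", "/")

    if not _is_https(environ):
        # Anything over clear text is refused. If a token arrived anyway
        # (cookie set without Secure, or a non-browser client), it has been
        # exposed on the wire: destroy it and clear it on the client.
        if token is not None:
            SESSIONS.pop(token, None)
        headers = [("Location", f"https://{HOST}{LOGIN_PATH}"),
                   ("Set-Cookie", "session=; Max-Age=0; Path=/")]
        start_response("302 Found", headers)
        return [b""]

    if path == LOGIN_PATH:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"login page"]

    user = SESSIONS.get(token)
    if user is None:
        start_response("302 Found", [("Location", f"https://{HOST}{LOGIN_PATH}")])
        return [b""]

    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"account page for {user}".encode()]


def make_environ(scheme, path, cookie=None):
    """Build a minimal WSGI environ for a GET request (constructed input)."""
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "REQUEST_METHOD": "GET", "SERVER_NAME": HOST}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    return environ


def call(environ):
    """Run app() on an environ and return its status, headers and body."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    captured["body"] = b"".join(app(environ, start_response))
    return captured


if __name__ == "__main__":
    cookie = login("alice").split(";")[0]          # "session=<token>"
    print(call(make_environ("https", ACCOUNT_PATH, cookie))["status"])  # 200 OK
    print(call(make_environ("http", ACCOUNT_PATH, cookie))["status"])   # 302 Found
    print(call(make_environ("https", ACCOUNT_PATH, cookie))["status"])  # 302 Found: session gone
```

The third request in the demo is the point of the exercise: after the token has travelled over HTTP once, even the HTTPS page no longer accepts it, which is the "kicked out to the login window" behaviour the question describes at the bank. The share-plan site, by contrast, appears to honour the same token on both schemes.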
This was first published in September 2003