Solved A question re. http and https

[FranzB]

I have a long running feud with my internet provider. They have a site where i can log in to view my personal data (email, bills, etc.) and my user name and password has to be given. This is an http site! However, when you do log in on this http site you are transferred to an https site. ???????????
My point is that the transfer of my user name and password is not secure since it is done via an http connection. They deny and claim everything is secure.
The funny (but not haha) part of it is that they also have an https site where you can log in (found when googling but way down in the listings given by Google).

I am confused. Totally.
They even told me once i had a redirecting virus. Nonsense, of course, because google gives the https as well as the http site for logging in.
Any information to clear up my confusion? Am i nuts or are they?

 

[tom982]

Hello FranzB

Don't worry, they are the incompetent ones. You're perfectly right about the dangers of using http over https. Have you seen this addon before? If forces https to be used wherever possible

https://www.eff.org/https-everywhere

Tom

 

[FranzB]

Hello FranzB

Don't worry, they are the incompetent ones. You're perfectly right about the dangers of using http over https. Have you seen this addon before? If forces https to be used wherever possible

https://www.eff.org/https-everywhere

Tom

Thanks, Tom, for the link.
What especially gets me is that you can login to your account on an http webpage but that the page you get then and where you can click on several options (e.g. the bills) is an https. It's simply weird. And then the help desk telling me that i have a redirect virus. It took me hours checking with all kinds of programs. And it's not just any provider (the old Postal Services). After three months and three emails they called me by phone today and asked whether the problem was solved. They don't even check themselves. Idiots.

 

[seavixen32]

Purely out of interest, which ISP do you use?

It might pay you to shop around and consider switching.

I did recently and got a better telephone,TV and broadband bundle AND a £20 ($35) a month saving.

 

[FranzB]

@ seavixen32

Well, i don't know whether i should give the name here -- they might take legal action for "false accusations" should they see it. But it is not any GB or US provider. And i am on an old "grandfather" clause whereby they don't check my traffic (in MB). So no bundle to pay for and the speed is ok. They tried, however, to have me change my subscription which i declined, smiling.

 

[logicearth]

Since I cannot see the page in question. Is the form where you are putting the details of your user account, does the URI in the "action" attribute use HTTPS or HTTP as the scheme. If the "action" attribute has an HTTPS scheme then the values of your username and password are sent over a secure line, even if the page is served as HTTP. As long as the form's "action" attribute is HTTPS.

 

[FranzB]

Since I cannot see the page in question. Is the form where you are putting the details of your user account, does the URI in the "action" attribute use HTTPS or HTTP as the scheme. If the "action" attribute has an HTTPS scheme then the values of your username and password are sent over a secure line, even if the page is served as HTTP. As long as the form's "action" attribute is HTTPS.

Hmmm......... how do i find out? The page on which i fill in my username and password is shown in the address bar as http or www. What happens when i ckick on the "login" button i don't know. How do you find out? Take the sevenforums.com page as an example. Is it a secure login when i have given my username and password? Even when i am logged in (as now when i am writing this posting) it still shows www.sevenforums etc. in the address bar, i.e. no sign of https.

 

[FranzB]

And another thing. Even if it is like you suggest, then why have an http as well as an https page where you can login?
Doesn't make sense. Why not simply remove the http page from the net?