WojtylaKarol wrote:
Hi, just wanted to raise the attention of devs to a security issue with their havenandhearth.com webpage.
If the user types havenandhearth.com into the search bar, by default he will be directed to the unencrypted "http://havenandhearth.com". It wouldn't have been an issue if it was just for content viewing purposes, but the log-in functionality will also allow the user to log in via the HTTP protocol. That could lead to users' accounts being stolen in case somebody along the way captures the data in traffic. The HTTPS version of the website is already set up, and as a best practice it would be useful to set up a server-side redirect that sends all browser traffic coming to HTTP to HTTPS instead.
Sadly, this is inevitable considering modern-day browser design. When you visit https://havenandhearth.com, you get to see this:
It suggests that by using HTTPS, their passwords and credit card numbers will be stolen. There is no option to continue, only a 'back to safety' option implying the HTTPS connection is the opposite of safety. Should the user be brave enough to click Advanced in an attempt to proceed regardless, the browser further tries to persuade the user to use the unprotected HTTP connection instead:
Again, you are being attacked, and continuing would be unsafe. Even if you continue, the address bar will contain a red 'unlocked lock' icon indicating the connection is dangerous and unsafe.
In contrast, going to the HTTP version of the same site will just display the site immediately without any warnings or issues, and you only see the black text 'Not Secure' next to the address bar (which is very different from the more alarming 'unsafe', suggesting you are merely unprotected rather than suggesting you are being attacked). To reassure the user they are safe and not under attack, they must be redirected to the insecure version of the page, which is vulnerable to such attacks.
Web browsers in 2021.
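As an added example (not code from the thread or from the game's site), a small Python check for the condition the first post describes: does a plain http:// request to the site redirect to https://, or does it serve the password form in cleartext? The responses it inspects are constructed and the form path is a placeholder; as the reply above points out, such a redirect only helps users once the https:// side loads without a browser warning.

```python
import re
from typing import Dict, List

# Added example (not code from the thread): audit one response fetched over
# plain http:// for the issue in the first post, a login form served over
# cleartext instead of a redirect to https://. Samples below are constructed.
PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']password["\']', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action=["\']([^"\']*)["\']', re.I)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def audit_http_response(url: str, status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Return findings; an empty list means the http:// request was redirected
    to https:// on the same host, which is the server-side fix the post asks for."""
    findings: List[str] = []
    if not url.lower().startswith("http://"):
        return ["audit only applies to responses fetched over http://"]
    host = url.split("/")[2].lower()
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES:
        location = hdrs.get("location", "")
        # A redirect only counts as a fix if it lands on https:// for this host.
        if not location.lower().startswith(f"https://{host}"):
            findings.append(f"redirect does not go to https://{host}: {location!r}")
        return findings
    findings.append("no redirect to https (plain http page served)")
    if PASSWORD_FIELD.search(body):
        findings.append("password field served over cleartext http")
        for action in FORM_ACTION.findall(body):
            # Relative or http:// actions submit the credentials in cleartext.
            if not action.lower().startswith("https://"):
                findings.append(f"login form posts over cleartext: action={action!r}")
    return findings


# Constructed samples: the behaviour described in the thread, then the fix.
BAD_RESPONSE = ("http://havenandhearth.com/", 200, {"Content-Type": "text/html"},
                '<form action="/login" method="post"><input name="user">'
                '<input type="password" name="pass"></form>')
GOOD_RESPONSE = ("http://havenandhearth.com/", 301,
                 {"Location": "https://havenandhearth.com/"}, "")

if __name__ == "__main__":
    for name, sample in (("before", BAD_RESPONSE), ("after", GOOD_RESPONSE)):
        print(name, audit_http_response(*sample) or ["ok"])
```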