balloonshark
Lets Go Mountaineers

join:2006-08-11
WV

Would you use Paypal if you didn't see the EV certificate?

I have seen this issue on two sites while shopping online. When I go to checkout and click "Checkout with Paypal" the green padlock will show in Firefox for a brief moment and then I get the gray globe.

I know very little about certificates but when I click on the gray globe - more information - media I see an image that is not https. If I then click that image link in the box and click block images from that site and reload the page I can now see the green padlock.

If you want to give this a try yourself go to homedepot.com, add something to your cart, click checkout now and then click check out with paypal. When you look at the certificate you will see the non-https image link. If you click that link and then below click block images from homedepot.com and then reload the page you will see the normal green padlock.

My questions are: can you see this with other browsers or is it a Firefox-only issue? I did give IE a brief go and I got a pop-up asking me if I only wanted to view the webpage content that was delivered securely. Is this a major issue? Would you enter your PayPal information without seeing the EV certificate or a padlock?

Edit: Here is a link to what the green padlock, gray padlock and gray globe mean in Firefox. »support.mozilla.org/en-US/kb/how···s-secure

Also, please keep this topic here as it seems to be non-browser specific.
--
If we quit voting, will they all just go away?



Phoenix22
Death From Above
Premium
join:2001-12-11
SOG C&C Nrth

I use an extra layer w/ Rapport and pp's niche card.......which you can order from pp via your pp account.......under security.........voila..........had it 4 3yrs now..zero issues



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to balloonshark

What you're seeing is a mix of http/https content on a single web page, AKA "mixed content".
Here's a Mozilla resource that explains it.
»developer.mozilla.org/en-US/docs···dContent
& a Microsoft page with an interactive demo on the potential downside of mixed content.
»ie.microsoft.com/testdrive/Brows···html?o=1

Re: "Would you use Paypal if you didn't see the EV certificate?"
No, but in your examples a non-SSL PayPal page is never encountered. A "mixed content" Homedepot.com page with a link to PayPal is on homedepot's domain, not PayPal's.



balloonshark
Lets Go Mountaineers

join:2006-08-11
WV

1 recommendation

Thanks for the links. If I wouldn't have stumbled onto the non-http pic at these sites and blocked it I wouldn't have bought from them. I'm afraid I still wouldn't know how to identify a mixed script page that seems to be the major threat.

I still think I'm seeing a mixed content PayPal page. I may have misspoken in my instructions. Once you place an item in your cart you should get a pop-up. On this pop-up click "Check out now" in that pop-up. It should take you to your shopping cart where you need to click "Check out now with paypal". This is what I see.




Is that not a mixed content PayPal page? It is the actual Home Depot image in the upper left corner that is not https. I have to block images from homedepot.com in order for the page to be secure. It's a pain to do this because when you're finished entering your PayPal info it sends you back to a homedepot site without images.

Phoenix22, Thanks, I'll check out your suggestions.
--
If we quit voting, will they all just go away?
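
As an added example (not part of any post in this thread), here is a small Python checker for the situation discussed above: it lists the `http://` subresources an HTTPS page references and labels each as passive (images, media) or active (scripts, frames, stylesheets). The URLs and HTML are constructed samples on `example.test`, and the passive/active grouping is the usual browser convention, assumed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active loads can rewrite the page; passive loads only change what is shown.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            kind, ref = "active", attrs.get("href")
        elif tag in ACTIVE:
            kind, ref = "active", attrs.get(ACTIVE[tag])
        elif tag in PASSIVE:
            kind, ref = "passive", attrs.get(PASSIVE[tag])
        else:
            return  # plain <a href> links are navigation, not mixed content
        # Relative and //host URLs inherit the page's scheme, so resolve first.
        absolute = urljoin(self.page_url, ref or "")
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, html):
    """Return insecure subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a checkout page that pulls a store logo over plain http.
SAMPLE_URL = "https://checkout.example.test/pay"
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/pay.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://stats.example.test/t.js"></script>
<img src="http://store.example.test/logo.png" alt="store logo">
<img src="https://checkout.example.test/lock.png">
<a href="http://store.example.test/">back to store</a>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```
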

Curiosity

join:2001-10-01
Dawson Creek, BC
reply to balloonshark

If you briefly see a padlock, then a globe image, do not trust that site to make a purchase, because it means that some things on the page are not encrypted. If you click on the identity button (the globe), you will see a warning message.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to balloonshark

said by balloonshark:

Is that not a mixed content PayPal page? It is the actual Home Depot image in the upper left corner that is not https. I have to block images from homedepot.com in order for the page to be secure. It's a pain to do this because when you're finished entering your PayPal info it sends you back to a homedepot site without images.

Yes, that's a mixed content PayPal landing page.
Microsoft has addressed the issue with Internet Explorer 9 or later displaying only the secure content by default.
Mozilla has the same function under current development.

Using IE9+ is the fast workaround while Mozilla gets it together.


balloonshark
Lets Go Mountaineers

join:2006-08-11
WV

Thanks Snowy. It's good to hear that Firefox is working on a solution. It is a shame though that the web sites don't fix their own issues.
--
If we quit voting, will they all just go away?



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

said by balloonshark:

It is a shame though that the web sites don't fix their own issues.

The *issue* is the issue.
Someone coming from a knitting site sees mixed content as a useful feature while someone coming from a security site sees mixed content as a potential security hole while sites that code mixed content see it as a necessary/legit/evil sales tool.
It is good to see the browsers addressing the issue though.

Thanks for bringing up a security issue that's often overlooked due to being so commonplace.