Thu, 29 Nov 2012
Secure Login at Alza.CZ
Here is how the "secure" login works at alza.cz, one of the biggest e-shops in the Czech Republic:
In the login form, user can click to the link named "SSL", which leads to the SSL-encrypted page with an alternative login form. The problem is, that this page apparently sends the login form data unencrypted, so the usage of SSL to display the login form is completely pointless.
3 replies for this story:
I agree, their login form is weird. I checked it with firebug and fortunately the credentials are not sent over in plaintext - it's still HTTPS. It seems that something in the way they are sending them confuses the browser - they are not using a standard HTML form, they are sending the credentials using XHR request. The login doesn't even work with JS turned off.
Ty máš co kritizovat...spíš si oprav CSS. http://imgur.com/PBm7C
Yenya wrote: Re: toto
Well, the "official" URL of my blog does not start with https, so it is not my problem that it contains http-only images or whatever when accessed over https. Also, there are no private data sent over the net during communication with my blog (as opposed to Alza.cz).