G+_Rud Dog, posted January 19, 2017

Security being what it is, along with the clever approach hackers take to gain access to your wallet, I thought I would share something I ran into while surfing the web. Ordered product from a website some years ago; recently contact was made on their behalf via my email. They offered a discount and I thought, why not. During our email conversations I went to log on to the website but was surprised it did not show up in my password manager's database. This was something I thought to be odd, so I copied the web address from the email and pasted it into Notepad. Now, from listening to Steve Gibson's talks about http versus https, the web address used http://www.thename.com but when it was reviewed in Notepad it was http://thename.com. Am I overthinking this one, or am I looking at a security risk using this site under http? Also, why are they masking the URL with WWW.thename.com? Appreciate any input you all might provide.

PS: Those are fake addresses for use in my post as examples. I did not know they would link to anything, so don't bother following the links.

G+_Travis Hershberger, posted January 19, 2017

Well, "thename.com" would be the domain name. In other words, the important bit. You can have all kinds of subdomains under "thename.com". "www.thename.com" just happens to be the one that web browsers will go to if they can't find a valid page. Other common ones are ftp, mail, secure. They can be anything really. So look at the domain, and make sure a traceroute takes the same route in between you and the domain/subdomain if you're suspicious.

G+_Rud Dog (author), posted January 19, 2017

Thank you Travis. Isn't https the new improved security address header over http? Thought browsers were supposed to hiccup and cough when they tried to go http after a certain date. Going on my weak memory, so I apologize if it is a watered-down explanation based on watching SG's show covering this subject. The good news is the main topic stuck with me, and that is a credit to SG's outstanding delivery on topics. Sorry about the extra mustard, just felt like typing this morning.

G+_David Peach, posted January 19, 2017

Legitimate sites can still be http, but if it is something that is asking you to log in, it really should be https. Though it is possible to have a secure login with http, it is not the preferred way. As a side note, I saw a new one the other day. It was a domain like http://security.microsoft.com-criminal.info. So everything before the .com-criminal.info is a subdomain as Travis Hershberger explained. But a quick glance at it seemed like it was taking you to security.microsoft.com.
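
The domain-versus-subdomain point discussed in this thread can be checked mechanically. The following is an added example, not part of any post: it pulls the registrable domain out of a URL and flags plain http and lookalike hosts. `SAMPLE_SUFFIXES` and the `trusted` list are constructed assumptions; a real check would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
SAMPLE_SUFFIXES = {"com", "info", "net", "org", "co.uk"}


def registrable_domain(host, suffixes=SAMPLE_SUFFIXES):
    """Return the longest known public suffix plus one label to its left."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning from the left finds the longest matching suffix first.
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def assess_url(url, trusted=("microsoft.com",)):
    """Report the real domain behind a URL and anything worth a second look.

    `trusted` is a hypothetical list of domains the user expects to deal with.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the host for us
    reg = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    for brand in trusted:
        # The trusted name appears in the host, but the domain is someone else's.
        if brand in host and reg != brand:
            findings.append("lookalike:" + brand)
    return {"host": host, "registrable_domain": reg, "findings": findings}


if __name__ == "__main__":
    # Sample URLs taken from the posts in this thread.
    for url in ("http://www.thename.com",
                "http://thename.com",
                "http://security.microsoft.com-criminal.info",
                "https://security.microsoft.com/"):
        print(url, "->", assess_url(url))
```
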

G+_Travis Hershberger, posted January 19, 2017

Rud Dog IMO: Everything should be https now. If you're at a site and being asked to log in without it, run away and never look back! With LetsEncrypt up and running, no website has an excuse to not use it. Even my personal site that doesn't have anything but a landing page on it yet has an always redirect rule (www.travisdh1.net if you like looking at the default CentOS landing page :P )

G+_Travis Hershberger, posted January 19, 2017

Now that I look, my personal site is down... guess I know what I'll be doing with my evening.