Seize the Deal and SSL

Got this question via email and thought the answer would be a good post.

I wanted to buy the seize the deal of the day from seizethedeal.com, but when I was checking the security of the webpage, in all three browsers (Chrome, Explorer, and Firefox), I got the lock symbol with a red strike through it, and the https with a red strike through it on the Chrome browser. — question via email

Answer: The initial “non-SSL” warning applies only to the login form. The login is actually secure as long as the form submits to a secure (HTTPS) page; with form submission over SSL, what counts is where the data is sent, not the page that displays the form. You may also get warnings about individual elements of a page (images, etc.) that are non-SSL, especially if they are pulled in from outside domains.

However, what really matters is whether the credit card (CC) information is submitted over SSL. That is the only part you truly have to worry about for financial security.
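To check the two things the answer above turns on (where each form actually submits, and which page elements load over plain HTTP), here is an added example that is not part of the original post. The sample markup and the example.com / example.net hostnames are constructed placeholders, not the site in the question.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class PageAudit(HTMLParser):
    """Collect form targets and plain-HTTP subresources, resolved against the page URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.http_subresources = []
        self._form = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._form = {"action": target, "has_password": False,
                          "encrypted_submit": urlparse(target).scheme == "https"}
            self.forms.append(self._form)
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["has_password"] = True
        elif a.get(SUBRESOURCE_ATTRS.get(tag, "")):
            url = urljoin(self.page_url, a[SUBRESOURCE_ATTRS[tag]])
            if urlparse(url).scheme == "http":
                self.http_subresources.append(url)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    return {"page_https": urlparse(page_url).scheme == "https", "forms": parser.forms,
            "http_subresources": parser.http_subresources}

# Constructed sample markup; the example.com / example.net hosts are placeholders.
SAMPLE = """
<img src="http://cdn.example.net/banner.png">
<form action="https://shop.example.com/session"><input type="password" name="pw"></form>
<form action="/newsletter"><input type="text" name="email"></form>
"""

if __name__ == "__main__":
    print(audit("http://shop.example.com/login", SAMPLE))
```

A form with a relative action inherits the scheme of the page it sits on, so the same markup reports an unencrypted submission when served over HTTP and an encrypted one when served over HTTPS.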

That said, if you sign into your account over a non-SSL connection while on an unsecured wifi network or a wired network (like at work), then someone sniffing the traffic can snag your information.

That was the issue with the Firesheep extension for Firefox. The truth is that tools have been available since the beginning of networks to sniff and analyze traffic. It was not any sort of “hacking” at all, contrary to the moronic news coverage. Firesheep just made it easier to analyze packets.

If you are on a WPA-encrypted wifi connection, then Firesheep doesn’t work without some extensive man-in-the-middle attacks, which the casual Firesheep user will have no knowledge of. If your session is SSL (such as Gmail’s login), then Firesheep doesn’t work.