Learn, share, and get recognized

Learn more about the Apple Support Community >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: biowizard
biowizard Author
User level: Level 1
12 points

Logging Onto Apple Support Communities NOT SECURE?

Hi Guys,


I've just noticed, that while I was trying to log onto Apple Support Communities, the screen which asked for my Apple ID was being reported at "Not Secure" by my browser (Opera 32.0, on Windows 7/64).


Prior to logging on - and now that I am logged on - I get the "Apple Inc,[US]" confirmation on the URL screen, showing everything is encrypted.


But it seems to me to be a massive security issue that I had to expose my Apple ID in order to get here.


Please can someone either explain why this login is unencrypted - or reassure me it is secured in some other way.


Thanks.


Brian

Posted on Oct 6, 2015 2:46 AM

Reply
26 replies
User profile for user: ChitlinsCC
ChitlinsCC
User level: Level 7
20,924 points

Oct 6, 2015 11:20 AM in response to biowizard

*I have NO experience with Opera browser


I use Firefox (late model version TenFourFox 38.2.0 for my PPC Mac) - I have never seen what you describe.

User uploaded file

User uploaded file


My guess is that there was some "moment" in the process during THAT particular visit that Opera & Apple had some 'miscommunication'.


If this cannot be repeated, that is good evidence that it was a momentary anomaly.

Reply
User profile for user: turingtest2
turingtest2
User level: Level 10
272,881 points

Oct 6, 2015 11:43 AM in response to biowizard

Google Chrome suggests it is more a case of could do better, rather than not secure.


User uploaded file


I'm not sure what the 'other resources which are not secure' could be, but it may revolve around the way the 'global footer' is coded on the login page. Elsewhere these are simple links to http destinations but on the sign-in page there is some additional javascript function called by the links when they are clicked on. As far as I can tell there are no images, scripts or css resources that aren't fetched securely.


I shall bring this to the attention of the moderators.


tt2

Reply
User profile for user: turingtest2
turingtest2
User level: Level 10
272,881 points

Oct 6, 2015 1:15 PM in response to ChitlinsCC

See also https://www.ssllabs.com/ssltest/analyze.html?d=idmsa.apple.com&hideResults=on

vs. https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fdiscussions.apple.c om%2F&hideResults=on


Both get sites an A- for security, but there are more issues with the sign-in page. I don't think there is anything to worry about as such, except for those whose job is to keep everything as tight as possible who probably need to tweak a few settings.


tt2

Reply
User profile for user: BobTheFisherman
BobTheFisherman
User level: Level 9
79,387 points

Oct 6, 2015 1:49 PM in response to biowizard

biowizard wrote:


So it looks like a potential leak to me - OF OUR APPLE IDs ...


Anyone from Apple care to comment?


Brian

Apple isn't here. It does not look "like a potential leak to me - OF OUT APPLE IDs..." There may be links/images on the secure login page that are not located on a secure page but that does not mean the login is insecure.

Reply
User profile for user: ChitlinsCC
ChitlinsCC
User level: Level 7
20,924 points

Oct 6, 2015 2:10 PM in response to turingtest2

turingtest2 wrote:


See also https://www.ssllabs.com/ssltest/analyze.html?d=idmsa.apple.com&hideResults=on

vs. https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fdiscussions.apple.c om%2F&hideResults=on


Both get sites an A- for security, but there are more issues with the sign-in page. I don't think there is anything to worry about as such, except for those whose job is to keep everything as tight as possible who probably need to tweak a few settings.


tt2

Agree. You have started the snowball down the hill... I am sure it will get bigger. 🙂

Reply
User profile for user: turingtest2
turingtest2
User level: Level 10
272,881 points

Oct 16, 2015 7:12 AM in response to turingtest2

For what it is worth the "insecure elements" turn out to be these two images:


http://images.apple.com/global/elements/breadory/breadcrumb_bg.png = User uploaded file

and http://images.apple.com/global/elements/breadory/breadcrumb_sep.png =

User uploaded file


These images are in turn pulled in by https://ssl.apple.com/global/styles/base.css


It ought to be a trivial matter to move those two images to a secure server, or make images.apple.com secure and use secure references to them, nevertheless it is hard to see how modifying either of the images on their host server could pose a risk.


tt2

Reply

Logging Onto Apple Support Communities NOT SECURE?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up