Need Immediate Answers? Check out our SUPPORT CENTER or CONTACT OUR SUPPORT TEAM

Security of logging into Zenfolio

I am concerned about the basic security of the Zenfolio site. If I go to HTTP://www.zenfolio.com, I can enter my login details, but as far as I can see, the data is not sent via a secure connection. HTTP is not secure.
Support tell me that the data is sent over a secure SSL link, but there is nothing to indicate that it is. Some of their pages are secure HTTPS, but as far as I can see, not the main login page.
Has anyone already looked at this?

Comments

  • FlashflamingoFlashflamingo Member Posts: 4
    Thanks Andreas,
    I have been seriously thinking of using Zenfolio, it looks an ideal site for what I want, so I have been testing the security of the site/certificates.
    The purchase process seems to be perfectly secure. You can log in securely at the link you show, which is very good, but then on their main page you can also log in via HTTP, which is not secure. So you say....don't use this link, but that's not the issue. The issue is that Zenfolio appear to have a login page which is not secure. This is a very very fundamental failing and if I was a potential customer to buy an image, I would be very concerned by a site with has an apparant fundamental security failure on it's main page? No Company has a problem with Security until something goes wrong, then it tends to be very catastrophic for some people.
  • andreasweberandreasweber Stuttgart, GermanyMember Posts: 1,001
    Did you take a look at the code for the frame that appears on the main Zenfolio page when you click the login link?
  • FlashflamingoFlashflamingo Member Posts: 4
    Hi Andreas,
    Yes, I see the action, but it's on an insecure page. Until you run that script, nothing is secure on that page, not even the script itself!
    The secure log-in script could be replaced fairly easily and the user re-directed to another place.
    When you look on the web at 'using secure log-in scripting on an HTTP site', the debate opens to the wider one of what really is secure?

    http://ask.metafilter.com/139559/Are-login-boxes-on-http-pages-secure

    I think there is a definite vulnerability which would be removed by using a HTTPS front page, but there must be a reason why they choose to use this method.


    There is also the user perception of security. A log-in on HTTP is unconventional I would never use it for any financial transactions. I wouldn't even bother to look at the source code. I would assume the site is not safe.
  • andreasweberandreasweber Stuttgart, GermanyMember Posts: 1,001
    Your question was whether your data was sent over a secure connection - which it is. If you want to avoid the risk of a man-in-the-middle attack on the main page, go to the secure page. These kind of login boxes on the front page are very common today for anything but actual shopping pages (I guess the majority of users still values convenience higher than security ...)
  • FlashflamingoFlashflamingo Member Posts: 4
    Hi Andreas,

    Yes, as long as no one has replaced the script, my log in credentials are secure, but how are any of my potential customers to know, without looking at the page source every time.
    If some one did replace the script they could get the account details of anyone who logged in? The risk is small, but the potential outcome is always scary. I have also noticed different web browsers behave quite differently.
    I suppose I just have to weigh up the real risk for potential customers. Apart from this problem, I think the site is great and I want to use it.



  • ZeasideZeaside Member Posts: 8
    Zenfolio is utterly insecure, as far as the protection of your content goes. They even go as far as to rewrite specific calls to https:/secure.zenfolio.com to http://www.zenfolio.com! Zenfolio does not provide SSL/HTTPS over their backend. So don´t post any really valuable images on Zenfolio. Zenfolio does not elaborate as to why they do not, finally, integrate a fully secure backend. Also, Andreas, the age-old fairy tale according to which https is omehow inconvient is completely outdated. HTTPS could have been deployed ever since the 90´s - but in the beginning was never used, due to slow content delivery. This has not been the case any more, ever since around 5 years ago. There is simply no excuse whatsoever to actively leave paying customers prone to account hijacking etc, simply because Zenfolio would like to cash in big - thus not investing in server power that would cater for a default SSL/HTTPS backend. Zenfolio is highly insecure!
  • andreasweberandreasweber Stuttgart, GermanyMember Posts: 1,001
    Zeaside said:

    Also, Andreas, the age-old fairy tale according to which https is omehow inconvient is completely outdated.

    You might want to read what I wrote before ascribing a statement to me I never made ...

    I completely agree that security with Zen leaves a lot to be desired.
  • Kevin KrowsKevin Krows United StatesMember Posts: 1,463
    Andreasweber - Move on. Some people don't take good advice and don't want to do the work. Don't waste any more of your valuable time on this one.
  • Gordon BatesGordon Bates Member Posts: 2
    Thank goodness they finally adopted HTTPS. I used to gripe o them about this all the time, until on of their 'customer service' representatives told me that I am free to use one of their many competitors, if I dont like how they are running their show. I was poking around with my hacking computer one time, and I managed to pull a man in the middle, steal my own login cookie, change prices, and alter the content of my website, without actually entering my login or password to log in. That's not good. Sounds like a pretty effective way to troll someone's website who you dont like or whatever. And of course they arent liable for it- they have the get out of jail free card, called Terms of Service (which nobody actually reads and they know that).

    I have since tried MITM with their new HTTPS connection, and no such luck. So at least there is that.
Sign In or Register to comment.