IGINDEX - It seems that HTTPS login now defaults to non secure http, from today

peakoil

Well-known member
257 38
Every day until today I was able to login to igindex on https://www.igindex.co.uk
As many of you know, https is standard secure protocol for web communications of passwords etc.

In other words, I was able to login on a secure protected connection, from my computer to their network at all times and at all points during the path of communication between enduser and them.

Today when I enter the weblink https://www.igindex.co.uk it now defaults, before I even have a chance to enter my login details, to:

http://www.igindex.co.uk

That is, logging in to IgIndex appears to be now permissible only on the normal insecure port 80 normal web protocol and so anyone who is very competent in computer security may be able to capture login details from a customer's computer to Index's. This is most unacceptable. Ig Index must at once restore the https protocol for logging in so that there is zero risk that login data may be captured by anyone wanting to do so with the wrong morals and right competence. I've already called them up and, as usual, I spoke with someone who said that as far as he was aware 'nothing has changed'. He says logins become protected only *after* logging in. :rolleyes: :( Only allowing logins to be on the http protocol is ridiculous, and invites disaster, and Ig Index must again allow people to login from https as soon as possible!
 

Hoggums

Senior member
2,176 877
You are mistaken. The front page is displayed by http but your login details are sent via https when you click the login button.

There is no security issue here. Doesn't matter whether the details you enter are on a http or https page, it's how they are sent that is important.
 

peakoil

Well-known member
257 38
Ok please understand that it was only because (1) the page https://www.igindex.co.uk defaulted now to http and (2) that their customer support on the phone said that the details were protected after login that I had such doubt. I have since tested this on the network activity tab of my firewall and it does appear that part of the page (we can only assume the login details!!!) is transmitted by https. However, there is no guarantee that this is the case when the whole page is not in https. And it is that which still needs to be corrected so that we have all reassurance that all our data is securely being sent.
 

Hoggums

Senior member
2,176 877
Ok please understand that it was only because (1) the page https://www.igindex.co.uk defaulted now to http and (2) that their customer support on the phone said that the details were protected after login that I had such doubt. I have since tested this on the network activity tab of my firewall and it does appear that part of the page (we can only assume the login details!!!) is transmitted by https. However, there is no guarantee that this is the case when the whole page is not in https. And it is that which still needs to be corrected so that we have all reassurance that all our data is securely being sent.
As I said - it doesn't matter that http://www.igindex.co.uk is not secure - that's irrelevant. You can enter what you like on that page, none of it gets transmitted to IG until you hit the submit button and what's transmitted when you DO hit the button is secure using https.

Do you understand? Forget what's on http://www.igindex.co.uk there's nothing transmitted on that page that contains any of your personal details so there's no need for it to be secure.
 

6am

Active member
154 11
I have since tested this on the network activity tab of my firewall and it does appear that part of the page (we can only assume the login details!!!) is transmitted by https. However, there is no guarantee that this is the case when the whole page is not in https. And it is that which still needs to be corrected so that we have all reassurance that all our data is securely being sent.
No need to assume when you know. Install Firefox, install plugin called Tamper Data, go to igindex website, open Tamper Data plugin, login into your account. Then check logs in the tamper data window. You should notice that login was performed via https protocol. You can check that this is a login request by checking parameters of POST request. They should contain your account_id and password in clear text.
 

donaldduke

Experienced member
1,665 256
Just right click and view source, the login form uses https

<form action="https://www.igindex.co.uk/spread-betting/re_javascript_inactive.html" method="post" id="login" name="login" autocomplete="off">
 

peakoil

Well-known member
257 38
"Do you understand? Forget what's on http://www.igindex.co.uk there's nothing transmitted on that page that contains any of your personal details so there's no need for it to be secure."

A most patronising response indeed. You are welcome to think it's stupid to question whether a page with a http address is secure or not. And when I enter my username and password details on www.igindex.co.uk, I MOST certainly do want to be sure that those details are transmitted securely so no, I do not accept your saying "there's nothing transmitted on that page that contains any of your personal details" when my password and username when entered on that page are most certainly precious to me. On the other hand a sincere thank you to both 6am & donaldduke for answers which were far more useful than patronising.
 

Black Swan

0 0
why not have a chat with the guys and gals at IG ? The tech people are a double friendly and helpful bunch iirc..
 

Black Swan

0 0
Do you not think that IG have thought this through?
 

Apothecary

Junior member
20 1
I think Hoggums is right, there is no issue here.

I also take security seriously and I do know what I'm talking about.

Sure, the home page is http but when you login your login data is sent via https, then everything after that is also https, until you log out. I looked at a packet trace, yes, I'm bored at work not trading :(

The only exception to this is a GET request to clicktrace.net (analytics provider) that sends a unique ID used for web visitor tracking which is something you find on almost every website these days.

Besides, unless you are working from a wireless network with weak or no encryption or some other public network, there's not much to worry about. It's more likely that their servers will be hacked via some other means (not that I'm saying this will happen, I'm sure they're on the ball when it comes to security) than your login details be lifted during transmission.

Just think what happened to SONY recently, https or not, it didn't make one bit of difference in the end.
 

6am

Active member
154 11
Sure, the home page is http but when you login your login data is sent via https, then everything after that is also https, until you log out. I looked at a packet trace, yes, I'm bored at work not trading :(
The link provided by peakoil mentions the following scenario.

Somebody in the middle between your computer and igindex servers modifies igindex page on the fly. Remember this page is not secure therefore it is possible for anybody in the middle to modify it. One possibility is to inject javascript which will collect your login credentials as you type and send it somewhere else even before you click "Login".

Here is an example http://www.ex-parrot.com/pete/upside-down-ternet.html
 

Apothecary

Junior member
20 1
The link provided by peakoil mentions the following scenario.

Somebody in the middle between your computer and igindex servers modifies igindex page on the fly. Remember this page is not secure therefore it is possible for anybody in the middle to modify it. One possibility is to inject javascript which will collect your login credentials as you type and send it somewhere else even before you click "Login".

Here is an example http://www.ex-parrot.com/pete/upside-down-ternet.html
Like I said...unless you are working from a wireless network with weak or no encryption or some other public network...

In the example you provide, those victims were using a wireless network that wasn't even theirs, their data was compromised before it even reached the internet.

If someone couldn't secure their own network / internet access, I don't think they would be in a position to complain about IG Index's public landing page being https or not.

Anyway, if you could achieve the given example on the internet as a whole (seriously, have you any idea what would be involved?) you might as well just re-direct the user to a completely fake ig index site or something, but now we are talking about Hollywood scenarios rather than real-world ones.
 
