IGINDEX - It seems that HTTPS login now defaults to non secure http, from today

peakoil

Every day until today I was able to login to igindex on https://www.igindex.co.uk
As many of you know, https is standard secure protocol for web communications of passwords etc.

In other words, I was able to login on a secure protected connection, from my computer to their network at all times and at all points during the path of communication between enduser and them.

Today when I enter the weblink https://www.igindex.co.uk it now defaults, before I even have a chance to enter my login details, to:

http://www.igindex.co.uk

That is, logging in to IgIndex appears to be now permissible only on the normal insecure port 80 normal web protocol and so anyone who is very competent in computer security may be able to capture login details from a customer's computer to Index's. This is most unacceptable. Ig Index must at once restore the https protocol for logging in so that there is zero risk that login data may be captured by anyone wanting to do so with the wrong morals and right competence. I've already called them up and, as usual, I spoke with someone who said that as far as he was aware 'nothing has changed'. He says logins become protected only *after* logging in. :rolleyes: :( Only allowing logins to be on the http protocol is ridiculous, and invites disaster, and Ig Index must again allow people to login from https as soon as possible!
 
You are mistaken. The front page is displayed by http but your login details are sent via https when you click the login button.

There is no security issue here. Doesn't matter whether the details you enter are on a http or https page, it's how they are sent that is important.
 
Ok please understand that it was only because (1) the page https://www.igindex.co.uk defaulted now to http and (2) that their customer support on the phone said that the details were protected after login that I had such doubt. I have since tested this on the network activity tab of my firewall and it does appear that part of the page (we can only assume the login details!!!) is transmitted by https. However, there is no guarantee that this is the case when the whole page is not in https. And it is that which still needs to be corrected so that we have all reassurance that all our data is securely being sent.
 
Ok please understand that it was only because (1) the page https://www.igindex.co.uk defaulted now to http and (2) that their customer support on the phone said that the details were protected after login that I had such doubt. I have since tested this on the network activity tab of my firewall and it does appear that part of the page (we can only assume the login details!!!) is transmitted by https. However, there is no guarantee that this is the case when the whole page is not in https. And it is that which still needs to be corrected so that we have all reassurance that all our data is securely being sent.

As I said - it doesn't matter that http://www.igindex.co.uk is not secure - that's irrelevant. You can enter what you like on that page, none of it gets transmitted to IG until you hit the submit button and what's transmitted when you DO hit the button is secure using https.

Do you understand? Forget what's on http://www.igindex.co.uk there's nothing transmitted on that page that contains any of your personal details so there's no need for it to be secure.
 
I have since tested this on the network activity tab of my firewall and it does appear that part of the page (we can only assume the login details!!!) is transmitted by https. However, there is no guarantee that this is the case when the whole page is not in https. And it is that which still needs to be corrected so that we have all reassurance that all our data is securely being sent.
No need to assume when you know. Install Firefox, install the plugin called Tamper Data, go to the igindex website, open the Tamper Data plugin, log into your account. Then check the logs in the Tamper Data window. You should notice that the login was performed via the https protocol. You can check that this is a login request by checking the parameters of the POST request. They should contain your account_id and password in clear text.
 
Just right click and view source, the login form uses https

<form action="https://www.igindex.co.uk/spread-betting/re_javascript_inactive.html" method="post" id="login" name="login" autocomplete="off">
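A defender-side version of the "view source" check above, as an added example that is not the forum's or IG Index's own code: it parses the quoted form tag (embedded here in a constructed sample page) and reports, per form, which scheme it submits over and whether the page carrying it was itself loaded over plain http, which is the residual risk argued about later in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: the <form> tag quoted above, wrapped in a minimal page so
# the check runs offline. The page URL is the http landing page the thread describes.
SAMPLE_PAGE_URL = "http://www.igindex.co.uk/"
SAMPLE_HTML = """
<html><body>
<form action="https://www.igindex.co.uk/spread-betting/re_javascript_inactive.html"
      method="post" id="login" name="login" autocomplete="off">
  <input type="password" name="password">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

class FormCollector(HTMLParser):
    """Record the action and whether a password field exists for each <form>."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_forms(page_url, html):
    """One finding per form: where it submits, over which scheme, and the residual risk."""
    p = FormCollector()
    p.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for f in p.forms:
        target = urljoin(page_url, f["action"])  # resolve relative actions against the page
        scheme = urlparse(target).scheme
        if not f["password"]:
            risk = "no credentials"
        elif scheme != "https":
            risk = "credentials sent in clear"
        elif page_scheme != "https":
            risk = "https submit from http page: form could be altered in transit"
        else:
            risk = "ok"
        findings.append({"action": target, "submit_scheme": scheme, "risk": risk})
    return findings
```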
 
"Do you understand? Forget what's on http://www.igindex.co.uk there's nothing transmitted on that page that contains any of your personal details so there's no need for it to be secure."

A most patronising response indeed. You are welcome to think it's stupid to question whether a page with a http address is secure or not. And when I enter my username and password details on www.igindex.co.uk, I MOST certainly do want to be sure that those details are transmitted securely so no, I do not accept your saying "there's nothing transmitted on that page that contains any of your personal details" when my password and username when entered on that page are most certainly precious to me. On the other hand a sincere thank you to both 6am & donalduke for answers which were far more useful than patronising.
 
why not have a chat with the guys and gals at IG? The tech people are a double friendly and helpful bunch iirc..
 
There is always a potential security hole, it's just different degrees of security.
 
I think Hoggums is right, there is no issue here.

I also take security seriously and I do know what I'm talking about.

Sure, the home page is http but when you login your login data is sent via https, then everything after that is also https, until you log out. I looked at a packet trace, yes, I'm bored at work not trading :(

The only exception to this is a GET request to clicktrace.net (analytics provider) that sends a unique ID used for web visitor tracking which is something you find on almost every website these days.

Besides, unless you are working from a wireless network with weak or no encryption or some other public network, there's not much to worry about. It's more likely that their servers will be hacked via some other means (not that I'm saying this will happen, I'm sure they're on the ball when it comes to security) than your login details be lifted during transmission.

Just think what happened to SONY recently, https or not, it didn't make one bit of difference in the end.
 
Sure, the home page is http but when you login your login data is sent via https, then everything after that is also https, until you log out. I looked at a packet trace, yes, I'm bored at work not trading :(

The link provided by peakoil mentions the following scenario.

Somebody in the middle between your computer and igindex servers modifies igindex page on the fly. Remember this page is not secure therefore it is possible for anybody in the middle to modify it. One possibility is to inject javascript which will collect your login credentials as you type and send it somewhere else even before you click "Login"

Here is an example http://www.ex-parrot.com/pete/upside-down-ternet.html
 
The link provided by peakoil mentions the following scenario.

Somebody in the middle between your computer and igindex servers modifies igindex page on the fly. Remember this page is not secure therefore it is possible for anybody in the middle to modify it. One possibility is to inject javascript which will collect your login credentials as you type and send it somewhere else even before you click "Login"

Here is an example http://www.ex-parrot.com/pete/upside-down-ternet.html

Like I said...unless you are working from a wireless network with weak or no encryption or some other public network...

In the example you provide, those victims were using a wireless network that wasn't even theirs, their data was compromised before it even reached the internet.

If someone couldn't secure their own network / internet access, I don't think they would be in a position to complain about IG Index's public landing page being https or not.

Anyway, if you could achieve the given example on the internet as a whole (seriously, have you any idea what would be involved?) you might as well just re-direct the user to a completely fake ig index site or something, but now we are talking about Hollywood scenarios rather than real-world ones.
 
No offense meant peakoil, but I suggest you talk to the nice guys at Ig - maybe they can explain it better. They dealt with a technical problem quickly when I had to contact them, one that was difficult to explain to the customer service on the telephone. I work for one of the largest banks writing trading software for mega-rich corporate customers with accounts that usually exceed 7 zeros, so it has to be accurate and I do know what I'm talking about.

However IG obviously has a customer who is not happy and whether his understanding is mistaken or not, I would suggest that they re-introduce the https home page if it makes their customers happier - it's not difficult or costly to do.
 
However IG obviously has a customer who is not happy and whether his understanding is mistaken or not, I would suggest that they re-introduce the https home page if it makes their customers happier - it's not difficult or costly to do.

I have to agree with you again, :rolleyes: My guess is they re-direct from https --> http on the landing page for SEO reasons.
 
No offense meant peakoil, but I suggest you talk to the nice guys at Ig - maybe they can explain it better. They dealt with a technical problem quickly when I had to contact them, one that was difficult to explain to the customer service on the telephone. I work for one of the largest banks writing trading software for mega-rich corporate customers with accounts that usually exceed 7 zeros, so it has to be accurate and I do know what I'm talking about.

However IG obviously has a customer who is not happy and whether his understanding is mistaken or not, I would suggest that they re-introduce the https home page if it makes their customers happier - it's not difficult or costly to do.

Hi Hoggums,

I also do not believe that the "new" IGINDEX way is the best way to secure a website and information. I've dabbled in website creation but I'm no expert by any means. Since you seem to be an expert, I ask you, would YOU have designed a trading website this way or would you place the complete app on a secure server?

I would also think that in these days of internet insecurity that any company would like to appear to be doing everything possible to keep customers' info secure. I'm sure there are others who do not understand html, etc, and now wonder if the info is secure. As you say it's neither difficult nor costly so why the change?

Thanks,

Peter
 
No offense meant peakoil, but I suggest you talk to the nice guys at Ig - maybe they can explain it better. They dealt with a technical problem quickly when I had to contact them, one that was difficult to explain to the customer service on the telephone. I work for one of the largest banks writing trading software for mega-rich corporate customers with accounts that usually exceed 7 zeros, so it has to be accurate and I do know what I'm talking about.

However IG obviously has a customer who is not happy and whether his understanding is mistaken or not, I would suggest that they re-introduce the https home page if it makes their customers happier - it's not difficult or costly to do.

Can I respectfully point the honourable member to the answer I gave on page one of this thread..Honestly, as if the IG techies haven't got this sussed and sorted..:rolleyes:
 
"Can I respectfully point the honourable member to the answer I gave on page one of this thread..Honestly, as if the IG techies haven't got this sussed and sorted.."

Just wondering if your ancestors didst, perchance, roll their eyes at those who thought the Titanic could sink? Nearer to the present day, in the middle of May, no one could foresee what was coming days later for Sony?

And if there was a response from Ig techies about this, if anyone else has tried contacting them, I'd like to see it too.

My point is, when it comes to data security, if there is any way to do things better, and the EFF page (that I linked above) shows how secure information should be utilised on the web, then it should be done the industry standard way, which is certified, strongly secure and verifiable by all interested parties. At present this is still not as it should be. But it was - until they re-routed https requests to http. So putting things back to the way they were isn't too much to expect of Ig Index when all I'm seeking is that they do things the very way that those who wish strongly to protect data of customers in the industry usually do: Https request = https page!
 