IET
Topic Title: Secure Login
Created On: 04 August 2012 06:25 PM
Status: Read Only
 04 August 2012 06:25 PM



mbirdi

Posts: 1907
Joined: 13 June 2005

When is the IET going to offer secure logins to the forums, or is this something beyond their budget or technical capabilities?
 04 August 2012 10:51 PM



ectophile

Posts: 526
Joined: 17 September 2001

So far as I can tell, it does use https. However, it's all hidden - there doesn't appear to be a separate https login page.

-------------------------
S P Barker BSc PhD MIET
 05 August 2012 04:49 PM



mbirdi

Posts: 1907
Joined: 13 June 2005

Originally posted by: ectophile
So far as I can tell, it does use https. However, it's all hidden - there doesn't appear to be a separate https login page.

As far as I can see I can log in unsecured then click on 'My IET' button which takes me to a secured (https) page.

This is pretty much useless as anyone (on the network) could capture my unsecured login password and have full access to do havoc on the forums (not that I'm entirely innocent on that score) and view details about me and change things as they please.

The same can happen to anyone. Access needs to be made more secure.
 06 August 2012 05:08 PM
rossall

Posts: 1048
Joined: 06 August 2001

Thanks for raising this. ectophile is correct that log-ins are submitted under HTTPS.

The IET takes security very seriously, and will continue to maintain and upgrade its systems. These are also subject to regular third-party audits.

We'll keep reviewing the design and introducing changes as appropriate.

Regards

-------------------------
David Rossall
The Institution of Engineering and Technology
 08 August 2012 07:50 PM



mbirdi

Posts: 1907
Joined: 13 June 2005

Just to be clear on this.

When I enter my username and password in the white boxes, which are echoed back to me (though password is in dotted format) the page is still in non-secured http mode. Therefore anyone can potentially capture my login details as I enter them.

It's only when I hit the green 'Login' button that I am then taken to a secured https page. But by then it's too late as far as security is concerned.

We should be taken to a secured https page after hitting the green Login button. Then allowed to enter our details to be authenticated. That's how the Banks do it.
 08 August 2012 11:56 PM
rossall

Posts: 1048
Joined: 06 August 2001

That's not correct.

You can enter your username and password on almost any page. That page has already been delivered to your PC (as you say, under HTTP), so that you can view it. When you key your password, you're just putting it into your local PC.

When you then submit the form with your username and password, you do so to this page: https://logon.theiet.org/login.cfm

That's under HTTPS, so your login is protected. That's not to say that there are no benefits to having the username/password form under HTTPS, so we are looking at it as part of the normal process of review that I have mentioned.

Levels of security need to be appropriate to the context. Bank-level security comes at a cost to the provider and to the user - for the latter, it's in the form of the inconvenience of one-time passwords or other additional security measures, that would not be used on most Web sites.

On the other hand, the IET is very aware that it holds members' personal data and conducts financial transactions, and must take measures accordingly.

Hope this helps.

Regards

-------------------------
David Rossall
The Institution of Engineering and Technology
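
The distinction drawn in the post above (a login form delivered over HTTP whose contents are submitted to an HTTPS URL) can be checked mechanically. The following is an added example, not part of the original thread and not the IET's code: a Python check that classifies each password form by the scheme of the page it arrived on and the scheme of its action URL. The forum page URL, the field names and the HTML are constructed for illustration; only the login URL is taken from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginFormFinder(HTMLParser):
    """Collects the action attribute of every <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.open_action = None    # action of the form being parsed, None if outside a form
        self.has_password = False
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.open_action, self.has_password = attrs.get("action") or "", False
        elif tag == "input" and self.open_action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.open_action is not None:
            if self.has_password:
                self.actions.append(self.open_action)
            self.open_action = None

def audit_login_forms(page_url, html):
    """Return a list of (resolved_action_url, verdict) for each login form."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    page_https = urlparse(page_url).scheme == "https"
    results = []
    for action in finder.actions:
        target = urljoin(page_url, action)   # empty or relative action inherits the page URL
        if urlparse(target).scheme != "https":
            verdict = "cleartext-submit"     # password crosses the network unencrypted
        elif not page_https:
            # Submission is encrypted, but the form itself arrived without TLS,
            # so the browser could not authenticate the page it rendered.
            verdict = "https-submit-from-http-page"
        else:
            verdict = "https-throughout"
        results.append((target, verdict))
    return results

# Constructed sample: an HTTP forum page with a login form and a search form.
SAMPLE_PAGE_URL = "http://forum.example.org/topic.cfm"
SAMPLE_HTML = """<form action="https://logon.theiet.org/login.cfm" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>
<form action="search.cfm"><input type="text" name="q"></form>"""
```

Calling `audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)` reports the arrangement discussed in this thread as `https-submit-from-http-page`; the search form is ignored because it has no password field.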
 09 August 2012 07:41 PM



mbirdi

Posts: 1907
Joined: 13 June 2005

Thanks for the clarification.