bcollin2's profile

New Poster

 • 

1 Message

Tuesday, February 18th, 2020 9:00 AM

Closed

Page not secure.

My xfinity email web page keeps switching to "not secure" when I open a new tab. I am using Chrome browser.  When I reload the page it goes back to secure.

I encountered this problem after I unhooked my router for a short time.

I have gotten a refresh on the router and have downloaded the latest Chrome update and nothing helps.

New Poster

 • 

3 Messages

4 years ago

As of 3/17/2020 - I can confirm this issue.

CHROME (latest ver.) reports email from Xfinity in my Xfinity inbox as being Not Secure.

FIREFOX (latest ver.) reports email from Xfinity in my Xfinity inbox as being Not Secure (possibly images).

 

MS Edge (latest ver.) does not seem to have an issue with any emails in my Xfinity inbox.

 

How best to report this to Comcast?

 

New Poster

 • 

3 Messages

4 years ago

Correction.

MS Edge also now returns 'not secure'

Be Careful Here.

Some content on this page is not encrypted, which makes it possible ...

Official Employee

 • 

1K Messages

4 years ago

@hipcheck1010 

@bcollin2 

The encryption is active during the "login" phase of your interaction with the website because you are sending authentication packets over the internet. Once your authentication token has been established, it no longer requires for the traffic to be "secure" because the data is stored server side. When you type up an email, for example, you aren't sending a data packet of information over the internet - the server is, which is already encrypted on the Comcast side. The only part for vulnerability after you have established your authentication to your account/email is if your device is compromised (ex: malware, keylogger, Remote Access Tool, etc.).

New Poster

 • 

3 Messages

4 years ago

What you say makes sense, until one considers the statement "Once your authentication token has been established, it no longer requires for the traffic to be "secure" ". 

 

Why does it no longer require a secure page? And what is the 'it' referenced here? The token?

Is it not possible to display server side data on a secure webpage?

Official Employee

 • 

1K Messages

4 years ago

@hipcheck1010 you are no longer sending data packets with your password/security question/etc. over the browser. You have established an active session where all data you input to the website becomes stored on the Comcast server side. 

Gold Problem Solver

 • 

25.7K Messages

4 years ago


@ComcastCSAEmail wrote: ... Once your authentication token has been established, it no longer requires for the traffic to be "secure" ...

With respect, you may want to read up on "Mixed Content / MITM Vulnerabilities". See https://www.google.com/search?q=mixed+content+pages+MITM. Though not common, insecure content on otherwise secure pages poses a security problem.
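The mixed-content condition discussed in this thread can be checked mechanically. The following is an added example, not part of any post here and not Comcast's code: it lists the subresources an HTTPS page would fetch over plain HTTP and labels each as active or passive. The function name, hostnames and sample HTML are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). Hostnames and HTML below are constructed.
// Tags that load subresources into the page. "active" content can script the page
// and browsers block it; "passive" content (images, media) has historically been
// loaded anyway, with the padlock downgraded to a "Not secure" indicator.
const SUBRESOURCE_TAGS = new Map([
  ["script", "active"],
  ["iframe", "active"],
  ["img", "passive"],
  ["audio", "passive"],
  ["video", "passive"],
]);

// Return every subresource an HTTPS page would fetch over plain HTTP.
function findMixedContent(pageUrl, html) {
  // Only a page delivered over HTTPS can have "mixed" content.
  if (new URL(pageUrl).protocol !== "https:") return [];
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  // src may be double-quoted, single-quoted or unquoted; \s before it skips data-src.
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const kind = SUBRESOURCE_TAGS.get(tag);
    if (!kind) continue; // e.g. <a href="http://..."> is navigation, not a subresource
    const a = srcRe.exec(m[2]);
    if (!a) continue;
    let resolved;
    try {
      // Resolve relative and protocol-relative (//host/path) URLs against the page.
      resolved = new URL((a[1] ?? a[2] ?? a[3]).trim(), pageUrl);
    } catch {
      continue; // unparsable URL: nothing would be fetched
    }
    if (resolved.protocol === "http:") findings.push({ tag, kind, url: resolved.href });
  }
  return findings;
}

// Constructed sample: an HTML email body rendered inside an HTTPS webmail page.
const SAMPLE_PAGE = "https://mail.example.test/inbox";
const SAMPLE_HTML = `
<p>Your statement is ready. <a href="http://example.test/help">Help</a></p>
<img src="http://img.example.test/logo.png" alt="logo">
<img src="//cdn.example.test/banner.png">
<img src='/static/footer.png'>
<script src=http://ads.example.test/t.js></script>`;
console.log(findMixedContent(SAMPLE_PAGE, SAMPLE_HTML));
```

A site that cannot immediately fix every such reference can send the `Content-Security-Policy: upgrade-insecure-requests` response header, which tells the browser to rewrite these loads to HTTPS.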

Official Employee

 • 

1K Messages

4 years ago


@BruceW wrote:

@ComcastCSAEmail wrote: ... Once your authentication token has been established, it no longer requires for the traffic to be "secure" ...

With respect, you may want to read up on "Mixed Content / MITM Vulnerabilities". See https://www.google.com/search?q=mixed+content+pages+MITM. Though not common, insecure content on otherwise secure pages poses a security problem.


You are correct, and the vulnerability is network traffic sniffers, which would be from either something pre-existing on the device in the form of an infection or by connecting to an unsecured Wi-Fi connection, which at that stage, regardless of whether the data is encrypted, someone has already captured it in its encrypted form. Man in the Middle/mixed content is only effective presuming that we don't audit our own webmail service when ads/images/content are displayed, allowing someone to effectively place unsecure content directly into the webmail content. A form of it is still liable, which would also fall on the device itself having a fault/infection. The vulnerability sure does exist, but not from the webmail interface on the Comcast side.

EDIT: To clarify, Comcast does audit our webmail service for security issues actively to ensure MiM attacks cannot happen. There have been well documented instances where a large website was compromised due to what you are referencing - where an advertisement system used on a webpage was utilized to insert malicious content and steal account credentials for thousands of accounts on said website. To reiterate, the majority of the content displayed on our webmail service comes internally from our own servers (closed data loop - the data never leaves our servers - meaning the data is secure even though your browser claims otherwise) or, if we utilize an advertising service, they do have a screening/security verification they have to meet before displaying content on our webmail platform.

Regular Visitor

 • 

4 Messages

4 years ago

Comcast has an invalid certificate applied to the connect.xfinity.com site.  

Annotation 2020-06-04 101522.png

 

Gold Problem Solver

 • 

25.7K Messages

4 years ago


@ronso21 wrote: Comcast has an invalid certificate applied to the connect.xfinity.com site.  ...

The image you posted isn't visible. It looks like this:

undefined

It's probably because the image requires moderator approval. That might take some time, from a few hours to a day or so. Alternatively, you could upload the image to a file sharing site and post a link to it here, or post text instead of an image.

Regular Visitor

 • 

4 Messages

4 years ago

Image showed the security certificate for the connect.xfinity.com portal. All browsers are reporting the certificate is not issued by a trusted certificate signer. Certificate is issued by "Bad Server Certificate [invalid server certificate]"

Contributor

 • 

39 Messages

4 years ago

Yes, this is what I am getting too. What gives with Comcast?

New Poster

 • 

1 Message

4 years ago

This doesn't make sense because regardless of what I'm doing in my Chrome browser while on the xfinity webmail, 100% of the time, I see the secure lock icon.
