Page not secure.

New Poster

My Xfinity email web page keeps switching to "not secure" when I open a new tab. I am using Chrome browser. When I reload the page it goes back to secure.

I encountered this problem after I unhooked my router for a short time.

I have gotten a refresh on the router and have downloaded the latest Chrome update and nothing helps.

New Poster

Re: Page not secure.

As of 3/17/2020 - I can confirm this issue.

CHROME (latest ver.) reports email from Xfinity in my Xfinity inbox as being Not Secure.

FIREFOX (latest ver.) reports email from Xfinity in my Xfinity inbox as being Not Secure (possibly images).

MS Edge (latest ver.) does not seem to have an issue with any emails in my Xfinity inbox.

How best to report this to Comcast?

New Poster

Re: Page not secure.

Correction.

MS Edge also now returns 'not secure'

Be Careful Here.

Some content on this page is not encrypted, which makes it possible ...

Official Employee

Re: Page not secure.

@hipcheck1010 

@bcollin2 

The encryption is active during the "login" phase of your interaction with the website because you are sending authentication packets over the internet. Once your authentication token has been established, it no longer requires for the traffic to be "secure" because the data is stored server side. When you type up an email for example, you aren't sending a data packet of information over the internet - the server is, which is already encrypted on the Comcast side. The only part for vulnerability after you have established your authentication to your account/email is if your device is compromised (ex: Malware, keylogger, Remote Access Tool, etc.).


I am an Official Comcast Employee.
Official Employees are from multiple teams within Comcast: CARE, Product, Leadership. We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
New Poster

Re: Page not secure.

What you say makes sense, until one considers the statement "Once your authentication token has been established, it no longer requires for the traffic to be "secure"".

Why does it no longer require a secure page? And what is the 'it' referenced here? The token?

Is it not possible to display server side data on a secure webpage?

Official Employee

Re: Page not secure.

@hipcheck1010 you are no longer sending data packets with your password/security question/etc. over the browser. You have established an active session where all data you input to the website becomes stored on the Comcast server side. 


Gold Problem Solver

Re: Page not secure.


@ComcastCSAEmail wrote: ... Once your authentication token has been established, it no longer requires for the traffic to be "secure" ...

With respect, you may want to read up on "Mixed Content / MITM Vulnerabilities". See https://www.google.com/search?q=mixed+content+pages+MITM. Though not common, insecure content on otherwise secure pages poses a security problem.

Official Employee

Re: Page not secure.


@BruceW wrote:

@ComcastCSAEmail wrote: ... Once your authentication token has been established, it no longer requires for the traffic to be "secure" ...

With respect, you may want to read up on "Mixed Content / MITM Vulnerabilities". See https://www.google.com/search?q=mixed+content+pages+MITM. Though not common, insecure content on otherwise secure pages poses a security problem.


You are correct, and the vulnerability is network traffic sniffers, which would be from either something pre-existing on the device in the form of an infection or by connecting to an unsecured Wi-Fi connection, which at that stage regardless if the data is encrypted, someone has already captured it in its encrypted form. Man in the Middle/mixed content is only effective presuming that we don't audit our own webmail service when ads/images/content are displayed, allowing someone to effectively place unsecure content directly into the webmail content. A form of it is still liable, which would also fall on the device itself having a fault/infection. The vulnerability sure does exist, but not from the webmail interface on the Comcast side.

EDIT: To clarify, Comcast does audit our webmail service for security issues actively to ensure MiM attacks cannot happen. There have been well documented instances where a large website was compromised due to what you are referencing - where an advertisement system used on a webpage was utilized to insert malicious content and steal account credentials for thousands of accounts on said website. To reiterate, the majority of the content displayed on our webmail service comes internally from our own servers (closed data loop - the data never leaves our servers - meaning the data is secure even though your browser claims otherwise) or if we utilize an advertising service - they do have a screening/security verification they have to meet before displaying content on our webmail platform.


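
The mixed-content condition discussed in this thread (an HTTPS page that pulls in `http://` subresources, such as images inside a displayed email), as an added example that is not part of any post and not Comcast's code. It audits an HTML body for subresources that would load in cleartext; the page URL, host names and markup are constructed sample values, and the passive/active grouping is a simplification of how browsers classify mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for attr, value in a.items():
            if (tag, attr) in PASSIVE:
                kind = "passive"
            elif (tag, attr) in ACTIVE:
                kind = "active"
            elif (tag == "link" and attr == "href"
                  and "stylesheet" in a.get("rel", "").lower().split()):
                kind = "active"
            else:
                continue  # e.g. <a href> is navigation, not a subresource
            # Resolve relative and protocol-relative URLs against the page.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def audit(page_url, html):
    """Return cleartext subresources referenced by an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for secure pages
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a webmail page rendering a message body.
SAMPLE_PAGE = "https://mail.example.test/inbox/message/1"
SAMPLE_HTML = """<html><body>
<img src="http://img.example.test/banner.png">
<img src="//cdn.example.test/pixel.gif">
<a href="http://www.example.test/offer">offer</a>
<script src="http://widgets.example.test/tag.js"></script>
<link rel="stylesheet" href="/static/mail.css">
</body></html>"""
```

A passive finding alone is enough to downgrade the browser's padlock indicator; an active finding is the case browsers block outright, because a script fetched in cleartext can be modified in transit and then runs with the page's privileges.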