Virgin Mobile

Your website is not fully secure

SOLVED
Enthusiast

Your website is not fully secure

Google says the front pages of your site are fully secure.  But once logged into my account it says it's not fully secure.  This is definitely NOT what you want to see on a page where you're entering credit/debit card information!

unsecure.jpg

 

1 ACCEPTED SOLUTION

Accepted Solutions
Agent

Re: Your website is not fully secure

Thanks for bringing this to our attention. We definitely value your feedback and we’ll be sure to pass it on. 

15 REPLIES 15
Agent

Re: Your website is not fully secure

Hello, Offworld. Our website is official and secure. The ranking of Google has nothing to do with us.

 

If you have any other question or concern, feel free to reply. We're here to help!

Enthusiast

Re: Your website is not fully secure

It's not a "ranking" from Google.  It's a security assessment and it says your site is NOT fully secure.  Firefox browser gives a similar warning.  Safari won't show the padlock once I'm logged into my account.  What it means is that there is content, such as images, on those account pages that are being delivered from a non-secure server.  Someone could stage a man-in-the-middle attack by intercepting and replacing that content with something malicious because it is not secure.  The FRONT of your site is secure.  It's the "My Account" area once logged in that is not, which disturbingly includes pages where people are entering credit/debit card information.  Your server administrator needs to fix this!

Agent

Re: Your website is not fully secure

Most likely you have "mixed content". Visitors to sites protected by SSL expect (and deserve) security and protection. When a site doesn’t fully protect or secure all content, a browser will display a “mixed-content” warning. Mixed content occurs when a web page containing a combination of both secure (HTTPS) and non-secure (HTTP) content is delivered over SSL to the browser. Non-secure mixed content can theoretically be read or modified by attackers, even though the parent page is served over HTTPS. To fix this you would need to be able to identify the non-secure content within the code of the site. Most common modern browsers like Google Chrome and Mozilla Firefox have the ability to look at the code in a developer stance, meaning it's like a debugger console built into the browser. In Google Chrome you would right-click on the page that is displaying the warning and select "Inspect." On Mozilla Firefox it's the same idea, but they call it "Inspect Element." Once you have done that, look for any "Mixed Content" warnings. If you are using WordPress, also make sure that you install a "Force SSL" plugin to automatically make all pages SSL secured.

 

Hopefully this helps!

Enthusiast

Re: Your website is not fully secure

Ok, you copied and pasted that from the second search result on Google, an answer on GoDaddy forums which is telling someone how to configure their WordPress website so it doesn't serve mixed secure and insecure content.

I'm not looking for a solution, I'm just trying to make you aware that the Virgin Mobile website is not fully secure when I'm logged into my account.  This is nothing that I, nor any other customer can fix. Your server administrator has to fix it.  It's on your end, the Virgin Mobile server is not configured correctly and/or the account pages need to be recoded to stop pulling content from a non-secure source.

Agent

Re: Your website is not fully secure

Thanks for bringing this to our attention. We definitely value your feedback and we’ll be sure to pass it on. 

Whiz Kid

Re: Your website is not fully secure

Apparently not....

I see the same message when I open the "My Account" app that comes pre-installed on your phone.

I'm not sure why this would happen, since it's not very useful to have an app designed to access your site, which can't even do the one thing it was made to do.

Whiz Kid

Re: Your website is not fully secure

I have also seen this message, even when using the pre-installed "My Account" app that came with my phone. It won't even let me attempt to connect anyway, which makes the app useless. I have to use a computer, or call in to get anything done.

Agent

Re: Your website is not fully secure

Hello, @gort209. Our team is looking into it. In case you're experiencing difficulties performing changes through the My Account app, we suggest you try clearing the data or cache of the application. Also, feel free to get in contact with us if you need assistance. We're here to help. 

Whiz Kid

Re: Your website is not fully secure

I'm also having a problem with trying to order a new phone for my mother, who's had an account with you guys since I signed her up a few years ago, which worked fine back then. Now, however, your website is full of CORS errors, and the OP is 100% right: you have unsecure files being served. My background: Linux System Administrator and Full Stack developer.

Here's your issue:
 Screenshot from 2019-04-29 12:22:36.png

On top of this you have scripting errors on all kinds of things, such as the following: 
GET https://www.virginmobileusa.com/etc/clientlibs/virginmobile-aem/global/assets/styles/global/assets/f... net::ERR_ABORTED 404 (Not Found)
--
Some incompetent administrator is trying to link backend files that are not being served on your webserver (Apache or nginx, I didn't check which). This is only the start of the issues; there are plenty more.
Screenshot from 2019-04-29 12:33:28.png
As you can see here, the ERR:NAME not resolved means that website link doesn't even work; try going to it and you'll see a DNS resolve issue (won't load). And this is tied to anyone when they go to log in. Also, again, note that My Account is serving non-HTTPS, as the OP mentioned. This is only the start; there are many other issues, including some CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

You really do need to get someone to fix these issues. I can't imagine the pain support staff have to put up with due to the problems this is causing many people, driving business away over a few simple fixes by a competent sysadmin/dev.

My problem is still persisting, most likely due to the PO Box change, which is unheard of from most businesses, making the shipping and billing the same. Literally had to get a new credit card just for her to use her home address, which is literally idiotic, which even the bank stated.

/endrant