BT.com, My Account, SSL and reporting the problem.

NickPaling — Thu, 05 Apr 2012 14:54:03 GMT

Logged in to my business account today from

https://www.bt.com/cmp/public/hub.do page and when it completed the browser crossed out the https and the padlock.

This usually indicates a web site that should be using SSL but isn't. My billing details were displayed. Knowing that the site was therefore not secure I hit sign out.

This produced the following

"Duplicate headers received from server
The response from the server contained duplicate headers. This problem is generally the result of a misconfigured website or proxy. Only the website or proxy administrator can fix this issue.
Error 350 (net::ERR_RESPONSE_HEADERS_MULTIPLE_LOCATION): Multiple Location headers received. This is disallowed to protect against HTTP response splitting attacks."

Now this sounds like a problem for BT.com's website team. I tried for two hours to report this problem. In the process being passed from one team to another. I was repeatably assured that the website was safe to use but if I felt it wasn't I could use the telephone or email to access my account.

For me this has rasied 3 issues

I couldn't get through to anyone who understood the problem.
I couldn't get to find who to talk to re the problem.
The agents who assured me that the site was safe to use need some further training before continuing with their day job.

Has anybody else noticed the issue?

Re: BT.com, My Account, SSL and reporting the problem.

kuerten — Sat, 21 Apr 2012 13:36:23 GMT

I wouldn't worry to much about it. It means that some parts of the webpage are only not encoded on SSL like javascript.

I can't pinpoint which part it is but overall, I would say the connection is secure. Btw, what browser are you using on this? Also try other browsers and see if the results are the same.

topic BT.com, My Account, SSL and reporting the problem. in Archive

BT.com, My Account, SSL and reporting the problem.

Re: BT.com, My Account, SSL and reporting the problem.