Just for clarity, the main site page, which is https encrypted, is here: https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/Content/trials#dont-wantmhr
It links to the http unencrypted opt-out page. It isn't a case of somebody entering a URL manually, it is the only link from the main site.

Regards,
Michael Skeggs

On 4 April 2016 at 11:34, Craig Sanders <[email protected]> wrote:

> On Mon, Apr 04, 2016 at 11:12:03AM +1000, Bernard Robertson-Dunn wrote:
> > If you wish to opt-out of the MyHealthRecord trials you can go to this site.
> > http://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
> >
> > A few clicks takes you to a page where you can fill in identity details
> >
> > That page asks for name, date of birth and Medicare number and one of
> > driver licence number
> > passport number
> > or immicard number
> >
> > Would someone please confirm that all this is being done in the clear?
> > i.e. it's not https
>
> 1. The page is also accessible as
> https://www2.medicareaustralia.gov.au/pext/optoutextweb/optout.xhtml
>
> Most of the links in the page source seem to be relative links, so
> if you enter the site using the https:// url rather than http://
> it seems probable that the entire session will be encrypted.
>
> of course, this also means that if you enter the page using the http://
> url, everything will be unencrypted. They really ought to have the web
> server redirect http:// requests to the https:// site.
>
> 2. the page requires javascript, so i was unable to investigate beyond
> the first page. Later pages may have absolute http:// URLs. Don't
> know.
>
> is there any other way to opt out? preferably one that doesn't require
> me to allow the government (and/or whoever they've outsourced the web
> site to) to run arbitrary javascript code on my computer. by phone,
> perhaps?
>
> 3. The page contains several links to https://myhealthrecord.gov.au
> hidden behind containers that are revealed by javascript, but the main
> "Go back to myhealthrecord.gov.au" link at the top of the page is http
> rather than https. Probably a careless mistake.
>
> craig
>
> --
> craig sanders <[email protected]>
> _______________________________________________
> Link mailing list
> [email protected]
> http://mailman.anu.edu.au/mailman/listinfo/link
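
Added example, not part of the thread and not code from the site discussed: a small audit of how a page's links and form targets resolve depending on the scheme the page was loaded over, which is the relative-link behaviour raised in points 1 and 3 above. The hostnames, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute is a URL the browser will fetch, follow or post data to.
URL_ATTRS = {"a": "href", "form": "action", "link": "href",
             "script": "src", "img": "src", "iframe": "src"}

# Constructed sample page: one absolute http link, one relative form target,
# one absolute https link.
SAMPLE = """
<a href="http://portal.example/">Go back</a>
<form action="submit.xhtml" method="post"></form>
<a href="https://portal.example/help">Help</a>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.found.append((tag, value))

def audit(html, base_url):
    """Resolve every URL in html against base_url and label its transport."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for tag, raw in collector.found:
        resolved = urljoin(base_url, raw)  # relative URLs inherit the page's scheme
        scheme = urlsplit(resolved).scheme
        if scheme == "https":
            verdict = "encrypted"
        elif scheme == "http":
            explicit = urlsplit(raw).scheme == "http"
            verdict = "cleartext (absolute http link)" if explicit else "cleartext (inherited from page)"
        else:
            verdict = "other"
        results.append((tag, raw, resolved, verdict))
    return results

def cleartext_targets(html, base_url):
    """Resolved URLs that would be requested without TLS."""
    return [r[2] for r in audit(html, base_url) if r[3].startswith("cleartext")]

if __name__ == "__main__":
    for base in ("https://forms.example/app/optout.xhtml",
                 "http://forms.example/app/optout.xhtml"):
        print(base)
        for row in audit(SAMPLE, base):
            print("   ", row)
```

Loaded over https, only the hard-coded http link is cleartext; loaded over http, the relative form target becomes cleartext as well, which is why a server-side redirect from http to https matters for the entry page.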
