[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security of Web registration of Lview Pro

To: [email protected], [email protected]
Subject: Security of Web registration of Lview Pro
From: Andrew Meredith <[email protected]>
Date: Thu, 01 Aug 1996 12:07:02 +0100
CC: [email protected]
Organization: Motorola ECID
Sender: [email protected]

Dear Sirs,

I was happy to find that you have put up an SSL form through which one
can register Lview Pro. I filled it in and pressed the button. My
browser then warned me that although the form was sent to me securely,
the data I was sending back was in the clear!

I had a look at the page source for:

  https://commerce.mindspring.com/www.lview.com/iregform.htm

and there is was:

<FORM METHOD="POST"
ACTION="http://www.std.com/Newbury/leonardo/cgi-bin/fp.exe"><P>
        ^^^^

Therefore the only thing protected by this "Secure Form" is the original
text of the form, rather than the credit card details. I know that:

    "If using an SSL Web browser such as Netscape or Microsoft
     Explorer, please click here to access a secure document."

doesn't actually *say* that your customers card details are secure, but
at first glance it sounded like it to me.

Whatever others may think about the rights and wrongs of it, my personal
policy is not to commit credit card details to open networks, unless
under strong encryption.

I look forward to your comments.

Andy Meredith

Prev by Date: Re: Cracking RC4/40 for massive wiretapps
Next by Date: Re: Jewell is the Militia Bomber!!!!
Prev by thread: Re: Cracking RC4/40 for massive wiretapps
Next by thread: Re: Jewell is the Militia Bomber!!!!
Index(es):
- Date
- Thread