[plug] Is this secure
Grahame Bowland
grahame at ucs.uwa.edu.au
Fri Dec 14 10:13:29 WST 2001
On Fri, 2001-12-14 at 10:09, skribe wrote:
> Could someone who is more proficient at javascript and web security please
> have a look at this and tell me if the form is susceptible to sniffing. These
> guys are friends of mine and up until a couple of weeks ago they were passing
> credit card numbers via plain text. I hassled them a few times and
> eventually they convinced the web company that created their page (they're
> not web code literate) to change it. This page is the result:
>
> http://www.infusioncoffee.com/html/orders.htm
Considering that the form isn't served out on HTTPS and the form tag
appears to be:
<form METHOD="POST" action="../_vti_bin/shtml.dll/html/orders.htm"
webbot-action="--WEBBOT-SELF--">
is a relative URL to another non-https URL, I'd say it's probably not
terribly secure. Your friends should really check the laws; I remember
we looked at this for the UCC and it turned out that you can commit
credit card fraud _without_ actually using credit card numbers. It's
illegal to handle them in certain ways.
(IANAL)
Cheers,
Grahame
--
Grahame Bowland Email: grahame at ucs.uwa.edu.au
University Communications Services Phone: +61 8 9380 1175
The University of Western Australia Fax: +61 8 9380 1109
CRICOS: 00126G
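
The check described in the message above, as an added example that is not part of the original post: resolve each form's action against the URL the page was served from and report whether the page or the submission target lacks HTTPS. The surrounding page markup and the "card" field are constructed; only the form tag and the page URL come from the message.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect method and action of every <form> tag, plus any <base href>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.base_href = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "base" and attrs.get("href") and self.base_href is None:
            self.base_href = attrs["href"]
        elif tag == "form":
            self.forms.append({
                "method": (attrs.get("method") or "GET").upper(),
                "action": attrs.get("action") or "",
            })

def audit_forms(page_url, html):
    """Return one finding per form: resolved target and transport problems."""
    collector = FormCollector()
    collector.feed(html)
    # A <base href> changes how relative actions resolve, so honour it.
    base = urljoin(page_url, collector.base_href or "")
    findings = []
    for form in collector.forms:
        # An empty action submits back to the page's own URL.
        target = urljoin(base, form["action"])
        problems = []
        if urlsplit(page_url).scheme != "https":
            problems.append("form page served without TLS")
        if urlsplit(target).scheme != "https":
            problems.append("submission sent without TLS")
        findings.append({"method": form["method"], "target": target,
                         "problems": problems})
    return findings

# Form tag quoted in the message, wrapped in a constructed minimal page.
SAMPLE_HTML = '''<html><body>
<form METHOD="POST" action="../_vti_bin/shtml.dll/html/orders.htm"
webbot-action="--WEBBOT-SELF--">
<input type="text" name="card"></form></body></html>'''
PAGE_URL = "http://www.infusioncoffee.com/html/orders.htm"

if __name__ == "__main__":
    print(audit_forms(PAGE_URL, SAMPLE_HTML))
```

Both findings matter independently: an HTTPS action on a page served over HTTP still lets anyone on the path rewrite the form before it reaches the browser.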