[plug] Is this secure

Steve Grasso steveg at calm.wa.gov.au
Fri Dec 14 10:51:31 WST 2001


Hi people,

On Friday 14 December 2001 10:13, Grahame Bowland wrote:
> On Fri, 2001-12-14 at 10:09, skribe wrote:
> > Could someone who is more proficient at javascript and web security
> > please have a look at this and tell me if the form is susceptible to
> > sniffing.  These guys are friends of mine and up until a couple of weeks
> > ago they were passing credit card numbers via plain text.  I hassled them
> > a few times and eventually they convinced the web company that created
> > their page (they're not web code literate) to change it.  This page is
> > the result:
> >
> > http://www.infusioncoffee.com/html/orders.htm
>
> Considering that the form isn't served out on HTTPS and the form tag
> appears to be:
>
> <form METHOD="POST" action="../_vti_bin/shtml.dll/html/orders.htm"
> webbot-action="--WEBBOT-SELF--">
>
> is a relative URL to another non-https URL, I'd say it's probably not
> terribly secure. 

I agree.

> Your friends should really check the laws; I remember
> we looked at this for the UCC and it turned out that you can commit
> credit card fraud _without_ actually using credit card numbers. It's
> illegal to handle them in certain ways.

IMO this extends beyond just taking orders via SSL, but also how the CC 
details are stored and accessed. For example, I'd be wary of CC details 
stored in plain text _anywhere_ on a server, internet connected or not --  
it's fairly trivial to implement strong encryption. Also, I'd want to make 
sure only authorised personnel had access to CC details, and that I could 
prove it if needed via some kind of audit trail.

IANAL either!

FWIW, even though I'm rather fond of coffee, I wouldn't order anything online 
from them as the site stands.

Regards,
Steve
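A quick way to check the point Grahame raises (a relative form action inherits the page's scheme, so a form on an http:// page posts over plain HTTP), as an added example that is not part of this thread. It also catches the opposite case of an HTTPS page whose form posts to an explicit http:// URL. The HTML sample is constructed from the form tag quoted above and the page URL is the one skribe posted; nothing is fetched from the network.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> tag in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attr_map = {k.lower(): v for k, v in attrs}
            # A form with no action (or an empty one) posts back to the page itself.
            self.actions.append(attr_map.get("action") or "")


def form_submit_urls(page_url, html):
    """Resolve each form action against the page URL.

    Relative actions (like the ../_vti_bin/... one in the thread) pick up
    the scheme and host of the page they appear on.
    """
    parser = FormActionParser()
    parser.feed(html)
    return [urljoin(page_url, action) for action in parser.actions]


def insecure_form_targets(page_url, html):
    """Return the resolved submit URLs that would carry form data over plain HTTP."""
    return [u for u in form_submit_urls(page_url, html) if urlparse(u).scheme != "https"]


# Constructed sample: the form tag quoted in the thread, on the page URL skribe posted.
PAGE_URL = "http://www.infusioncoffee.com/html/orders.htm"
SAMPLE_HTML = """<html><body>
<form METHOD="POST" action="../_vti_bin/shtml.dll/html/orders.htm"
webbot-action="--WEBBOT-SELF--">
<input name="cardnumber"></form>
</body></html>"""

if __name__ == "__main__":
    for url in insecure_form_targets(PAGE_URL, SAMPLE_HTML):
        print("form submits over plain HTTP to:", url)
```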
