[3121] in WWW Security List Archive


Bloomingdales security?

daemon@ATHENA.MIT.EDU (John Lehmann (SSASyd))
Mon Sep 30 23:06:30 1996

From: "John Lehmann (SSASyd)" <LEHMANNJ@saatchi.com.au>
To: "'www-security'" <www-security@ns2.rutgers.edu>
Date: Tue, 01 Oct 96 10:33:00 S
Errors-To: owner-www-security@ns2.rutgers.edu


Well, the bloomingdales site is now online at www.bloomingdales.com

Always interested to see how people are implementing shopping on the web,   
I took out my credit card and my modem and nosed around until I found a   
nice turquoise "Charisma" towel.

Reassured by the friendly "your Order Form is encrypted using D.E.S and   
M.D.5 protocols" I started tapping in my credit card details and poised   
with my finger (well - finger substitute, really) over the submit button   
(about to increase the foreign debt by $US19.95) until I noticed that the   
little key at the bottom left hand corner of the netscape window was   
broken.  Wondering a little, I had a look at the 'frame info' and found   
it a little odd:

 "File MIME Type: Currently Unknown
             Source: Not cached
 ...
 Security: Status unknown"

Looking back over my trail I decided that there had been no encryption to   
this point. (Everything was http:)

I decided to try pretending to be a web-browser, though I'm not very good   
at it, and can never remember what headers to supply.  At any rate, it   
returned the headers:

 "Server: Microsoft-Internet-Information-Server/1.0
 Content-Type: application/octet-stream
 did not encodeContent-type: text/html"

And a bunch of text/html.

Can anyone else find any security at this site?  Anyone care to take the   
experiment all the way and plug in their credit-card details? Did I miss   
something or is this one of the most hopeful examples of   
'security-by-assertion' I have ever seen?

 --
John 'perhaps it's because I live in australia and cryptography is a   
munition' Lehmann
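The checks John did by hand (is the order form actually submitted over https, and why does the browser show "MIME Type: Currently Unknown"?) can be automated for auditing a site you operate. The following script is an added example, not code from the original post or from the site in question: it parses a page's HTML for forms whose submission target is not https and whose fields look like card data, and it parses raw HTTP response headers the way a client would, flagging the octet-stream content type and the run-together header line quoted in the post. The host names and HTML are constructed samples; only the three header lines are taken from the post.

```python
"""Check whether a web order form really travels over an encrypted channel.

Added example (not from the original post). Two checks:
  1. insecure_forms(): every <form> whose resolved action URL is not https,
     with a flag if its input names look like payment-card fields.
  2. check_headers(): parse raw response headers; report lines that are not
     well formed and a Content-Type that hides HTML as an opaque binary type.
Host names and the HTML snippet below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action and input names of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((attrs.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


# Substrings that suggest an input carries payment-card data (heuristic).
SENSITIVE_HINTS = ("card", "ccnum", "cvv", "expir")


def insecure_forms(page_url, html):
    """Return findings for forms whose submission target is not https."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty action submits back to the page itself.
        target = urljoin(page_url, form["action"] or page_url)
        scheme = urlsplit(target).scheme
        sensitive = any(hint in name for name in form["fields"] for hint in SENSITIVE_HINTS)
        if scheme != "https":
            findings.append({"action": target, "scheme": scheme, "sensitive": sensitive})
    return findings


def check_headers(raw_headers):
    """Parse header lines into a dict; return (headers, list of problems)."""
    headers, problems = {}, []
    for line in raw_headers.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        # A field name must precede the colon and cannot contain spaces;
        # "did not encodeContent-type: text/html" fails both ways.
        if not sep or " " in name.strip():
            problems.append(f"malformed header line: {line!r}")
            continue
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-type", "").startswith("application/octet-stream"):
        problems.append("Content-Type is application/octet-stream; a browser cannot "
                        "tell this is HTML and reports the MIME type as unknown")
    return headers, problems


# Constructed sample page: one relative (plain-http) card form, one https form.
SAMPLE_URL = "http://shop.example/order"
SAMPLE_HTML = (
    '<html><body>'
    '<form action="/cgi/submit"><input name="ccnum"><input name="name"></form>'
    '<form action="https://pay.example/submit"><input name="cardnumber"></form>'
    '</body></html>'
)

# The three header lines quoted in the post.
SAMPLE_HEADERS = (
    "Server: Microsoft-Internet-Information-Server/1.0\n"
    "Content-Type: application/octet-stream\n"
    "did not encodeContent-type: text/html\n"
)

if __name__ == "__main__":
    for finding in insecure_forms(SAMPLE_URL, SAMPLE_HTML):
        print("form submits in the clear:", finding)
    parsed, issues = check_headers(SAMPLE_HEADERS)
    print("parsed headers:", parsed)
    for issue in issues:
        print("header problem:", issue)
```

Run it against a saved copy of the order page and the raw headers captured with any client that shows them; a form flagged as `sensitive` with a `http` scheme is exactly the situation the post describes, regardless of what the page text asserts about encryption.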
