[3123] in WWW Security List Archive
Re: Bloomingdales security?
daemon@ATHENA.MIT.EDU (Mike Bremford)
Tue Oct 1 15:23:45 1996
Date: Tue, 1 Oct 1996 18:15:23 +0100
From: Mike.Bremford@mail.bl.uk (Mike Bremford)
To: "'www-security'" <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
I'd go with that. There is no security at this site whatsoever - if
they're running an HTTP/S server it doesn't live on port 443.
I hope they're smart enough not to deliver my new 3 piece suit to Mr.
Bob Test of London...
Cheers...
Mike "If these are munitions, I hope they never go to war.." Bremford
______________________________ Reply Separator _________________________________
Subject: Bloomingdales security?
Author: "John Lehmann (SSASyd)" <LEHMANNJ@saatchi.com.au> at Internet
Date: 01/10/96 10:33
Well, the bloomingdales site is now online at www.bloomingdales.com
Always interested to see how people are implementing shopping on the web,
I took out my credit card and my modem and nosed around until I found a
nice turquoise "Charisma" towel.
Reassured by the friendly "your Order Form is encrypted using D.E.S and
M.D.5 protocols" I started tapping in my credit card details and poised
with my finger (well - finger substitute, really) over the submit button
(about to increase the foreign debt by $US19.95) until I noticed that the
little key at the bottom left hand corner of the netscape window was
broken. Wondering a little, I had a look at the 'frame info' and found
it a little odd:
"File MIME Type: Currently Unknown
Source: Not cached
...
Security: Status unknown"
Looking back over my trail I decided that there had been no encryption to
this point. (Everything was http:)
I decided to try pretending to be a web-browser, though I'm not very good
at it, and can never remember what headers to supply. At any rate, it
returned the headers:
"Server: Microsoft-Internet-Information-Server/1.0
Content-Type: application/octet-stream
did not encodeContent-type: text/html"
And a bunch of text/html.
Can anyone else find any security at this site? Anyone care to take the
experiment all the way and plug in their credit-card details? Did I miss
something or is this one of the most hopeful examples of
'security-by-assertion' I have ever seen?
--
John 'perhaps it's because I live in australia and cryptography is a
munition' Lehmann
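The two messages above boil down to three checks a reader can repeat against any shopping site: does the order form actually submit to an https: URL (the browser's key icon only reflects the page you are on, not where the form posts), does the server answer a TLS handshake on port 443 at all, and do the response headers look sane. The script below is an added example, not code from either poster; the hostnames under example.test and the HTML page are constructed, and SAMPLE_HEAD is modelled on the header lines John quoted, including the mangled "did not encodeContent-type" line, which a strict parser should flag as a malformed header rather than treat as a second Content-Type.

```python
import re
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# RFC 7230 "token" characters; a header name containing anything else
# (spaces, for instance) is a malformed header line.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class _FormActionCollector(HTMLParser):
    """Collect the raw action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_form_targets(page_url, html):
    """Resolve each form's submit URL against the page URL and say whether the
    submission would travel over https. A form with no action posts back to
    the page itself, so the page's own scheme decides in that case."""
    collector = _FormActionCollector()
    collector.feed(html)
    report = []
    for action in collector.actions:
        target = urljoin(page_url, action)
        report.append({"action": target,
                       "encrypted": urlsplit(target).scheme.lower() == "https"})
    return report


def check_headers(raw_response_head):
    """Parse the head of an HTTP response; record the Server value, every
    well-formed Content-Type, and the names of any malformed header lines."""
    lines = raw_response_head.split("\r\n")
    result = {"status": lines[0], "server": None,
              "content_types": [], "malformed": []}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        name = name.strip()
        if not _TOKEN.match(name):
            result["malformed"].append(name)
            continue
        lname = name.lower()
        if lname == "server":
            result["server"] = value.strip()
        elif lname == "content-type":
            result["content_types"].append(value.strip())
    return result


def tls_listening(host, port=443, timeout=5):
    """Return True if a TLS handshake with host:port succeeds (needs network;
    not exercised by the offline sample run below)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


# Constructed sample input: an http: order page whose first form posts in the
# clear while the second posts to an https: endpoint.
PAGE_URL = "http://shop.example.test/order.html"
SAMPLE_HTML = """<html><body>
<p>Your Order Form is encrypted using D.E.S and M.D.5 protocols</p>
<form action="/cgi-bin/order.exe" method="post">
  <input name="card" type="text"><input type="submit" value="Order">
</form>
<form action="https://secure.example.test/order" method="post">
  <input name="card" type="text"><input type="submit" value="Order">
</form>
</body></html>"""

# Constructed response head modelled on the header lines quoted in the post.
SAMPLE_HEAD = ("HTTP/1.0 200 OK\r\n"
               "Server: Microsoft-Internet-Information-Server/1.0\r\n"
               "Content-Type: application/octet-stream\r\n"
               "did not encodeContent-type: text/html\r\n"
               "\r\n")

if __name__ == "__main__":
    for entry in audit_form_targets(PAGE_URL, SAMPLE_HTML):
        print(("ENCRYPTED  " if entry["encrypted"] else "CLEARTEXT  ") + entry["action"])
    print(check_headers(SAMPLE_HEAD))
```

Run against the sample, the first form is reported as CLEARTEXT and the second as ENCRYPTED, and the header check lists "did not encodeContent-type" under malformed while keeping only application/octet-stream as a genuine Content-Type, which is itself a warning sign for a page the server claims is HTML. Replace PAGE_URL and the sample strings with a fetched page and its raw response head to audit a live site; tls_listening(host) answers Mike's point about whether anything speaks TLS on 443.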