[3124] in WWW Security List Archive
Re: Bloomingdales security?
daemon@ATHENA.MIT.EDU (David W. Morris)
Tue Oct 1 17:38:13 1996
Date: Tue, 1 Oct 1996 12:33:25 -0700 (PDT)
From: "David W. Morris" <dwm@xpasc.com>
To: "John Lehmann (SSASyd)" <LEHMANNJ@saatchi.com.au>
cc: "'www-security'" <www-security@ns2.rutgers.edu>
In-Reply-To: <3250671A@smtp.saatchi.com.au>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 1 Oct 1996, John Lehmann (SSASyd) wrote:
> Reassured by the friendly "your Order Form is encrypted using D.E.S and
> M.D.5 protocols" I started tapping in my credit card details and poised
> with my finger (well - finger substitute, really) over the submit button
Well, to be sure they aren't lying, you must examine the HTML and
the action attribute on the <form> element. That is the point
where they could switch to https: and hence be telling the truth.
I encountered similar lies and because I had to complete
the transaction proved w/o a doubt that www.software.net(com?)
has similar statements which may not be true. They WERE NOT true
when I made the purchase. Later I tried from outside of the
firewall and found they had activated security. I think they
are looking at the UA field and other information and sometimes
switching to https: when they think it will work.
**BUT** that is no excuse for not removing the
"this is secure" from the page when it isn't.
Dave Morris
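
The check described in the message above (read the action attribute on each <form> element to see where the data will actually be sent), as an added example that is not part of the original post. The page URL and HTML are constructed samples, and `FormActionAuditor` and `audit_forms` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionAuditor(HTMLParser):
    """Collect the absolute URL each <form> on a page will submit to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url   # replaced by the first <base href>, if any
        self.base_seen = False
        self.raw_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and not self.base_seen and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
            self.base_seen = True
        elif tag == "form":
            self.raw_actions.append((attrs.get("action") or "").strip())

    def targets(self):
        # A missing or empty action submits back to the page's own URL;
        # anything else is resolved against the document base URL.
        return [urljoin(self.base_url, a) if a else self.page_url
                for a in self.raw_actions]


def audit_forms(page_url, html):
    """Return [(target_url, is_https)] for every form in the page."""
    parser = FormActionAuditor(page_url)
    parser.feed(html)
    parser.close()
    return [(t, urlsplit(t).scheme.lower() == "https") for t in parser.targets()]


# Constructed sample page (not taken from any real site).
SAMPLE_URL = "http://shop.example/order.html"
SAMPLE_HTML = """
<p>Your Order Form is encrypted.</p>
<form method="post" action="/cgi-bin/order"><input name="card"></form>
<form method="post" action="https://secure.shop.example/cgi-bin/order"></form>
<form method="post"><input name="card"></form>
"""

if __name__ == "__main__":
    for target, ok in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print("https    " if ok else "CLEARTEXT", target)
```

Only the second form in the sample posts over https; the relative and missing actions inherit the http scheme of the page they were served from, whatever the page text claims.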