[3131] in WWW Security List Archive
Re: Bloomingdales security?
daemon@ATHENA.MIT.EDU (David W. Morris)
Wed Oct 2 14:56:53 1996
Date: Wed, 2 Oct 1996 09:44:13 -0700 (PDT)
From: "David W. Morris" <dwm@xpasc.com>
To: Chad Schieken <cschieke@advsys.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199610021218.IAA10639@sting.advsys.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 2 Oct 1996, Chad Schieken wrote:
> > On Tue, 1 Oct 1996, John Lehmann (SSASyd) wrote:
> >
> > > Reassured by the friendly "your Order Form is encrypted using D.E.S and
> > > M.D.5 protocols" I started tapping in my credit card details and poised
> > > with my finger (well - finger substitute, really) over the submit button
> >
> > Well, to be sure they aren't lying, you must examine the HTML and
> > the action attribute on the <form> element. That is the point
> > where they could switch to https: and hence be telling the truth.
> > Dave Morris
>
> Well I checked and how does this look:
> <FORM METHOD=POST ACTION="/scripts/order.exe">
Like you can't trust Bloomingdales ... with all this stimulation I decided
to look myself and run some traces while I was looking (unrelated to
security but I'll never visit them again .. I hate all the animation
and the performance over my 2B ISDN hook-up was awful -- I wonder who
they think is going to use this service). Then for grins, I asked
Netscape (2.02) for document info. Without a doubt, there is no
security.
Dave Morris
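
The check discussed in this thread (read the `<form>` action and see which scheme the submission will use), as an added example that is not part of the original messages: a Python sketch that resolves each form's action against the page URL, honouring `<base href>`, and reports whether the submission goes out over https. The host `shop.example` and the page URL are constructed; only the `<FORM>` tag comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> (method, action) and the first <base href>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.base_href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "base" and self.base_href is None and a.get("href"):
            self.base_href = a["href"]
        elif tag == "form":
            self.forms.append(((a.get("method") or "GET").upper(),
                               a.get("action") or ""))


def audit_forms(page_url, html):
    """Return, per form, the absolute submit target and whether it is https."""
    collector = FormCollector()
    collector.feed(html)
    # Relative actions resolve against <base href> if present, else the page.
    base = urljoin(page_url, collector.base_href or "")
    report = []
    for method, action in collector.forms:
        # An empty or missing action submits back to the page's own URL.
        target = urljoin(base, action) if action else page_url
        report.append({
            "method": method,
            "target": target,
            "encrypted": urlsplit(target).scheme.lower() == "https",
        })
    return report


# Constructed sample: the <FORM> tag quoted in the thread, on a made-up host.
THREAD_FORM = '<FORM METHOD=POST ACTION="/scripts/order.exe">'

if __name__ == "__main__":
    for row in audit_forms("http://shop.example/order.html", THREAD_FORM):
        print(row)
```

A relative action such as the one quoted inherits the scheme of the page that served the form, so on an http: page it posts in the clear.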