[3133] in WWW Security List Archive


Re: Bloomingdales security?

daemon@ATHENA.MIT.EDU (Anthony R. Plastino III)
Thu Oct 3 14:16:35 1996

Date: Thu, 03 Oct 1996 08:29:47 -0700
To: www-security@ns2.rutgers.edu
From: "Anthony R. Plastino III" <tony.plastino@CyberSAFE.COM>
Errors-To: owner-www-security@ns2.rutgers.edu

At 08:20 AM 10/2/96 -0400, Chad Schieken wrote:
>
>> On Tue, 1 Oct 1996, John Lehmann (SSASyd) wrote:
>> 
>> > Reassured by the friendly "your Order Form is encrypted using D.E.S and
>> > M.D.5 protocols" I started tapping in my credit card details and poised
>> > with my finger (well - finger substitute, really) over the submit button
>> 
>> Well, to be sure they aren't lying, you must examine the HTML and
>> the action attribute on the <form> element. That is the point 
>> where they could switch to https: and hence be telling the truth.
>> Dave Morris
>
>Well I checked and how does this look:
><FORM METHOD=POST ACTION="/scripts/order.exe">


Even if this POST action were able to encrypt the number, you are sending it
in the clear to the executable on the server anyway, so where is the
security?  The object of securing HTTP is to encrypt all transactions
between host and client.  They should really fix their page.

Anthony R. Plastino III - Systems Administrator
CyberSafe Corporation   - tony.plastino@CyberSafe.COM
1605 NW Sammamish Rd.   - http://www.cybersafe.com
Issaquah, WA  98027     -
=====================================================
Mine are _not_ the opinions of my employer.
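The check the thread describes (look at the action attribute of the <form> and see whether it resolves to an https: URL) can be automated. The script below is an added example for this archive page, not code from any poster; it resolves each form's action against the page URL the way a browser does, so a relative action such as "/scripts/order.exe" on an http: page is reported as a cleartext submission, and it also catches the reverse case of an https: page whose form posts to an absolute http: URL. The page URL and HTML are constructed sample input, not the merchant site discussed above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the method and action attribute of every <form> element."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <FORM METHOD=POST ACTION=...>
        # arrives here as ("form", [("method", "POST"), ("action", "...")]).
        if tag == "form":
            a = {name: (value or "") for name, value in attrs}
            self.forms.append({"method": a.get("method", "get").upper(),
                               "action": a.get("action", "")})


def audit_form_actions(page_url, html):
    """Return one record per form: where it submits and whether that target is HTTPS.

    The action is resolved relative to the page URL exactly as a browser would,
    so a relative action inherits the page's scheme: on an http:// page the form
    submits in the clear no matter what the page text claims about encryption.
    """
    parser = FormActionCollector()
    parser.feed(html)
    results = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # empty action -> the page itself
        scheme = urlsplit(target).scheme.lower()
        results.append({
            "method": form["method"],
            "action": form["action"],
            "submits_to": target,
            "encrypted": scheme == "https",
        })
    return results


# Constructed sample input (hypothetical host; not the site from the thread).
SAMPLE_PAGE_URL = "http://www.example.test/order.html"
SAMPLE_HTML = """
<html><body>
<p>Your Order Form is encrypted using D.E.S and M.D.5 protocols</p>
<FORM METHOD=POST ACTION="/scripts/order.exe">
  <input name="cardnumber"><input type=submit>
</FORM>
<form method="post" action="https://secure.example.test/cgi-bin/order">
  <input name="cardnumber"><input type=submit>
</form>
</body></html>
"""


def insecure_forms(page_url=SAMPLE_PAGE_URL, html=SAMPLE_HTML):
    """Forms whose resolved submission target is not https."""
    return [r for r in audit_form_actions(page_url, html) if not r["encrypted"]]


if __name__ == "__main__":
    for r in audit_form_actions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "OK (https)" if r["encrypted"] else "CLEARTEXT"
        print(f'{r["method"]} {r["action"]!r} -> {r["submits_to"]} : {status}')
```

Run it against the HTML you fetched along with the URL you fetched it from; the first sample form is flagged as cleartext and the second passes. The check only says where the bytes go on the wire; it cannot tell you what the server executable does with the card number once it arrives.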