[3135] in WWW Security List Archive
Re: Bloomingdales security?
daemon@ATHENA.MIT.EDU (Gary F. Ellison)
Thu Oct 3 16:40:58 1996
Date: Thu, 3 Oct 1996 14:22:58 -0400
From: "Gary F. Ellison" <gary.f.ellison@att.com>
To: "Anthony R. Plastino III" <tony.plastino@CyberSAFE.COM>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <2.2.32.19961003152947.00a7d260@pop-srvr>
Reply-To: gary.f.ellison@att.com
Errors-To: owner-www-security@ns2.rutgers.edu
>>>>> "Anthony" == Anthony R Plastino <tony.plastino@CyberSAFE.COM> writes:
Anthony> At 08:20 AM 10/2/96 -0400, Chad Schieken wrote:
>>
>>> On Tue, 1 Oct 1996, John Lehmann (SSASyd) wrote:
>>>
>>> > Reassured by the friendly "your Order Form is encrypted using
>>> > D.E.S and M.D.5 protocols" I started tapping in my credit card
>>> > details and poised with my finger (well - finger substitute,
>>> > really) over the submit button
>>>
>>> Well, to be sure they aren't lying, you must examine the HTML and
>>> the action attribute on the <form> element. That is the point
>>> where they could switch to https: and hence be telling the truth.
>>> Dave Morris
>> Well I checked and how does this look: <FORM METHOD=POST
>> ACTION="/scripts/order.exe">
Anthony> even if this post action was able to encrypt the number, you
Anthony> are sending it in the clear to the executable on the server
Anthony> anyway, so where is the security?
bzzzt. if the markup for the form tag was
<form method=post action="https://www.bloomingdales.com/scripts/order.exe">
the data would be encrypted in transit to the http server.
Anthony> Anthony R. Plastino III - Systems Administrator CyberSafe
Anthony> Corporation - tony.plastino@CyberSafe.COM 1605 NW Sammamish
Anthony> Rd. - http://www.cybersafe.com Issaquah, WA 98027 -
Anthony> ===================================================== Mine
Anthony> are _not_ the opinions of my employer.
--
mailto:gary.f.ellison@att.com http://www.att.com/homes/gary_ellison/
"... human programmers aren't Turing machines -- and the less their
programming systems require Turing machine techniques
the better." - Alan Kay
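
The check discussed in this thread, as an added example that is not part of the original message: a relative action such as "/scripts/order.exe" inherits the scheme of the page that served the form, so the answer depends on how the page itself was fetched. The host shop.example, the function audit_forms and the record field names are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Resolve every <form> action the way a browser would on submit."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url  # replaced if the page carries <base href>
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
        elif tag == "form":
            action = (attrs.get("action") or "").strip()
            # A missing or empty action submits back to the page's own URL.
            target = urljoin(self.base_url, action) if action else self.page_url
            self.forms.append({
                "method": (attrs.get("method") or "get").lower(),
                "target": target,
                "submit_encrypted": urlsplit(target).scheme == "https",
                "page_encrypted": urlsplit(self.page_url).scheme == "https",
            })


def audit_forms(page_url, html):
    """Return one record per form found in html, as fetched from page_url."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return auditor.forms


# Constructed inputs: the tags follow the thread, the host is a placeholder.
RELATIVE_FORM = '<FORM METHOD=POST ACTION="/scripts/order.exe">'
ABSOLUTE_FORM = '<form method=post action="https://shop.example/scripts/order.exe">'

if __name__ == "__main__":
    for page, html in [
        ("http://shop.example/order.html", RELATIVE_FORM),
        ("https://shop.example/order.html", RELATIVE_FORM),
        ("http://shop.example/order.html", ABSOLUTE_FORM),
    ]:
        for form in audit_forms(page, html):
            print(page, "->", form["target"], form["submit_encrypted"])
```

A record with submit_encrypted true and page_encrypted false means the submitted data is encrypted in transit, but the form page itself arrived over plain http and could have been altered before the submit.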