[3137] in WWW Security List Archive
RE: Bloomingdales security?
daemon@ATHENA.MIT.EDU (John Lehmann (SSASyd))
Fri Oct 4 02:30:36 1996
From: "John Lehmann (SSASyd)" <LEHMANNJ@saatchi.com.au>
To: "'www-security'" <www-security@ns2.rutgers.edu>
Date: Fri, 04 Oct 96 14:04:00 S
Errors-To: owner-www-security@ns2.rutgers.edu
Anthony R. Plastino III wrote:
>At 08:20 AM 10/2/96 -0400, Chad Schieken wrote:
>>
>>> On Tue, 1 Oct 1996, John Lehmann (SSASyd) wrote:
>>>
>>> > Reassured by the friendly "your Order Form is encrypted using D.E.S and
>>> > M.D.5 protocols" I started tapping in my credit card details and poised
>>> > with my finger (well - finger substitute, really) over the submit button
>>>
>>> Well, to be sure they aren't lying, you must examine the HTML and
>>> the action attribute on the <form> element. That is the point
>>> where they could switch to https: and hence be telling the truth.
>>> Dave Morris
>>
>>Well I checked and how does this look:
>><FORM METHOD=POST ACTION="/scripts/order.exe">
>
>even if this post action was able to encrypt the number, you are sending it
>in the clear to the executable on the server anyway, so where is the
>security? The object of securing http is to encrypt all transactions
>between host/client. They should really fix their page.
>
It's fixed, in a manner of speaking... the order section has been
replaced by the notice:
"Soon, we will be able to accept your order electronically
using a completely secure transaction system. We are putting the
finishing touches on this system, and it will be ready shortly."
I suppose the DES and MD5 protocols weren't good enough ;)
--
John Lehmann
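The check Dave Morris describes above (inspect each form's ACTION attribute and see whether the submission actually goes over https) as an added example script that is not part of this thread; the page URL, hostnames and the sample HTML are constructed, with the thread's own `<FORM METHOD=POST ACTION="/scripts/order.exe">` included as one of the inputs:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collects the METHOD and ACTION of every <form> element in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":          # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        # A missing ACTION submits back to the page's own URL; a missing METHOD is GET.
        self.forms.append((a.get("method", "get").upper(), a.get("action", "")))


def audit_forms(page_url, html):
    """Return (method, resolved_action_url, submits_over_tls) for each form.

    A relative ACTION inherits the scheme of the page it sits on, so a form on
    an http:// page with ACTION="/scripts/order.exe" posts in the clear no
    matter what the page text claims about encryption.  Note that an https
    ACTION on a page that was itself fetched over plain http is still weak:
    the page (and its ACTION) can be altered in transit before the user submits.
    """
    parser = FormActionCollector()
    parser.feed(html)
    results = []
    for method, action in parser.forms:
        target = urljoin(page_url, action)
        results.append((method, target, urlsplit(target).scheme == "https"))
    return results


# Constructed sample page: the ACTION quoted in the thread, plus two others.
SAMPLE_HTML = """
<html><body>
<p>Your Order Form is encrypted using D.E.S and M.D.5 protocols</p>
<FORM METHOD=POST ACTION="/scripts/order.exe"> ... </FORM>
<form method="post" action="https://orders.example.invalid/cgi-bin/order"> ... </form>
<form action="search.cgi"> ... </form>
</body></html>
"""

if __name__ == "__main__":
    for method, target, tls in audit_forms("http://www.example.invalid/order.html", SAMPLE_HTML):
        status = "ok (https)" if tls else "WARNING: submitted in the clear"
        print(f"{method:5} {target:50} {status}")
```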