[3139] in WWW Security List Archive
Re: Bloomingdales security?
daemon@ATHENA.MIT.EDU (Ben Camp)
Fri Oct 4 16:02:40 1996
Date: Fri, 04 Oct 1996 12:54:46 -0500
To: gary.f.ellison@att.com,
"Anthony R. Plastino III" <tony.plastino@CyberSAFE.COM>
From: Ben Camp <benc@geocel.com>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Who buys from Bloomingdales on the Web anyway?
At 02:22 PM 10/3/96 -0400, Gary F. Ellison wrote:
>>>>>> "Anthony" == Anthony R Plastino <tony.plastino@CyberSAFE.COM> writes:
>
>Anthony> At 08:20 AM 10/2/96 -0400, Chad Schieken wrote:
>>>
>>>> On Tue, 1 Oct 1996, John Lehmann (SSASyd) wrote:
>>>>
>>>> > Reassured by the friendly "your Order Form is encrypted using
>>>> > D.E.S and M.D.5 protocols" I started tapping in my credit card
>>>> > details and poised with my finger (well - finger substitute,
>>>> > really) over the submit button
>>>>
>>>> Well, to be sure they aren't lying, you must examine the HTML and
>>>> the action attribute on the <form> element. That is the point
>>>> where they could switch to https: and hence be telling the truth.
>>>> Dave Morris
>>> Well I checked and how does this look: <FORM METHOD=POST
>>> ACTION="/scripts/order.exe">
>
>
>Anthony> even if this post action was able to encrypt the number, you
>Anthony> are sending it in the clear to the executable on the server
>Anthony> anyway, so where is the security?
>
>bzzzt. if the markup for the form tag was
>
> <form method=post action="https://www.bloomingdales.com/scripts/order.exe">
>
>the data would be encrypted in transit to the http server.
>
>
>
>Anthony> Anthony R. Plastino III - Systems Administrator CyberSafe
>Anthony> Corporation - tony.plastino@CyberSafe.COM 1605 NW Sammamish
>Anthony> Rd. - http://www.cybersafe.com Issaquah, WA 98027 -
>Anthony> ===================================================== Mine
>Anthony> are _not_ the opinions of my employer.
>
>
>
>
>--
>mailto:gary.f.ellison@att.com http://www.att.com/homes/gary_ellison/
>"... human programmers aren't Turing machines -- and the less their
> programming systems require Turing machine techniques
> the better." - Alan Kay
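As an added example (not part of this thread or anyone's post in it), here is the check Dave Morris describes done mechanically: resolve each form's action against the URL of the page that served it and report whether the submission would actually travel over https. It assumes Node.js; the sample markup is constructed from the two form tags quoted above.

```javascript
// Added example, not from the thread. A form's submission is protected in
// transit only if the resolved action URL is https:, regardless of what the
// page text claims about "encryption". Assumes Node.js (global URL class).

const FORM_RE = /<form\b([^>]*)>/gi;
const ACTION_RE = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Resolve every <form> action against the page URL and report its scheme.
function formSubmissionSchemes(html, pageUrl) {
  const results = [];
  for (const match of html.matchAll(FORM_RE)) {
    const attrs = match[1];
    const a = attrs.match(ACTION_RE);
    // A missing action submits back to the page URL itself.
    const rawAction = a ? (a[1] ?? a[2] ?? a[3]) : '';
    // Relative actions inherit the scheme of the page that served the form.
    const resolved = new URL(rawAction, pageUrl);
    results.push({
      action: rawAction,
      resolved: resolved.href,
      encryptedInTransit: resolved.protocol === 'https:',
    });
  }
  return results;
}

// Constructed sample modelled on the two form tags quoted in the thread.
const SAMPLE_HTML = `
<FORM METHOD=POST ACTION="/scripts/order.exe">
<form method=post action="https://www.bloomingdales.com/scripts/order.exe">
`;

// Served over plain http, the relative action stays on http; the absolute
// https action is encrypted in transit either way.
console.log(formSubmissionSchemes(SAMPLE_HTML, 'http://www.bloomingdales.com/order.html'));
```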