[3140] in WWW Security List Archive
Re: Bloomingdales security?
daemon@ATHENA.MIT.EDU (David W. Morris)
Fri Oct 4 16:02:41 1996
Date: Fri, 4 Oct 1996 10:25:09 -0700 (PDT)
From: "David W. Morris" <dwm@xpasc.com>
To: "Anthony R. Plastino III" <tony.plastino@CyberSAFE.COM>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <2.2.32.19961003152947.00a7d260@pop-srvr>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 3 Oct 1996, Anthony R. Plastino III wrote:
> >Well I checked and how does this look:
> ><FORM METHOD=POST ACTION="/scripts/order.exe">
>
> even if this post action was able to encrypt the number, you are sending it
> in the clear to the executable on the server anyway, so where is the
> security? The object of securing http is to encrypt all transactions
> between host/client. They should really fix their page.
>
> Anthony R. Plastino III - Systems Administrator
> CyberSafe Corporation - tony.plastino@CyberSafe.COM
> 1605 NW Sammamish Rd. - http://www.cybersafe.com
> Issaquah, WA 98027 -
> =====================================================
> Mine are _not_ the opinions of my employer.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I also hope they don't pay for your knowledge about how security works
with HTTPS and SHTTP. As someone else has already noted, if the
form action had been https:// ... the data transfer would have been
encrypted. Which was why I originally pointed out that we needed to
know the actual FORM action URL to know if Bloomingdales was lying.
They were.
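The point of the exchange is that whether a form submission is encrypted depends on the scheme of the resolved action URL, not on the page's claims: a relative action such as `/scripts/order.exe` inherits the scheme of the page that served it, so on a plain `http://` page the order data goes out in the clear. The following Python script is an added example (not code from this thread or from any of its participants) that audits the forms in a page and reports, per form, the resolved action URL and whether it is HTTPS. The host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (method, action) pairs from every <form> element in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        # HTML defaults a form's method to GET when the attribute is absent.
        self.forms.append((attr.get("method", "GET").upper(), attr.get("action", "")))


def audit_forms(page_url, html):
    """Return one dict per form with its resolved action URL and whether the
    submission would travel over TLS.

    A relative action ("/scripts/order.exe") resolves against the page URL and
    so inherits the page's scheme; an absolute "https://..." action is
    encrypted regardless of how the page itself was fetched.
    """
    collector = _FormCollector()
    collector.feed(html)
    results = []
    for method, action in collector.forms:
        # An empty action submits back to the page URL itself.
        resolved = urljoin(page_url, action)
        scheme = urlsplit(resolved).scheme.lower()
        results.append({
            "method": method,
            "action": action,
            "resolved": resolved,
            "encrypted": scheme == "https",
        })
    return results


# Constructed sample page: one form with a relative action (as in the thread)
# and one with an absolute HTTPS action, for contrast.
SAMPLE_HTML = """
<html><body>
<FORM METHOD=POST ACTION="/scripts/order.exe">
  <input name="cardnumber"><input type="submit">
</FORM>
<form method="post" action="https://secure.shop.example/cgi/order">
  <input name="cardnumber"><input type="submit">
</form>
</body></html>
"""


def report(page_url, html=SAMPLE_HTML):
    """Print a one-line verdict per form for the page served at page_url."""
    for f in audit_forms(page_url, html):
        verdict = "encrypted" if f["encrypted"] else "IN THE CLEAR"
        print(f"{f['method']:4} {f['resolved']:45} -> {verdict}")


if __name__ == "__main__":
    # Same HTML, two different page URLs: the relative action flips verdict.
    report("http://www.shop.example/order.html")
    report("https://www.shop.example/order.html")
```

Running the block shows the relative-action form reported as "IN THE CLEAR" when the page URL is `http://` and as "encrypted" when it is `https://`, while the absolute HTTPS action is encrypted in both cases. Note that an HTTPS action on a page fetched over plain HTTP still leaves the page itself unauthenticated in transit, so the only configuration a reviewer should accept is an HTTPS page posting to an HTTPS action.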