1996-08-01 - Security of Web registration of Lview Pro

Header Data

From: Andrew Meredith <meredith@ecid.cig.mot.com>
To: leonardo@lview.com
Message Hash: 17e0aeda8931bb18de868dd72cc83d36f0a04d0284003c6236a43d3f47b3d7ae
Message ID: <32008FD6.9A5@ecid.cig.mot.com>
Reply To: N/A
UTC Datetime: 1996-08-01 13:51:29 UTC
Raw Date: Thu, 1 Aug 1996 21:51:29 +0800

Raw message

From: Andrew Meredith <meredith@ecid.cig.mot.com>
Date: Thu, 1 Aug 1996 21:51:29 +0800
To: leonardo@lview.com
Subject: Security of Web registration of Lview Pro
Message-ID: <32008FD6.9A5@ecid.cig.mot.com>
MIME-Version: 1.0
Content-Type: text/plain


Dear Sirs,

I was happy to find that you have put up an SSL form through which one
can register Lview Pro. I filled it in and pressed the button. My
browser then warned me that although the form was sent to me securely,
the data I was sending back was in the clear!

I had a look at the page source for:

  https://commerce.mindspring.com/www.lview.com/iregform.htm

and there is was:

<FORM METHOD="POST"
ACTION="http://www.std.com/Newbury/leonardo/cgi-bin/fp.exe"><P>
        ^^^^

Therefore the only thing protected by this "Secure Form" is the original
text of the form, rather than the credit card details. I know that:

    "If using an SSL Web browser such as Netscape or Microsoft
     Explorer, please click here to access a secure document."

doesn't actually *say* that your customers card details are secure, but
at first glance it sounded like it to me.

Whatever others may think about the rights and wrongs of it, my personal
policy is not to commit credit card details to open networks, unless
under strong encryption.

I look forward to your comments.

Andy Meredith





Thread