Re: FW: aa.com not encrypting customer transaction data (KMM508728C0KM)

From: AA Webmaster (webmaster@aa.com)
Date: 09/18/01


Message-Id: <200109181235.HAA23421@aa-mail.im.aa.com>
Date: Tue, 18 Sep 2001 07:41:33 -0500
To: Devi Batlanki <dbatlanki@XCEED.com>, Chris Fairbourne <chris.fairbourne@camsystems.com>, <bugtraq@securityfocus.com>
Subject: Re: FW: aa.com not encrypting customer transaction data  (KMM508728C0KM)
From: AA Webmaster <webmaster@aa.com>

Hello Devi and Chris,

Thank you for your interest in the American Airlines web site and the
security we use to transfer confidential customer information.

Most browsers indicate that a page is secure by one or more of the
following methods:

- A picture of a key on the status bar. The key may appear to be broken
when the page is not secure.
- A picture of a padlock on the status bar. If the padlock is closed,
the page is secure. If the padlock is open, it is not secure.
- A blue line across the top of the secured page.

** Although all confidential information sent and received at our site
is transferred using Secure Socket Layer (SSL) protocol, your browser
will not display a key, padlock or blue line to indicate that the page
is secure. **

Our site will access secure servers for user confidentiality only when
sensitive information is being transmitted such as site login, user
profile updates, travel planning payment, AAdvantage account
transactions, etc. And, since our site uses frames to display
information, only the frame content which contains confidential
information is secure. Most browsers are unable to detect individual
frames which contain this information, which is the reason your browser
is unable to detect this secure transfer of information.

To prevent unauthorized access, maintain data accuracy, and ensure the
correct use of information, we have put in place appropriate physical,
electronic, and managerial procedures to safeguard and secure the
information we collect online.
                         
We also participate in the Council of Better Business Bureaus'
BBBOnline® Privacy Program, and comply with all the BBBOnline privacy
standards. Further information about this program is available at
http://www.bbbonline.org.

If you wish to automatically be notified when entering or leaving a
secure server at our site, you may modify your browser settings to alert
you when these actions occur. Please contact your Internet Service
Provider or browser manufacturer if you need assistance.

Sincerely,
Melissa Till
AA.com Webmaster Team

Original Message Follows:
-------------------------

-----Original Message-----
From: Dwight Mann
Sent: Monday, September 17, 2001 3:59 PM
To: DFW Technology
Subject: FW: aa.com not encrypting customer transaction data

-----Original Message-----
From: Chris Fairbourne [mailto:chris.fairbourne@camsystems.com]
Sent: Monday, September 17, 2001 12:39 PM
To: 'bugtraq@securityfocus.com'
Subject: aa.com not encrypting customer transaction data

Looks like aa.com (American Airlines) is NOT encrypting customer data for
purchasing e-tickets. Hopefully this isn't still the case by the time this
posts. This holds true for both Advantage login and non-members as well. At
no time did I get a redirect to an SSL server for my session.

Taking a peek at the "Passenger Details" page source, nowhere do you find
"https" or ":443", hmm. Next I make a phony submission and lo and behold
this is what I grabbed: " f o r m % C I _ C r e d i t C a r d T o U s e _ C a r d N u m b e r " v a l u e = " 4 3 2 3 5 0 1 9 8 3 5 1 9 9 9 9 "

I've made several phone calls to aa.com and generated a few e-mails.
I can't convince them I'm wrong, so I bring it to this forum.

 

Chris Fairbourne
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371E73BB
fingerprint: 7AE3DCC82215697A0C3F61C4968FCFDB371E73BB
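A defender-side check for the kind of finding reported above, as an added example that is not part of this thread and not aa.com's code: it parses a page's forms and frames, resolves relative actions and frame sources against the page URL, and flags card-like fields that would be submitted over plain HTTP. Run it against each frame document as well, since the reply claims only the framed content is secure. The field-name heuristic, the sample page and the example.test hostname are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic (an assumption): field names that suggest card or credential data.
SENSITIVE = re.compile(r"card|ccnum|cvv|passw", re.I)


class FormAuditor(HTMLParser):
    """Collect every form (with its input names) and every frame on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []    # [{"action": absolute URL, "fields": [names]}]
        self.frames = []   # absolute URLs of <frame>/<iframe> sources
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the page's own scheme.
            self.forms.append({"action": urljoin(self.page_url, a.get("action") or ""),
                               "fields": []})
            self._in_form = True
        elif tag == "input" and self._in_form and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])
        elif tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit(page_url, html):
    """Return (kind, subject, url) findings: sensitive fields posted over
    cleartext HTTP, and frames whose content is fetched over cleartext HTTP."""
    p = FormAuditor(page_url)
    p.feed(html)
    findings = []
    for f in p.forms:
        if urlsplit(f["action"]).scheme != "https":
            for name in f["fields"]:
                if SENSITIVE.search(name):
                    findings.append(("cleartext-form-field", name, f["action"]))
    for src in p.frames:
        if urlsplit(src).scheme != "https":
            findings.append(("cleartext-frame", src, page_url))
    return findings
```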


