Re: secure without the https???

From: sponge (mtubi@python.net)
Date: 04/06/03 

From: mtubi@python.net (sponge)
Date: Sun, 06 Apr 2003 03:19:36 GMT

On Sat, 5 Apr 2003 15:15:00 +0000 (UTC), "Simon" <sjh@yabadabado.com>
wrote:

>Hi.
>
>Was confused by a site which proposed to offer secure credit card
>transactions.
>
>The page containing the form does not begin https (it merely displayed the
>company's main address beginning http) and the padlock icon (using IE6) does
>not appear - however, when I clicked on the link to retrieve the form page
>the browser showed that I was accessing a secure location (https and padlock
>icon) and this was again displayed when I clicked on the SEND button of the
>form.
>
>So, is this secure or not? In my experience the page I was entering my
>details on always displayed the secure features.
>
>Anyone help me out on this.
>
>Many thanks.

I'm really tempted to go into a long diatribe why you should not have
done this, especially in Internet Explorer, and if you want I will.

More to your point, it's possible you did not see the SSL page after
placing your order because the order page redirected to a plain HTTP
page. Most of these are 'Thank you for buying from us' pages. As long
as the 'thank you' page did not contain any sensitive info, like your
name or credit card number, you're probably okay. If not, then it was
a severe security breach.

Secure pages (SSL) presents something of a false sense of security; it
will do absolutely nothing to protect you against spyware or the like,
who'se purpose is to grab info *BEFORE* it gets encrypted and sent out
over the Internet. SSL only gives you protection against sensitive
data being read in transit. It's still useful for some things, but the
move by hackers and spyware makers towards placing malicious code on
consumer's computers mostly nullifies the usefulness of SSL.

Sponge
Sponge's Anti-Spyware Page
www.geocities.com/yosponge