Re: Charity site payments - secure or not ?



Kev wrote:
I wanted to donate to a well established and reputable charity using a credit card. I'll not mention the name of the organisation for obvious reasons.

The problem seems to be that although there is a VeriSign logo on the pages, the connection in both IE6 and Firefox 1.5 seems to be a pure HTTP connection and not an HTTPS one. This is reflected in the address bar and there is no padlock.

You picked up on the first hint that the page isn't secure.


This is true on the page where you enter the amount and also on the page where you enter the actual card details.

Again, this is a big clue. Don't enter your information on these sites. The charity (or any organization) needs to ensure that the site is communicating to you that it's secure.


As far as I can tell, this means that the card details would be routed across the internet in an unencrypted format.

That's a perfect assumption.


I've raised this with the organisation, who passed it on to the hosting company. This is what they had to say:

"There are multiple ways to donate as instructed on the page. You can send him an email back saying your web hosting company, XXXXXXXXX, does not host Verisign's online forms. That first page is on our servers (he mentions http://www.xxxxxxxxx.org/donate.html ), after that it goes to VeriSign. If he would place an amount in and continue, he would know. We can add some text that says something along these lines. Please let me know."

This arrangement does not make for good security. We security professionals are trying to raise Information Security awareness and when service providers come up with a solution that counters our efforts, we all lose.

The proper way to implement this solution is to have the information gathering page be secured -- the form itself, not just the submission of the form.

This sort of thing is really starting to be a problem. There are still banks who send out legitimate e-mails requesting users to click on a link. This is what makes phishers successful -- legitimate companies legitimizing a method of usability that the bad guy can then exploit.


If you enter an amount and click the Donate button it takes you to the payment page - which is not showing as HTTPS. Clicking on the VeriSign logo shows the following text:

"Encrypted Data Transmission This Web site can secure your private information using a VeriSign SSL Certificate. Information exchanged with any address beginning with https is encrypted using SSL before transmission. Identity Verified VERISIGN, INC. has been verified as the owner or operator of the Web site located at payments.verisign.com. Official records confirm VERISIGN, INC. as a valid business."

It sounds like they've got implementation problems.

What does anyone think about this? Your reasoning would be good to see as I intend to pass the comments back to the organisation.

Thanks



I think you've answered your own question. If you still want to donate to the company, do so in the old-fashioned way -- pay by check via snail mail.

--
*Adam W. Montville, CISSP*
awm@xxxxxxxxxxxxxxxxxxxxx
*http://www.MontvilleArchives.net*

*ICQ: 271-685-874*
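
An added example, not part of the original message or either poster's code: a Python check for the point made in the reply above, that the page serving the card form must itself be HTTPS, not only the address the form submits to. The host names, the field-name heuristic and the function names are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic field-name hints for card data (an assumption of this example).
SENSITIVE = re.compile(r"card|cc-?num|cvv|cvc|expir", re.I)
# Constructed sample: a card form whose action is HTTPS; the page URL is passed separately.
SAMPLE_FORM = ('<form action="https://payments.example/pay">'
               '<input name="card_number"><input name="cvv"></form>')


class FormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []    # finished forms: action plus a "sensitive" flag
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "sensitive": False}
        elif tag == "input" and self._open is not None:
            hints = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete"))
            if a.get("type", "").lower() == "password" or SENSITIVE.search(hints):
                self._open["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            self.forms.append(self._open)
            self._open = None


def audit_forms(page_url, html):
    """Return a finding for every sensitive form that touches plain HTTP."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in (f for f in collector.forms if f["sensitive"]):
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        problems = []
        if urlsplit(page_url).scheme != "https":
            problems.append("form page served without HTTPS")
        if urlsplit(target).scheme != "https":
            problems.append("form submits without HTTPS")
        if problems:
            findings.append({"target": target, "problems": problems})
    return findings


if __name__ == "__main__":
    print(audit_forms("http://charity.example/donate.html", SAMPLE_FORM))
```

The sample is still flagged even though its action is HTTPS, because a form delivered over plain HTTP can be altered in transit before the visitor ever submits it.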