LISTSERV - HP3000-L Archives

HP3000-L Archives

April 2000, Week 1

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L April 2000, Week 1

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	OT: Watch Out For "Secure" Web Sites
From:	Bruce Toback <[log in to unmask]>
Reply To:	Bruce Toback <[log in to unmask]>
Date:	Wed, 5 Apr 2000 15:42:11 -0700
Content-Type:	text/plain
Parts/Attachments:	text/plain (65 lines)

Hi all,

Something for users of Web commerce solutions, and especially for
implementers:

One of my kids plays chess competitively, which means that I need to sign
him up for tournaments with the tournament director (TD). There's an
entry fee involved. This used to be done over the phone or in person,
with the TD taking the information down by hand, running the credit card
if necessary, and then entering the registration information into his
computer. Since the usual circumstance was that the last hundred entrants
all registered on the last day, this was a bit of work.

Last week, the TD proudly announced that he had a secure web site, and
would we please use that to register because it would save him a lot of
time. I brought up his web site in a browser, and sure enough, that page
was secure. I entered the information and pressed Submit.

This, I found out, causes several things to happen.

1. The server gets the information and runs the credit card
   automatically. (Presumably, the service provider takes
   a cut, then sends the rest of the money to the client --
   in this case, the TD.)

2. The server sends an unencrypted email containing all the
   registration details, including the credit card number,
   to the TD.

3. The TD sends the registrant an unencrypted email acknowledging
   the entry, echoing the credit card number and thanking the
   registrant for using the secure web site to register.

Obviously, the most security was applied in the place that security is
least needed, the milliseconds-long point-to-point communication between
the brower and server. No security at all was applied to anyplace that
the credit card number is stored, which now includes at least the TD's
laptop, and probably a mail server somewhere as well -- not to mention
the backup tapes for that server.

Take-home lessons:

1. Never trust a secure web site unless you know it was set up by
   a competent individual and that the entire site is secure, not
   just the web server.

2. Never set up a secure web site whose sole function is to gather
   data for transmission to an unsecured environment. Even if the
   merchant/user demands it.

"Storefront-in-a-box" does not equal "e-commerce site."

-- Bruce


--------------------------------------------------------------------------
Bruce Toback    Tel: (602) 996-8601| My candle burns at both ends;
OPT, Inc.            (800) 858-4507| It will not last the night;
11801 N. Tatum Blvd. Ste. 142      | But ah, my foes, and oh, my friends -
Phoenix AZ 85028                   | It gives a lovely light.
btoback AT optc.com                |     -- Edna St. Vincent Millay
Mail sent to [log in to unmask] will be inspected for a
fee of US$250. Mailing to said address constitutes agreement to
pay, including collection costs.

ATOM RSS1 RSS2

RAVEN.UTC.EDU