- From: Jon Perkin <jrp@icl.net>
- Date: Mon, 12 May 1997 11:21:51 +0100
- To: www-talk@w3.org
- Cc: webmaster@jasc.com

Dear all,

I hope you can help me convince a webmaster that he has a problem.

Some time ago, I noticed that the 'Secure' Order Form on the JASC Inc. web site (http://www.jasc.com/) has a major security problem. Although the form is accessed via HTTPS, its ACTION is an HTTP server, and therefore people's credit card details are sent unencrypted across the net. The site even instructed customers to ignore the warning message generated by the browser!

I contacted the webmaster (webmaster@jasc.com) to inform him of the problem, but was unable to convince him despite a lengthy exchange of emails and a detailed explanation of the problem. The webmaster kept insisting that the data was secure AFTER it reached them, and couldn't seem to appreciate that the problem was before the form data reached their HTTP server.

I have just noticed that JASC have redesigned their site, including the ordering mechanism, since all this happened. However, the problem still remains.

Perhaps if a few members of this distribution list who have appropriate credentials would also explain the problem to the webmaster, we could prevent further innocent web users from being fooled into submitting their credit card details via unencrypted HTTP.

Regards,
Jon Perkin.

--
JON PERKIN
Internet Site Architect
Multimedia Solutions ICL
Email: jrp@icl.net
Web: http://www.iclnet.co.uk/

Received on Monday, 12 May 1997 08:51:35 UTC
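
The condition described in the message above (a form served over HTTPS whose ACTION posts to plain HTTP) can be checked mechanically. The following is an added example, not part of the original message or of the site it discusses: the function names, the `example.com` hosts and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and method, plus the first <base href>."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "form":
            method = (a.get("method") or "get").lower()
            self.forms.append((a.get("action") or "", method))


def insecure_form_targets(page_url, html):
    """Return [(method, resolved_action)] for forms on an HTTPS page
    whose submission would travel over unencrypted HTTP."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []  # only the HTTPS-page / HTTP-action mismatch is checked here
    collector = _FormCollector()
    collector.feed(html)
    # Relative actions resolve against <base href> when one is present.
    base = urljoin(page_url, collector.base_href) if collector.base_href else page_url
    findings = []
    for action, method in collector.forms:
        # An empty action submits back to the page's own URL.
        target = urljoin(base, action) if action else page_url
        if urlsplit(target).scheme.lower() == "http":
            findings.append((method, target))
    return findings


# Constructed sample page: only the first form leaves the encrypted channel.
SAMPLE_PAGE = """
<form method="POST" action="http://orders.example.com/cgi-bin/order"></form>
<form action="/search"></form>
<form method="post" action="//orders.example.com/cgi-bin/order"></form>
"""

if __name__ == "__main__":
    for method, target in insecure_form_targets(
            "https://www.example.com/secure/order.html", SAMPLE_PAGE):
        print(f"{method.upper()} submits in the clear to {target}")
```

Relative and scheme-relative actions inherit the page's HTTPS scheme and are not reported, while an `http://` `<base href>` turns every relative action into a finding.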