Dear all,

I hope you can help me convince a webmaster that he has a problem.

Some time ago, I noticed that the 'Secure' Order Form on the JASC
Inc. web site (http://www.jasc.com/) has a major security problem.
Although the form is accessed via HTTPS, its ACTION is an HTTP
server, and therefore people's credit card details are sent
unencrypted across the net. The site even instructed customers to
ignore the warning message generated by the browser!

I contacted the webmaster (webmaster@jasc.com) to inform him of the
problem, but was unable to convince him despite a lengthy exchange
of emails and a detailed explanation of the problem. The webmaster
kept insisting that the data was secure AFTER it reached them, and
couldn't seem to appreciate that the problem was before the form
data reached their HTTP server.

I have just noticed that JASC have redesigned their site, including
the ordering mechanism, since all this happened. However, the
problem still remains.

Perhaps if a few members of this distribution list who have
appropriate credentials would also explain the problem to the
webmaster, we could prevent further innocent web users from being
fooled into submitting their credit card details via unencrypted

Jon Perkin.
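The defect described in the post above (a form served over HTTPS whose ACTION points at a plain-HTTP server) can be checked for mechanically. The following is an added example, not part of the original post; the page URL and markup are constructed, not the real site's.

```python
# Added example (not from the original post): flag HTML forms whose ACTION
# would downgrade an HTTPS page to plain HTTP, the defect described above.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the ACTION attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_targets(page_url, html):
    """Return resolved action URLs that would send form fields over HTTP
    (relative and scheme-relative actions are resolved against page_url)."""
    parser = FormActionCollector()
    parser.feed(html)
    parser.close()
    if urlsplit(page_url).scheme != "https":
        return []  # nothing to downgrade from
    return [
        urljoin(page_url, action)
        for action in parser.actions
        if urlsplit(urljoin(page_url, action)).scheme == "http"
    ]


# Constructed sample (not the real site's markup): one form posts to an HTTP
# host, one is relative, one is explicitly HTTPS, one has no action at all.
SAMPLE_PAGE_URL = "https://shop.example.test/order.html"
SAMPLE_HTML = """<html><body>
<form method="post" action="http://orders.example.test/cgi-bin/order.cgi">
  <input name="cardnumber"></form>
<form method="post" action="/cgi-bin/confirm.cgi"></form>
<form method="post" action="https://shop.example.test/cgi-bin/pay.cgi"></form>
<form method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for url in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits over plain HTTP:", url)
```

Only the first form is reported: the relative, scheme-relative and empty actions all inherit the page's HTTPS scheme, so the browser warning the site told customers to ignore is exactly the signal this check reproduces.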

