security on the web from Sarra Mossoff on 1997-05-12 (www-talk@w3.org from May to June 1997)

From: Sarra Mossoff <sarra@smallworld.com>
Date: Mon, 12 May 1997 11:59:10 -0400
To: www-talk@w3.org
Message-Id: <v03102805af9cea5be60d@[207.87.104.26]>
Jon Perkin recently wrote:

>Some time ago, I noticed that the 'Secure' Order Form on the JASC
>Inc. web site (http://www.jasc.com/) has a major security problem.
>Although the form is accessed via HTTPS, its ACTION is an HTTP
>server, and therefore people's credit card details are sent
>unencrypted across the net.

This may be a problem for this particular site, as they tell visitors that
any information is being sent safely.  But I have a more general query for
anyone who cares to respond.

It is my understanding that concerns about security on the web are much
exaggerated.  Think of all the people who feel comfortable giving their
credit card number over the phone -- even cordless phones.  This method of
transmission can be intercepted by just about anyone willing to invest a
small amount of money in the necessary technology.

Intercepting a credit card number that has been sent over the phone lines
via a web connection is, in contrast, nearly impossible.  You'd need a
wealth of computer knowledge and very expensive technology to get and read
the data packets, and then there's the issue of getting just the right data
packets -- the ones containing credit card numbers.  It seems almost silly
when you think that all anyone really interested in getting a credit card
number needs to do is just go through the trash behind a restaurant or
department store.

Recently, IBM has been running a television ad where a yuppie's friends are
giving him a really hard time about buying golf clubs off the web because
of the risk of credit card fraud.  IBM of course, then says it can make
internet commerce safe through encryption.

I see a "scare tactic" -- the vast majority of people are afraid of
internet commerce, and ads like this certainly don't help.  I think
educated computer folks should do what we can to let people know that
internet commerce is as safe as anything other kind of purchasing, and
maybe safer than giving credit card numbers over the phone (something most
people don't think twice about).  Internet commerce is good for the Web; it
will bring more people to the medium, and allow people to make a profit
through the medium (something people are still struggling with).

I'd be interested in other people's comments.

Thanks!
Sarra

-------------------------------------------------------
Sarra Mossoff                          171 West 85th Street
sarra@smallworld.com             New York, NY 10024
Voice: (212) 501-9800           Fax: (212) 501-9816

                 Small World Software
           Shrink The World, Expand Your Mind
               http://www.smallworld.com
-------------------------------------------------------
Received on Monday, 12 May 1997 12:01:00 UTC