1) problem description: Content provider realnames.com removes security certificate after padding with its advertising. After using the search engine, Metacrawler, one of the resultant links was through realnames.com. Clicking the link and following through to the "secure order" page resulted in no security certificate being given. Verification of the existance of a security certificate was proved by going directly to the vendor site. URL given by Metacrawler search: http://navigation.helper.realnames.com/framer/1/0/default.asp?realname=AutoT ech+Troubleshooting+Software&url=http%3A%2F%2Fwww%2Eautotechsoftware%2Ecom&f rameid=1&providerid=0&uid=17414734 Vendor URL: www.autotechsoftware.com Process taken: -------------- With IE5.01 SP2, a) use realnames.com content-filled url and verify existance of a security certificate and, if so, the level of encryption. b) use autotechsoftware.com and verify existance of security certificate and, if so, the level of encryption. Results: -------- a) Using the realnames url, the secure order page is not secure, no certificate is given, no "lock symbol" shown on the page. b) Using autotech.com, the secure site is accessed, a certificate is given, 128-bit encryption. Machine used: ------------- Microsoft Internet Explorer 5.01 SP2 on an NT4.0 SP6a workstation. Notes: ------ The first time this was tried, Cookies were set to DISABLED. The second time, Cookies were set to PROMPT. (No messages were displayed regarding storing cookies on the local pc) Second test: ------------ This was to see if the problem was reproducable on a different OS/browser. Second machine was a 98SE system with IE5.5 on a different network, cookies enabled. Result - same as above. Conclusion/Risk: ---------------- From the above, it looks like realnames is, exposing customers information including credit card #, as well as being able to record that information themselves which could be mis-used. Notification to vendor/content-provider: ---------------------------------------- Both realnames and the vendor were notified by e-mail on Monday 20th, a generic "thank you, we will get to this" reply was returned by realnames, the vendor saying that he would "look into it". Content-providing/this kind of issue is not my field and I have not been able to progress this in respect to seeing whether this is a mis-configuration on realnames part, or something common to all content providers, hence posting to this community in the hope that it is escalated/vendors check their systems. regards, Eddie Chandler TAOS Consultant NT4 MCSE, Win2k Pro MCP www.taos.com
This archive was generated by hypermail 2b30 : Sat Aug 25 2001 - 11:19:40 PDT