NON-Secure Credit card info transfer from time.com/pathfinder.com

From: Bob Niederman (btrq@bob-n.com)
Date: Tue Oct 16 2001 - 17:37:56 PDT

    When you go to www.time.com and click on "Order This Special Issue" (over
    the picture of the Time cover showing the second crash into the World
    Trade Center), you are taken to:
    
    https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html
    
    The problem is that while the page 
    
    https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html
    
    itself is secure, as noted by the "https" at the beginning of the URL,
    when you click the "Submit Order" button, the HTML in that page
    reading:
    
    <FORM METHOD="post"
    action="http://cgi.pathfinder.com/cgi-bin/magsubs/cc/booksubs/tdspecialed01">
    
    sends it to a non-secure server, as noted by the "http:" instead of the
    "https:" in the preceding URL.
    
    This causes the credit card number to cross the internet in
    unencrypted form.
    
    The browsers I've used on this page (Netscape 4.08 on NT, NS 4.74 on Linux
    and Mozilla 0.9.5 on Linux) all pop up a window warning the user that this
    will happen.  I didn't really believe it, so I started up ethereal, then
    went ahead.  Ethereal showed that, indeed, the credit card number did go
    across in the clear.  [That credit card account has been closed.;) ] 
    
    I notified via email, then phone, (to help.singleat_private and
    1.800.274.6800); the phone folks were not clueful, but referred me to
    another number, where they understood my complaint, and told me others had
    complained of the popup message from the browsers, but that their
    programmers swore up and down that the connection was secure.  I explained
    the problem in some detail to that person and sent follow-up email.  So
    far, no response other than auto-responder.
    
    These conversations occurred yesterday morning.  This should be easy to
    fix, but so far, no response and the page still has this flaw.
    
    - Bob Niederman 
    
    Fight UCITA! http://www.4cite.org, 
    
    Free Dmitry Skylarov.  Repeal DMCA.  http://freskylarov.org  
    http://eff.org
    
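The defect described in the post is a form served over https whose action attribute points at an http URL, so the browser downgrades the submission. The following audit script, added here as an illustration and not part of the original message, scans a page's HTML for forms that resolve to an http action; the sample HTML is a constructed fragment modelled on the form quoted above, not the live page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionAuditor(HTMLParser):
    """Collects every <form> on a page and resolves its action against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":          # html.parser lowercases tag and attribute names
            return
        attrs = dict(attrs)
        method = (attrs.get("method") or "get").lower()
        # An absent or empty action submits back to the page's own URL;
        # a relative action inherits the page's scheme, an absolute one does not.
        action = urljoin(self.page_url, attrs.get("action") or "")
        self.forms.append({"method": method, "action": action})


def find_insecure_forms(page_url, html):
    """Return the forms on an https page whose submission would travel over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not protected, so there is nothing to downgrade
    parser = FormActionAuditor(page_url)
    parser.feed(html)
    parser.close()
    return [f for f in parser.forms if urlsplit(f["action"]).scheme == "http"]


# Constructed sample: an https order form posting to an http CGI, plus a relative
# form that stays on https.  The URLs mirror the ones quoted in the post.
SAMPLE_PAGE_URL = "https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html"
SAMPLE_HTML = """
<html><body>
<FORM METHOD="post"
action="http://cgi.pathfinder.com/cgi-bin/magsubs/cc/booksubs/tdspecialed01">
<input name="ccnum"><input type="submit" value="Submit Order">
</FORM>
<form method="post" action="/subs/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for form in find_insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"INSECURE {form['method'].upper()} -> {form['action']}")
```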
    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 13:53:22 PDT