Jamie,

let him get on with it, while you mind your own business.

dont get me wrong, but you would be amazed at the amount of sites that do this.

unless you have time on your hands and want to get involved in this sort of thing, let him get on with it.

Shak

"unless you have time on your hands"

absolutely not ;-)

will ignore then. hopefully he'll dig his own grave before too long.

cheers shak

will ignore then. hopefully he'll dig his own grave before too long.

exactly :)

Shak

Forgive my ignorance but if the form is on a https and his formmail used is called through the https: then is that not secure?

The browser procedure is all secure, but the 'end product' is simply a common-or-garden text email that gets sent 'in the open', with none of the gathered data encrypted or protected in any way.

Bit like hiring a security van full of guards, driving your sack-of-cash all the way to the bank in this van, then simply dumping your deposit (sic) on the street outside the bank.

confession - we did this for our first 2 years.

setting up our secure server was easy compared to establishing our secure connection to it (in order to download orders).

Yeah, storing credit card info on a server is a challenge when you don't have the server in your building.

I built a small ecommerce system from the ground up a few years ago (php/mysql, great learning experience) and found that it was very difficult to securely store credit cards on the remote server. Encryption is easy, but you have to put the key on the server to encrypt/decrypt. That's insecure.

I settled on encrypting the whole order form with PGP and emailing it to the person who takes the orders. No credit card info stored in the database (though I do store the encrypted order forms.) No private keys stored on he server.

Anyway, that's not what this thread is about, is it. It's about ratting out your competitor.

If you raise alarms, you'd probably be doing them a favor as they'd be forced to clean it up before anything disastrous occurs. I agree with everyone here, if you wish them ill, let it bite them.

In general, I'm uncomfortable with the whole ratting out thing. What comes around goes around. That's just me though.

You know, everyone gets all riled about sending CC info by email, but I have never been able to find an authenticated case of CC info being stole that way - when you look at the cases where CC info has been stolen, its always been from big servers that store the stuff, the so-called secure sites. It always seems crazy to me that we get all frightened about giving our CC# over email, then hand the CC to some itinerant, undocumented waiter to dissappear with for 15 minutes.

If you want to hide a message, the best way is to cushion it in a lot of junk. That's what happens when you send CC info email. Sort of like sending a diamond in the mail rather than by armoured car.

There are some neat halfway measures you can use, that can be a lot easier than "real" encyryption. Like using a simple script that will add some number to the cc #, which you subtract at your end. Or pasting the expir date in the middle of the CC number.

I

Competitors, especially when they are nasty, are an amazing way to get under your skin. But there are so many better, more positive ways to handle things. Consider how big your market is and work on the untapped market. Look at market share and figure out how to make your share bigger without thinking that your competitor exists. How secure his system is goes WAY beyond something you need to worry about. Look at WW. They have taught you ways to get more and more and more and more traffic. By building more content. Time spent worrying about your competitor is time spent not working on content. I'm glad you chose the positive approach in the end. It will pay off. Trust me.

What I do is encrypt the details on the server, but then provide a secure admin area which displays the encoded string in a text box, you then have to copy this into a windows client that has the correct reg key, and is also protected by a user/pass

That way only the encrytion key is on the server, there is a further key which is burried in the dll that does the encryption.

The windows client is unique to the user, in that the dll key is buried within it, you then have to supplied the additional key that is sent to the dll by the asp code. Only having the two codes together can you decrypt the string :)