How secure is this?

Forum Moderators: phranque

Message Too Old, No Replies

How secure is this?

No https:// on form page

elgumbo

11:46 am on Jan 12, 2004 (gmt 0)

A supplier of ours has launched their new site which requires a credit card number to be entered on a non secure / http:// page.

Looking at the source, I can see the data is POSTed to an ASP script on a secure site but should I be concerned about the entering the details on their non encrypted form page?

Cheers

Birdman

12:18 pm on Jan 12, 2004 (gmt 0)

Yes! I would be concerned. The form page should be encrypted.

lundsfryd

12:22 pm on Jan 12, 2004 (gmt 0)

From a technical point of view, there is no security problems as long as the form POSTs the data to a secure page. This ensures that the transmission of your data is encrypted.

sem4u

12:33 pm on Jan 12, 2004 (gmt 0)

I would be concerned about typing my credit card details into a page that is not shown to be secure in the URL. I need to see https:// before I am happy.

elgumbo

2:04 pm on Jan 12, 2004 (gmt 0)

Thanks for the confirmation.

I will speak to the supplier.

Gorufu

1:09 am on Jan 13, 2004 (gmt 0)

A supplier of ours has launched their new site which requires a credit card number to be entered on a non secure / http:// page.

<edited by Gorufu>
If the requested form wasn't sent from an SSL server, the end user may not trust the site.
</edited>

Looking at the source, I can see the data is POSTed to an ASP script on a secure site but should I be concerned about the entering the details on their non encrypted form page?

<edited by Gorufu>
When the form is submitted the secure server sends the site's ssl.cert to the browser, which encrypts the data before sending it.
</edited>

After doing some packet sniffing between two of my servers, I found that information I previously posted was incorrect and has been edited to reflect the results of my testing.