Paying on the web? Look for the small padlock, not the big one

A friend drew my attention to a security issue on thetrainline.com, a UK website for purchasing train tickets.

She planned her journey and then entered her credit card details, noting that the browser confirmed that she was on a secure page:

In this case, Internet Explorer shows the URL in green, which means the site presented an Extended Validation (EV) SSL certificate, giving extra confidence that all is well. Indeed, in normal circumstances it would have been.

Unfortunately she made a small error with the card details. The site then bounced her to an insecure page, inviting her to re-submit her details, this time over plain HTTP. The image below shows part of the web page, including the credit card details (albeit with whatever errors caused the validation to fail) and the IE property dialog confirming that the page is not encrypted:

Now the comforting green URL is gone, replaced by plain black on white:

However, the big padlock graphic is still in place, along with logos for Verified by Visa and MasterCard SecureCode.

It looks to me as if the card details are sent in plain text twice, first when bounced back to the user for correction, and second when re-submitted.

The site was advised of the problem 24 hours ago, but I was able to replicate the issue just now. Moral: look for the small padlock in the address bar, not the big reassuring graphic on the page itself.
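A way to check a page for exactly this mistake, as an added example rather than anything from the post or from thetrainline.com: it parses the HTML and, for every form that collects card-looking fields, checks that the page was fetched over HTTPS (the small padlock), that the form's action resolved against the page URL is HTTPS, and that no card field comes back pre-filled. The sample page, URLs and field names are constructed to resemble what the post describes.

```python
"""Check a card-entry page for the flaw described above: the form sits on,
or submits to, plain HTTP, or comes back with card fields pre-filled.

Added example for this post, not thetrainline.com's code. The sample
page, URLs and field names below are constructed to resemble what the
post describes.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that mark a field as card data. Real sites vary; assumption.
CARD_FIELD_HINTS = ("card", "cvv", "cvc", "expiry")


class _FormCollector(HTMLParser):
    """Collect every <form> with its raw action and its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"name": attrs.get("name") or "", "value": attrs.get("value") or ""}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_like_card_field(name):
    lowered = name.lower()
    return any(hint in lowered for hint in CARD_FIELD_HINTS)


def audit_card_page(page_url, html):
    """Return a list of findings for the page; an empty list means it passed.

    For every form containing a card-looking field:
      1. the page itself must have been fetched over https (the small padlock);
      2. the form action, resolved against the page URL, must be https;
      3. no card field may carry a value in the markup (server echoed it back).
    """
    page_scheme = urlsplit(page_url).scheme
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        card_inputs = [i for i in form["inputs"] if looks_like_card_field(i["name"])]
        if not card_inputs:
            continue
        if page_scheme != "https":
            findings.append(f"card form served over {page_scheme}: {page_url}")
        action = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action).scheme
        if action_scheme != "https":
            findings.append(f"card form submits over {action_scheme}: {action}")
        for field in card_inputs:
            if field["value"]:
                findings.append(f"card field {field['name']!r} pre-filled in markup")
    return findings


# Constructed sample: the retry page as the post describes it, padlock
# graphic and scheme logos included, served from an http:// URL with the
# mistyped details (expiry month 13) echoed back into the form.
RETRY_URL = "http://www.example.com/booking/payment/retry"
RETRY_HTML = """<html><body>
<img src="/images/padlock.gif" alt="Secure payment">
<img src="/images/verified_by_visa.gif"> <img src="/images/securecode.gif">
<p>Please check your card details and try again.</p>
<form method="post" action="/booking/payment/submit">
  <input type="text" name="cardNumber" value="4111111111111111">
  <input type="text" name="expiryDate" value="13/09">
  <input type="text" name="cardCvv" value="">
  <input type="submit" value="Pay">
</form></body></html>"""

# What the site should have served: the same form on the https origin with
# nothing sensitive pre-filled. The relative action then resolves to https.
SECURE_URL = "https://www.example.com/booking/payment"
SECURE_HTML = RETRY_HTML.replace('value="4111111111111111"', 'value=""').replace(
    'value="13/09"', 'value=""')

if __name__ == "__main__":
    for url, page in ((RETRY_URL, RETRY_HTML), (SECURE_URL, SECURE_HTML)):
        print(url, "->", audit_card_page(url, page) or "no findings")
```

Run against a saved copy of a payment page (fetch it with the URL you actually saw in the address bar, since the scheme of that URL is part of the check); the padlock graphic and scheme logos are deliberately ignored, because they are just images and prove nothing.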

Is this a big security risk? As far as I’m aware, the chance of a criminal intercepting internet traffic to look for useful information is slim. That’s just as well, given the number of sites that do bad things like emailing password reminders in plain text. The risk is not just theoretical though; the traffic could be logged or intercepted.

Let me emphasise: thetrainline.com is a respectable web merchant and I am sure this is no more than a bit of careless coding. After all, there is no advantage to the web site if you send your card details unencrypted. They get them anyway.
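What "a bit of careless coding" of this kind can look like on the server, with the fix beside it. This is an added illustration, not the site's code; the URLs, field names and validation rule are assumptions. The vulnerable handler answers a failed validation with a redirect to an absolute http:// retry URL and pushes the entered fields into the query string so the form can be pre-filled, which is one mechanism that would produce the two plaintext trips the post describes. The hardened handler refuses card data that did not arrive over TLS, re-renders the form in the same HTTPS response with a relative action, and never echoes the card number.

```python
"""The server-side mistake behind the post beside its fix, as two minimal
WSGI apps driven in-process. Added illustration, not the site's code;
URLs, field names and the validation rule are assumptions.
"""
import io
from html import escape
from urllib.parse import parse_qs, urlencode

RETRY_URL_HTTP = "http://www.example.com/payment/retry"   # assumed absolute link
FORM_TEMPLATE = """<form method="post" action="{action}">
<input name="cardNumber" value="{card}">
<input name="expiryMonth" value="{month}">
<input name="expiryYear" value="{year}">
<input type="submit" value="Pay"></form>"""


def _read_form(environ):
    size = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(size).decode()
    return {k: v[0] for k, v in parse_qs(body).items()}


def _valid(fields):
    """Toy validation: expiry month must be 01..12. A month of 13 is the
    kind of 'small error with the card details' the post describes."""
    month = fields.get("expiryMonth", "")
    return month.isdigit() and 1 <= int(month) <= 12


def vulnerable_app(environ, start_response):
    """On a validation error, redirect to an absolute http:// retry page and
    carry the entered fields in the query string so it can be pre-filled.
    The browser then fetches that URL, card number included, in clear, and
    the pre-filled form on it submits in clear again."""
    fields = _read_form(environ)
    if not _valid(fields):
        location = RETRY_URL_HTTP + "?" + urlencode(fields)  # BUG: scheme and payload
        start_response("302 Found", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"payment accepted"]


def hardened_app(environ, start_response):
    """Refuse card data off a plaintext connection; on a validation error
    re-render the form in this same HTTPS response, with a relative action
    (so the scheme is inherited) and the card number never echoed back."""
    if environ.get("wsgi.url_scheme") != "https":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"card details are accepted over https only"]
    fields = _read_form(environ)
    if not _valid(fields):
        page = FORM_TEMPLATE.format(
            action="/payment",
            card="",  # user re-types it; it never appears in the markup
            month=escape(fields.get("expiryMonth", "")),
            year=escape(fields.get("expiryYear", "")),
        )
        start_response("200 OK", [("Content-Type", "text/html")])
        return [page.encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"payment accepted"]


def post_card_form(app, scheme, fields):
    """Drive a WSGI app in-process; returns (status, headers, body)."""
    body = urlencode(fields).encode()
    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": "/payment",
        "wsgi.url_scheme": scheme,
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out.decode()


# Constructed submission with a mistyped expiry month, as in the post.
MISTYPED = {"cardNumber": "4111111111111111", "expiryMonth": "13", "expiryYear": "09"}

if __name__ == "__main__":
    status, headers, _ = post_card_form(vulnerable_app, "https", MISTYPED)
    print("vulnerable:", status, headers.get("Location"))
    status, _, body = post_card_form(hardened_app, "https", MISTYPED)
    print("hardened:", status, body)
    print("hardened over http:", post_card_form(hardened_app, "http", MISTYPED)[0])
```

The scheme check in the hardened handler is the part most easily lost behind a load balancer that terminates TLS: there `wsgi.url_scheme` is whatever the front end tells the application, so the same check has to be enforced at the terminator (redirect or refuse plain HTTP for the payment paths) rather than trusted from a header.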


The curious silence of the IE team – Microsoft needs to rediscover blogging

There are huge numbers of Microsoft bloggers; yet in some important areas Microsoft seems happy to let its opponents make all the noise.

Internet Explorer is an obvious example. There is an official IE Blog, but you won’t find anything there about IE8, just occasional news of minor IE7 tweaks. The comments on the other hand are full of questions, many of them good ones that deserve an answer, or at least an acknowledgement that someone is listening.

I spoke to Microsoft’s Chris Wilson at the Future of Web Apps conference back in February, noting that he gave a “good bridge-building talk”. There have been other similar talks, but little of substance since then. Anyone searching the web for news of browser development and innovation will find little from Microsoft, lots from Mozilla and others.

This is not about Microsoft bashing. Rather, it is about web developers and designers who need to make stuff work. Having some idea about where Microsoft is going with its browser helps with that.

Microsoft needs to rediscover the value of high quality blogging that engages with the community. It is not just IE. Soon after the release of Office 2007 I was among those who reported on performance problems with Outlook. This blog still receives thousands of visits from users who search for why Outlook 2007 is slow. Where were the bloggers from the Outlook team? Months later there was a tech note and patch which helps a little, but Outlook 2007 is still slow and there is no real evidence that the company cares.

What about Office Open XML, viciously attacked by IBM and other sponsors of the rival Open Document Format? Brian Jones has a good marketing blog; yet I’ve seen relatively little technical blogging from the OOXML folk at Microsoft in response to the questions raised.

See also Dave Massy’s blog.
