Re: FW: aa.com not encrypting customer transaction data (KMM508728C0KM)

[AA Webmaster <webmaster () aa com>]

Hello Devi and Chris,

Thank you for your interest in American Airlines web site and the
security we use to transfer confidential customer information.

Most browsers indicate that a page is secure by one or more of the
following methods:

- A picture of a key on the status bar.  The key may appear to be broken
when the page is not secure.
- A picture of a padlock on the status bar.  If the padlock is closed, 
the page is secure.  If the padlock is open, it is not secure.
- A blue line across the top of the secured page.

** Although all confidential information sent and received at our site 
is transferred using Secure Socket Layer (SSL) protocol, your browser
will not display a key, padlock or blue line to indicate that the page 
is secure. **

Our site will access secure servers for user confidentiality only when 
sensitive information is being transmitted such as site login, user
profile updates, travel planning payment, AAdvantage account
transactions, etc.  And, since our site uses frames to display
information, only the frame content which contains confidential
information is secure.  Most browsers are unable to detect individual
frames which contain this information and is the reason your browser is
unable to detect this secure transfer of information.

To prevent unauthorized access, maintain data accuracy, and ensure the 
correct use of information, we have put in place appropriate physical, 
electronic, and managerial procedures to safeguard and secure the
information we collect online.

We also participate in the Council of Better Business Bureaus'
BBBOnline® Privacy Program, and comply with all the BBBOnline privacy
standards.  Further information about this program is available at
http://www.bbbonline.org.

If you wish to automatically be notified when entering or leaving a
secure server at our site, you may modify your browser settings to alert
you when these actions occur.  Please contact your Internet Service
Provider or browser manufacturer if you need assistance.


Sincerely,
Melissa Till
AA.com Webmaster Team


Original Message Follows:
-------------------------



-----Original Message-----
From: Dwight Mann
Sent: Monday, September 17, 2001 3:59 PM
To: DFW Technology
Subject: FW: aa.com not encrypting customer transaction data




-----Original Message-----
From: Chris Fairbourne [mailto:chris.fairbourne () camsystems com]
Sent: Monday, September 17, 2001 12:39 PM
To: 'bugtraq () securityfocus com'
Subject: aa.com not encrypting customer transaction data


Looks like aa.com (American Airlines) is NOT encrypting customer data
for
purchasing e-tickets. Hopefully this isn't still the case by the time
this
posts. This hold true for both Advantage login and non-members as well.
At
no time did I get a redirect to an SSL server for my session.

Taking a peek at the "Passenger Details" page source, no where do you
find
"https" or ":443", hmm. Next I make a phony submission and low and
behold
this is what I grabbed: " f o r m % C I _ C r e d i t C a r d T o U s e
_ C
a
 r d N u m b e r "   v a l u e = " 4 3 2 3 5 0 1 9 8 3 5 1 9 9 9 9 "

I've made serveral phone calls to aa.com and generated a few e-mail.
I can't convince them I'm wrong, so I bring it to this forum.



Chris Fairbourne
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x371E73BB
fingerprint: 7AE3DCC82215697A0C3F61C4968FCFDB371E73BB