fixed: Re: NON-Secure Credit card info transfer from time.com/pathfinder.com

[Bob Niederman <btrq () bob-n com>]

This has been fixed, around 18 Oct.  The operative line of HTML now reads:

<form METHOD="post"
action="https://cgi.timeinc.net/cgi-bin/magsubs/cc/booksubs/tdspecialed01";>

Ethereal confirms all traffic is https.


- Bob Niederman



On Tue, 16 Oct 2001, Bob Niederman wrote:

> When you go to www.time.com and click on "Order This Special Issue" (over
> the picture of the Time cover showing the second crash into the World
> Trade center), you are taken to:
>
> https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html
>  
>
>
> The problem is that while the page 
>
> https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html
>
> itself is secure, as noted by the "https" at the beginning of the URL,
> when you click the "Submit Order" button, the html in that page
> reading:
>
> <FORM METHOD="post"
> action="http://cgi.pathfinder.com/cgi-bin/magsubs/cc/booksubs/tdspecialed01";>
>
> sends it to a non-secure server, as noted by the "http:" instead of the
> "https:" in the preceding URL.
>
> This causes the credit card number to cross the internet in
> un-encrypted form.
>
> - Bob Niederman 
>
> Fight UCITA! http://www.4cite.org, 
>
> Free Dmitry Skylarov.  Repeal DMCA.  http://freskylarov.org  
> http://eff.org