Left In Lowell

Member of the reality-based community of progressive (not anonymous) Massachusetts blogs


August 18, 2010

Advice to Doherty: Secure Donor Credit Card Info (Updated)

by at 7:40 pm.

Something I noticed out of the corner of my eye while researching my last post, but didn’t have time to delve into deeply, is that Chris Doherty’s donation page does not appear to have an SSL (Secure Sockets Layer) certificate indicator. The donor page asks for your full information, including all your credit card details, and claims at the top that “This is a secure page” with a padlock image, but what matters more than an easily made in-page claim is the padlock you should be finding on the bottom bar of your browser when you hit that page, and it is missing.

The donation form itself is in an iframe - embedding code from another site, the URL of which is:
http://secure.sage-systems.com/cms/chrisdoherty/?l=donate

But “secure” appearing in the hostname of the page being pulled in does not make it secure. That URL also lacks the “https” prefix, and https is what indicates an encrypted connection. The form script appears to resubmit to itself via a relative URL (web talk for reusing the same scheme and domain the form was loaded from), so the submission goes out over plain http as well.

Curious, I put my IT husband on the case, and he used what’s known as a “packet sniffer” - software that monitors the pieces of information, called packets, that are sent to and fro whenever you submit something and then receive something through the web (or rather, through a network and then the web). The contents of an encrypted (SSL) packet are indecipherable to a packet sniffer. However, the test data that we submitted through the form on that page showed up perfectly intact in the packet sniffer. That means a knowledgeable computer person (with malicious intent) can, particularly if you are on, say, an unsecured network at a coffee shop or library, grab 100% of your credit card information, everything that person needs to use the card themselves online (including the CVV, address, name, and expiration date).

If I were Chris Doherty, I would be really pissed off at my web design firm. This is a terribly amateur mistake that could compromise the personal information of donors. And it needs to be fixed ASAP.

UPDATE: Looking at the code for the page now, the iframe now links to “https://secure.sage-systems.com/cms/chrisdoherty/?l=donate” which appears to be a secure site (the certificate doesn’t name ownership info, but it at least has SSL).

This means the parent page (the contribute page) itself still does not have SSL, but the transaction itself should be encrypted. It’s not how I would set it up: people do look for that padlock on the bottom bar when they are on a page asking for credit card information, and it will not appear there, even though the submission should be secure. I don’t have a packet sniffer here with me so I can’t check, but my guess is it’s encrypted. So good on the web updater for getting to it quickly. Still, pretty rookie move…

33 Responses to “Advice to Doherty: Secure Donor Credit Card Info (Updated)”

  1. joe from Lowell Says:

    Oh, Lynne.

    That’s beautiful.

    Did you at least buy the rats dinner first?

    I love it.

    Thank you for posting this out of the kindness of your heart. You rule!

  2. Lynne Says:

    Well, sarcasm aside, it really IS a major no-no by a web designer. In this case, I think Doherty himself can be forgiven for not understanding the particulars - though word to all the wise out there, NEVER ever enter your sensitive info on a site without the https and the SSL lock on the page, no matter what the content on the page itself says. And it’s never a bad idea to check the certificate itself on pages you are not sure about. Sure, Amazon and other major websites are probably always safe, but SSL issuers are a dime a dozen now and some are now questioning whether or not there’s problems with some of them.

  3. Lynne Says:

    Please, we don’t allow people to comment without filling out the nickname. It defaults to “Anonymous” and it gets confusing if everyone posts that way. Thanks!

  4. Kim Says:

    I always forget to enter my name again after emptying my temp files. Sorry! I swear I will remember some year. Thank you for the security lesson. I add customers at home to my work server and have to type in https and wondered why that was and now I know. Will the Sun title tomorrow be “Doherty contributors at risk”? Is the donation system the Doherty campaign used REALLY that dangerous?

  5. K-R-S Says:

    My goodness, thank God I hadn’t donated! :0)
    That said, having come back from April vacation to find that someone had compromised our CC information, not too pleased, but easily remedied.

  6. Mr. Lynne Says:

    I don’t think this is too serious as long as it gets fixed. (Disclaimer: I’m not an internet security expert - I’m just a little more informed about it than most users.) It basically isn’t secure, but it’s like leaving your door unlocked at home while you’re out - as long as nobody notices and takes advantage, the data you sent is probably safe. While the data would be relatively easy to intercept, you have to know to look. There may have been bot sniffers out there monitoring the site, but I doubt it.

    The internet used to be full of sites with this problem, but people in general have wised up. Yahoo in particular used to ask you to sign into their site without any encryption unless you specifically asked to do it by clicking on a ’secure sign in’ link instead of just being secure by default (like it is now).

  7. Peter Rollins Says:

    Ummmmm thanks for telling the crooks how to break in. WTF is wrong with you? Yeah I know, you want people to fear donating to this kid because you don’t like him, makes sense from a strictly utilitarian viewpoint. But you’re acting a little too, what I would call “Fox Newsy,” for my tastes on this one.

    Remember, we can’t act like we’re better than the right wing jag-offs unless we ARE better than the right wing jag-offs. Right?

  8. Lynne Says:

    Oh for god’s sake, honestly, if I noticed, anyone could. And it is a seriously stupid mistake. Sorry, but it’s not MY fault it happened. Stop blaming me for it.

  9. Lynne Says:

    (In fact, it’s likely bots have already sniffed out the fact it’s not a secure site, anyway - long before any human ever did. It’s not hard to figure out.)

  10. Lynne Says:

    I’ll add one last thing - It’s awful to state on your site that it’s a secure transaction without actually securing it. That’s false advertising.

    The site goes out of its way to reassure you, but it fails to do so. So this is something we should be quiet about?

    Publicizing it means it’ll get fixed posthaste. If that web company wants to ever be hired again, it’ll get it done TODAY. If I emailed the campaign, there’s no guarantee that the company would hustle on it.

  11. Lynne Says:

    As mentioned before, there is an iframe. An iframe can be secure in an insecure page, except, you need that embedded page to be secure - https packet instead of an http packet. The iframe is calling in an insecure form, therefore the packet is bare.

    Using HTTPS is a matter of getting the SSL - buying it, and then setting it up correctly at one’s host. When you buy an SSL you get a key that is then entered at the host end, which is where your script that parses your form lies. That allows it to unencrypt the encrypted packet. Because it sits where the script sits (ie on the same computer, so to speak), the unencryption key never crosses the wire like the packet is, and therefore (without the key) cannot be unencrypted by third parties.

    In other words, you can’t merely just use https in your link, you have to also set it up correctly. The packet as sent through the wire on that site is in plain text, unencrypted.

    But like I said, this is also a really good lesson to anyone who uses the web. You should look for that SSL indication, in the URL and in the bottom browser bar. And on a site you’re still not sure of, you might want to check the actual certificate itself. (You usually can do that in most browsers by clicking on the padlock icon in the bottom bar.)

  12. Really? Says:

    No Lynne. No, no no.

    If you actually cared about the security of people’s information like the tone of the post suggests, you would have contacted the campaign to let them know of the flaw. Yes, it would have helped the opposition, but it would have been the right thing to do.

    Instead, you post the information on an open web site, allowing anyone with malicious intent to steal people’s personal information. All to score cheap political points, the same tactic you have been bashing Doherty for from the start.

    Nice going.

  13. Lynne Says:

    I think people have a right to know, KNOW that their info might be at risk until they FIX the problem? Or are you against warning people?

    Good lord. You’d rather the next several people to donate be at risk…you must be insane.

    As I said, this is super EASY information to find out - bot scripts probably already have. I’m serious, this looks like this might have been going on since the start. *I* am NOT the one compromising people’s security on that site - but I sure as hell will warn other people. And yes, it’s a stupid move on Chris’ web company’s fault, but you might want to note I have NOT blamed him - I blamed whoever set up the site.

    Don’t blame me for someone else’s mistake, one which I am very likely NOT the first person to notice.

  14. Lowell Lurker Says:

    So if I read your “update” correctly, this was all much ado about nothing?

    By the way, were you in the process of making a contribution?

  15. Really? Says:

    Regardless of your intentions, your “help” has made it much easier for those who want to to steal the information you seem so interested in protecting. As I said, there was a way to help without making an admittedly serious security flaw even more public.

    Instead, you chose the route that benefited your side the most, rather than the one that would actually be most helpful in preventing any further damage. So I daresay I’m justified in questioning your motives for posting this here.

    And no, I’m not against protecting people; I’m against doing it in a way that makes it worse, in order to serve your side. People should know, but the real solution would be to fix the problem, not trumpet about it.

  16. joe from Lowell Says:

    Ummmmm thanks for telling the crooks how to break in. WTF is wrong with you?… Instead, you post the information on an open web site, allowing anyone with malicious intent to steal people’s personal information. All

    The crooks already know everything Lynne wrote. It’s the rest of us who don’t.

  17. Shawn Says:

    Sorry Lynne, I agree with “Peter” and “Really” on this one.
    I have no dog in this fight.. it’s a Lowell race to me.

    But, when I discover a security issue on someone’s site, I always quietly notify the webmaster.

    I may discuss the issue after the problem was solved on a security blog or webmaster forum. Education is important in that light.

    This obviously touched a nerve, because you replied repeatedly trying to validate your post after you were challenged on it.

    This posting did nothing but create distrust of a candidate (your intended target), and distrust in the security of the internet in general (the unfortunate consequence).

  18. Lynne Says:

    Uh, Lurker, NO, since it’s been like that (one can presume likely) since the site was set up, a lot of people’s info could have been compromised.

    No, don’t be sarcastic, I already said (why am I always repeating myself???) that I found it researching for my last post. I noted it that night, but didn’t remember to go back and do the delving until I did.

    “Really??” - what joe said. Again do I have to repeat myself? I love the talking points. “It’s Lynne’s fault there’s a security breach on a site she had nothing to do with!” Good lord.

    There were two reasons for publicizing it - one, so that people would be forewarned, and two - so there would serious pressure to fix it DAMNED quick, and that worked, it was fixed. The fact that it makes Doherty’s campaign look bad isn’t my fault. Kudos on them for getting on the ass of the web master.

    And as I said in the update, they’re doing the security in a way that I think is pretty dumb. Well, at least, NOT reassuring to the average savvy user who might be looking for that padlock on the bottom, which they won’t get. And SSL certs are really cheap, so there’s really no excuse…

    By the way, the STATE takes this security stuff very seriously. WISP just went into effect in March, and it’s VERY adamant that you secure information. Web developers are taught to be very, very cautious about proper web security.

  19. Lynne Says:

    And I can’t wait til the OCPF reports come out and we find out who did the website…LMAO.

  20. Lynne Says:

    You know, I gotta wonder…are all the people who are on here getting all defensive for Doherty (whom, I will note, I didn’t BLAME in the first place) are they the same people who are perfectly OK with the government grabbing more info than the Constitution allows (PATRIOT Act etc) and then yelling at the press for revealing that these programs exist for “compromising US security”?

    LOL!!!

  21. Lynne Says:

    To Shawn - right, again, I point to the fact that the site was already compromising people’s data, and the people who read this site so they can jump on my ass for my views on the race are the ones donating to him.

    You might not like my methods, but they were effective. After months of this thing being insecure, it was fixed right away.

    “This posting did nothing but create distrust of a candidate (your intended target), and distrust in the security of the internet in general (the unfortunate consequence).”

    Sorry, but the distrust was deserved. I posted an update of it being fixed (and how it was fixed) as soon as I found out it was. So, your superiority attitude aside, again, I think it’s perfectly reasonable to do it however you think you should. I doubt very much it’d be fixed this quickly if I had sent an unsolicited email to some unknown intern at the campaign and let the wheels grind away.

    If you don’t think people needed to know that’s your opinion (and frankly, people needed to know if they were past donors - because they should try to remember where they were when they did it - and even being on a secure network is no guarantee BTW - because they might want to keep an eye on that credit info).

  22. Mr. Lynne Says:

    Security firms wrestle with the ‘do I make this public?’ question all the time, and they do sometimes make the judgement call that it’s better to make it public prior to a fix being out there. Certainly there can be a risk, but the benefits of warning the public and the pressure it puts on getting a fix done can sometimes outweigh them. In this case, the risk probably wasn’t much at all. People who try to hack card numbers don’t usually go the route of trying to hack each individual transaction (which is what you would have to do here), but rather they go after the database of transactions - more bang for the buck.

  23. dybo Says:

    Thanks, and you are absolutely correct. If you right click the donation info page it will tell you that this page has no encryption.
    Good catch!

  24. Lynne Says:

    Dybo - it is secure now that it has been fixed, just hiddenly so. The iframe pulling in the form is now finally from an https (secure) site - but the lack of an SSL on the page itself is likely to fool a lot of people. Again not the best methodology to secure data IMHO - just from a public trust standpoint, though it’s as secure. (As evident by this problem, securing a form’s submission of data via iframe is also REALLY easy to screw up - all you gotta do is forget the “s” on the http in the URL.)

    Like I said, take this as a lesson - on any site asking for your personal info, check to see if there’s a padlock. On sites that don’t have it, don’t assume they are securing you in other ways. They might be, but it’s time to be aware.

    One thing you CAN do is click on “view source” (right click, or else up on the menu usually under “view”) on the page asking for your data, and look for an iframe (do a search) where the form should be. If the iframe code is calling for an https site, then it should be secure.

    I’d post real code but I think the WP install would strip it out, and I’m too lazy right now to use HTML characters - but HTML code for iframe looks like this. In the instance of pulling code from another website, the src="" attribute would have a full URL with http/https at the beginning. If you see an src attribute with https in the URL, then that form is secure.

  25. Lynne Says:

    Oh, and - you should go to the URL being iframed, too - copy-paste the URL into your browser to access it directly. [Go into the page source for that page] and find the form tag:

    <form name="SOMENAME" action="SOME URL/FILE" method="post">

    And make sure that if it’s an absolute URL (starts with http or https and has the full URL) that it has an https on it. If it’s a relative URL (not a full URL but just a part of a path, like “scripts/parsemyform.php” or something) then if the iframe is on https, it’ll resubmit to the secure version of the site.

    The big problem with the form being pulled in to Doherty’s site was that the form’s action attribute submitted to a relative URL, which was the unsecure one.

    If I were Sage, the company providing this service, I would be at a minimum checking to see if any offsite code pulling my form was pulling from https, and giving a bit of error code instead of delivering the form, so if the web developer screws up, they know it right away. Kind of a failure on several levels…
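The check the post and the comment above walk through by hand (read the parent page’s iframe src, read the embedded page’s form action, work out where a submission actually goes) as an added Python example; this is not code from the original post or from Sage Systems, and the hostnames and HTML pages in it are constructed stand-ins for the “before” and “after” states described:

```python
"""Audit whether a form embedded via <iframe> really submits over HTTPS.

Resolves the iframe src against the parent page and the <form action> against
the iframe URL, the same way a browser does, and reports the submit URL.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _AttrCollector(HTMLParser):
    """Collect iframe src values and form action values from one page."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        elif tag == "form":
            # A missing or empty action means "submit to the current URL".
            self.form_actions.append(a.get("action") or "")


def extract(html):
    p = _AttrCollector()
    p.feed(html)
    return p.iframe_srcs, p.form_actions


def audit_embedded_form(parent_url, parent_html, fetch):
    """Return one finding per iframe/form pair reachable from parent_url.

    `fetch(url)` returns the HTML of the embedded page; it is supplied by the
    caller so the audit can run offline here against constructed pages.
    """
    findings = []
    parent_scheme = urlsplit(parent_url).scheme
    iframe_srcs, _ = extract(parent_html)
    for src in iframe_srcs:
        # urljoin handles relative, protocol-relative ("//host/..") and absolute srcs.
        frame_url = urljoin(parent_url, src)
        _, actions = extract(fetch(frame_url))
        for action in actions:
            # A relative action resolves against the *iframe's* URL. That is the
            # exact mistake described: http iframe + relative action = http submit.
            submit_url = urljoin(frame_url, action)
            findings.append({
                "frame_url": frame_url,
                "submit_url": submit_url,
                "submits_over_https": urlsplit(submit_url).scheme == "https",
                # An https submit inside an http parent can still be redirected or
                # keylogged by whoever tampers with the parent page in transit.
                "parent_tamperable": parent_scheme != "https",
            })
    return findings


# Constructed sample pages (not the real site) for the before/after states.
PARENT_BEFORE = (
    '<html><body><p>This is a secure page</p>'
    '<iframe src="http://donate.example/cms/campaign/?l=donate"></iframe>'
    '</body></html>'
)
PARENT_AFTER = PARENT_BEFORE.replace("http://donate", "https://donate")
EMBEDDED_FORM = (
    '<form name="donate" action="?l=donate" method="post">'
    '<input name="card"></form>'
)


def fake_fetch(url):
    """Stand-in for an HTTP client: the embedded page is the same on either scheme."""
    return EMBEDDED_FORM


if __name__ == "__main__":
    for label, page in (("before fix", PARENT_BEFORE), ("after fix", PARENT_AFTER)):
        for f in audit_embedded_form("http://www.example.org/contribute", page, fake_fetch):
            print(label, f)
```

Run against a live page, `fetch` would be a real HTTP GET and the second finding field is the one the update in the post is about: the submit URL is https but the parent page is still tamperable.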

  26. Lynne Says:

    Heh, awesome, I just found a site that very nicely describes how to do proper form submission security.

    The relevant headings to look for on that (long) page are:
    Make sure that no one can connect to your form page insecurely

    and

    If my form is posting securely to a secure form processing script, then why does the form itself need to be secured?

    Quoting the first:

    However, as mentioned before, most web hosts leave the insecure version of the form there and can still be accessed by users if they enter the address directly (or if you missed some of the links in your updates). As a next step, you should ensure that it is not possible to access the form page via an insecure connection.
    [snip]
    Scripted pages: If your form page is generated by a server-side script (i.e. PHP, Perl, Python, or JAVA), then your script itself can look and see if the request is secure or not (by looking at the server environment variables). For secure requests, it can render the form as usual. For insecure requests, it can either give the user an error or redirect the user seamlessly to the proper secure location.

    In an iframe, redirect isn’t possible so far as I know, so delivering the error code (a responsibility for Sage, the place hosting the real form) is appropriate here.

    Under the second heading, they agree with me that hiding the security is just bad manners. In their case, they’re talking about a form on your website on an unsecure page that submits to a secure script (the “action” attribute). It’s secure but it fails to show the padlock and certificate to the web user.

    * The data sent from your end users to the server will be secure and encrypted during transmission. This is enough for some applications, such as HIPAA compliance.
    * The form itself will be sent to the end user unencrypted. If there is nothing sensitive in the form itself, this may be OK.
    * End users who are non-technical will have no way of knowing if their data will be submitted securely until they actually try it. Many end users will not want to submit their data to an insecure form on your site for this reason.
    * End users have no way of knowing if they are viewing your site, or a phishing site, or if there is eavesdropping going on — as there is no certificate to validate. Many users will not trust the connection and will not want to submit their data through your site.
    * If your form page is insecure, it is very easy for any malicious party to perform a man-in-the-middle attack to eavesdrop on connections and to set up phishing sites. It is very hard or impossible for your end users to tell if this is going on.

    If you do not SSL-secure your web form, you make it very vulnerable to attack and provide no way for your end users to trust your site. If there is nothing untoward going on, you do have transmission security to rely on; however, that minimal level of security is not recommended for production web sites.

    In the case of an iframe secure form inside an insecure site, even that appears not recommended:

    It may or may not be encrypted. But it’s not secure, and the browser is absolutely correct to deny you a padlock icon.

    If the parent page is http, then that page could easily have been altered by a man-in-the-middle attack to point the usually-secure <iframe> to a completely different server to the expected one. Or, the parent page might have had JavaScript injected into it to log any keypresses you make into the form and send them to the attacker’s server.

    The user would have no way of checking whether this had happened, short of viewing the page source and reading and understanding every line of markup and script inside it. This is absolutely unrealistic.

    If you aren’t on a page where all content is secured by https, any submission from that page is insecure, regardless of where the form action is pointed.

    Given his site is hosted as a WP install…security matters. (I learned he’s hosting a wordpress site because his contributors list is hosted at http://www.chrisdohertyforsenate.com/wp-content/uploads/2010/07/Chris-Doherty-Contributors1.pdf - wp-content is a common folder in WP.)
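The server-side check quoted in the comment above (look at the request environment, render the form only over a secure connection, otherwise return an error rather than the form) as an added Python example; this is not the quoted guide’s code or Sage Systems’ code, and the WSGI environments it runs against are constructed samples:

```python
"""Refuse to render a payment form over plain HTTP.

A minimal WSGI application: it inspects the request environment the server
fills in and answers an insecure request with a plain error instead of the form.
"""

FORM_HTML = (b'<form name="donate" action="?l=donate" method="post">'
             b'<input name="card"></form>')

# Assumption: set True only when this script is known to sit behind a TLS-terminating
# proxy that overwrites X-Forwarded-Proto; otherwise any client can send that header.
TRUST_PROXY_HEADER = False


def request_is_secure(environ):
    """True only if the request reached this script over TLS.

    wsgi.url_scheme is set by the server from the actual connection.  Behind a
    TLS-terminating proxy it reads 'http', so X-Forwarded-Proto is consulted
    too, but only when TRUST_PROXY_HEADER says the deployment warrants it.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if TRUST_PROXY_HEADER:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def donation_form_app(environ, start_response):
    """Serve the form over HTTPS; over HTTP answer 403 with no form at all.

    An error body rather than a redirect is the behaviour the comment settles on
    for a page loaded inside an <iframe>: the embedding site's mistake is visible
    to whoever tests the page, and no card fields are ever offered over http.
    """
    if not request_is_secure(environ):
        body = b"This form must be loaded over https. The embedding page used http."
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(FORM_HTML)))])
    return [FORM_HTML]


def call(app, environ):
    """Invoke a WSGI app directly with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def sample_environ(scheme, forwarded_proto=None):
    """Constructed minimal WSGI environ for the cases discussed."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/cms/campaign/",
           "QUERY_STRING": "l=donate", "wsgi.url_scheme": scheme}
    if forwarded_proto:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env


if __name__ == "__main__":
    print(call(donation_form_app, sample_environ("http")))
    print(call(donation_form_app, sample_environ("https")))
```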

  27. Lynne Says:

    Actually, the javascript keypress alien script is enough to make one shudder! These problems are why you now see credit card sites and other financial institutions do weird things after you put in your username - but not your password.

    For instance, on one, I had to pick a photo I liked out of a bunch they had, which then was attached to my account. Now when I put my username in there, and go to the next page to put in my password, it shows “my” photo - and warns me, if I do NOT see my photo on a subsequent visit to NOT put a password in. Since the photo and its relationship to my account are stored on the server side, only that company (short of having its very servers hacked) knows the association, and can deliver my account with the photo next to it.

    On other sites, they use “confidence words” to tell you you’re on the real page and not a faked “phishing” hijacked page so you can feel safe putting in your password.

    Still other financial sites have not implemented this at all, which is surprising.

  28. Lynne Says:

    I’m sure you can tell, this stuff is my bread and butter…sorry for the boring tech talk, but everyone is affected by web security, so it’s better knowing some stuff than blindly putting your personal info out there to be hacked!

  29. Lilly Pad Says:

    UUUggghhh Lynne. Lots and lots of posts by you that make me think “you doth protest too much”. Which leads me to believe you had some indecision on posting this, in this manner, in the first place. You should have gone with your gut. Even though I’m sure you’ll deny it.

    You really should have just contacted the campaign directly and given them the opportunity to correct it. If they chose to ignore you, then and only then, should you have considered posting on it. And not in the full detail of how to breach the system. Just that the system was able to be breached. You could have posted on it later if you really felt the need to. But frankly it should have been the campaign to issue a warning to its contributors.

    You really did Eileen a disservice. This is not the way she would operate. And unfortunately the actions of your supporters directly reflect on the candidate. Right, wrong, or indifferent. But you can’t choose your family and you can’t choose your supporters.

    Sometimes just a little bit of restraint goes a long way.

  30. Mill Girl Says:

    I think people who are not as tech savvy think that Lynne’s post somehow made it possible for hackers to get into Doherty’s donor database which is not true.

    Someone would have to see her post, and then go to an open hotspot and scan for people who happen to be making donations to Doherty and then intercept their credit card info as it is being transmitted.

    In reality, hackers create programs that automatically scan all transactions to find those that are unsecure and pull whatever info was being transmitted regardless of where it was being sent. Therefore, Lynne sharing this info would not increase the likelihood of theft of the info, it would just increase the awareness of donors and get this problem fixed.

    Now can we get back to talking about the candidates? I’ve gotten 5 mailers from Chris Doherty in the last week. Can someone explain to me how you decrease class size, retrofit government buildings, give seniors major tax breaks AND reduce spending?

  31. Lynne Says:

    “Which leads me to believe you had some indecision on posting this, in this manner, in the first place”

    Nope. I was shocked just how bad this was and was pretty angry, actually. With all the stuff out there about people’s credit and personal info not being protected, it was a boneheaded move (on the part of the web company).

    By the way, I still wouldn’t trust that donor page! It is still vulnerable to a man-in-the-middle attack.

    “You really should have just contacted the campaign directly and given them the opportunity to correct it.”

    As I said, my email would have gone to some intern who would have run it up the chain and it would have taken probably a lot longer to get fixed. This way, there was serious pressure on the web company to get their act in gear and fix it quick.

    Also, I think it’s perfectly fair to nail these people on this, it’s ridiculous in this day and age.

    “And not in the full detail of how to breach the system.”

    It’s obvious to anyone who has any experience with web sites - if I could figure it out, smarter people than me can or have.

    “This is not the way she would operate.”

    Who the fuck said I was Eileen? Equating me with her, is, well, stupid. I saw a bad, bad practice on the web and chose to publicize it - for multiple reasons already stated. If you want to put the sinister motives on it - that’s YOUR business. And more reflects on you than me, frankly. I was pretty sure that contacting the campaign would have given the run around, most likely, or that Doherty would get the run around from their web people (and frankly I would fire them - that setup is really amateur).

    What I find funny, “Lilly Pad,” is that you’re just coming on here NOW and crying foul…so, what, suddenly you feel the need to comment? That tells a person a lot you know. You have a history of, it appears, two comments.

    “Someone would have to see her post, and then go to an open hotspot and scan for people who happen to be making donations to Doherty and then intercept their credit card info as it is being transmitted.”

    Actually there are a couple ways to do it - and one of them does not require a public hot spot at all, just a hijacked web inquiry, and that, actually, is still the case with the way they have it set up. (The iframe/inserted form is NOT secure.)

  32. Lynne Says:

    Actually, correction, the iframe is calling in a secure form, but the outer page is not secure.

  33. Say Whaaaat? Says:

    I don’t think Lynne was trying to help people steal the information. I do think she was trying to create a little doubt in the minds of donors who might have been thinking of contributing.

    If your intentions were noble and driven out of concern Lynne, you should have gone to the campaign directly. Once they corrected the issue, you then could have called them out for a potentially careless mistake. You would have shown yourself to be a bigger person instead of a lowdown dirty fighter, like you accuse Doherty’s backers of being.
