Left In Lowell

Something I noticed out of the corner of my eye while researching my last post, but didn’t have time to delve into deeply, is the fact that Chris Doherty’s donation page does not appear to have an SSL (Secure Socket Layer) certificate indicator. The donor page asks for your full information, including all credit card info, and claims at the top that “This is a secure page” with a padlock image, but what is more important than easily made in-page claims, is the missing padlock you should be finding on the bottom bar of your browser when you hit that page.

The donation form itself is in an iframe - embedding code from another site, the URL of which is:
http://secure.sage-systems.com/cms/chrisdoherty/?l=donate

But just because “secure” is in the subdomain of the page being pulled, it does not mean security. That page URL also does not have the “https” prefix - https indicates a secure URL. The form script appears to resubmit to itself via relative URL (web talk for using the same prefix and domain).

Curious, I put my IT husband on the case, and he used what’s known as a “packet sniffer” - software that monitors the pieces of information, called packets, that are sent to and fro whenever you submit something and then receive something through the web (or rather, through a network then the web). An encrypted (SSL) packet is indecipherable via packet sniffer. However, the test data that we submitted through the form on that page was perfectly intact in the packet sniffer. That means a knowledgeable computer person (with malicious intent) can, particularly if you are on say, an unsecured network at a coffee shop or library, grab 100% of your credit card information, everything that person needs to use the card themselves online (including the CVV, address, name, and expiration date).

If I were Chris Doherty, I would be really pissed off at my web design firm. This is a terribly amateur mistake that could compromise the personal information of donors. And it needs to be fixed ASAP.

UPDATE: Looking at the code for the page now, the iframe now links to “https://secure.sage-systems.com/cms/chrisdoherty/?l=donate” which appears to be a secure site (the certificate doesn’t name ownership info, but it at least has SSL).

This means the parent page (the contribute page) itself does not have SSL, but the transaction should be secure. It’s not how I would set it up - in that people do look for that padlock on the bottom bar when they are on a page asking for credit information, and it will not appear there, but it should be secure. I don’t have a packet sniffer here with me so I can’t check it but my guess is it’s encrypted. So good on the web updater for getting to it quickly. Still, pretty rookie move…