Left In Lowell

Member of the reality-based community of progressive (not anonymous) Massachusetts blogs

 
August 18, 2010

Advice to Doherty: Secure Donor Credit Card Info (Updated)

by at 7:40 pm.

Something I noticed out of the corner of my eye while researching my last post, but didn’t have time to delve into deeply, is that Chris Doherty’s donation page does not appear to have an SSL (Secure Sockets Layer) certificate indicator. The donor page asks for your full information, including all credit card info, and claims at the top that “This is a secure page” with a padlock image. But what matters more than an easily made in-page claim is the padlock you should find on the bottom bar of your browser when you hit that page, and it is missing.

The donation form itself is in an iframe, which embeds code from another site; in this case the embedded URL is:
http://secure.sage-systems.com/cms/chrisdoherty/?l=donate

But just because “secure” is in the subdomain of the page being pulled in, that does not make it secure. The URL also lacks the “https” prefix, which is what indicates a secure (encrypted) connection. The form script appears to resubmit to itself via a relative URL (web talk for a link with no prefix or domain of its own, so it inherits the plain “http” prefix and domain of the page it sits on).

Curious, I put my IT husband on the case, and he used what’s known as a “packet sniffer”: software that captures the pieces of information, called packets, that travel back and forth whenever you submit something and receive a response over the web (or rather, over a network and then the web). An encrypted (SSL) packet is unreadable in a packet sniffer. However, the test data we submitted through the form on that page showed up perfectly intact in the packet sniffer. That means a knowledgeable computer person (with malicious intent) can, particularly if you are on, say, an unsecured network at a coffee shop or library, grab 100% of your credit card information, everything that person needs to use the card themselves online (including the CVV, address, name, and expiration date).

If I were Chris Doherty, I would be really pissed off at my web design firm. This is a terribly amateur mistake that could compromise the personal information of donors. And it needs to be fixed ASAP.

UPDATE: Looking at the code for the page now, the iframe links to “https://secure.sage-systems.com/cms/chrisdoherty/?l=donate”, which appears to be a secure site (the certificate doesn’t name ownership info, but it at least has SSL).

This means the parent page (the contribute page) itself still does not have SSL, but the transaction should be secure. It’s not how I would set it up, in that people do look for that padlock on the bottom bar when they are on a page asking for credit card information, and it will not appear there; but the form submission itself should be encrypted. I don’t have a packet sniffer here with me so I can’t check, but my guess is it’s encrypted. So good on the web updater for getting to it quickly. Still, pretty rookie move…
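The two situations described above (an iframe pulled over plain http whose form posts back to itself, and the updated setup where the iframe is https but the parent page is not) can be checked without a packet sniffer by resolving URLs the way a browser does. This is an added example, not code from the blog or from the campaign’s web firm; the HTML, the example.test host and the `fetch` stub are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            # No action attribute means "submit to the page's own URL".
            self.forms.append(a.get("action") or "")

def _parse(html):
    c = _Collector()
    c.feed(html)
    return c

def audit(parent_url, parent_html, fetch):
    """Return findings for a page that embeds a payment form in an iframe.
    fetch(url) must return the HTML of the framed page (stubbed below)."""
    findings = []
    if urlsplit(parent_url).scheme != "https":
        findings.append("parent page is not https: the browser shows no padlock")
    for src in _parse(parent_html).iframes:
        frame_url = urljoin(parent_url, src)
        if urlsplit(frame_url).scheme != "https":
            findings.append(f"iframe loaded over cleartext: {frame_url}")
        for action in _parse(fetch(frame_url)).forms:
            # A relative action resolves against the frame URL and inherits its scheme.
            target = urljoin(frame_url, action)
            if urlsplit(target).scheme != "https":
                findings.append(f"card data would be posted in cleartext to {target}")
    return findings

# Constructed sample pages on a placeholder host (not the real campaign site).
PARENT_BEFORE = '<p>This is a secure page</p><iframe src="http://secure.example.test/donate"></iframe>'
PARENT_AFTER = PARENT_BEFORE.replace("http://", "https://")  # the fix the update describes
FRAME_HTML = '<form method="post"><input name="card"><input name="cvv"></form>'  # posts to itself

def findings_before():
    return audit("http://example.test/contribute", PARENT_BEFORE, lambda url: FRAME_HTML)

def findings_after():
    return audit("http://example.test/contribute", PARENT_AFTER, lambda url: FRAME_HTML)
```

The in-page “This is a secure page” text is ignored entirely; only the schemes of the resolved URLs decide whether card data leaves the browser encrypted.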
