I’ve just purchased my ticket for O’Reilly ETech… well almost purchased it!
Everything was going well until I went to enter my credit card and realised the page wasn’t secure!
Having navigated their slightly bizarre signup process, which didn’t work with Firefox, I proceeded through the pages of personal information, tutorial selection and marketing survey.
But it was only when I was presented with the credit card page that I realised the site wasn’t using industry-standard 128-bit encryption via SSL (https).
You can check out a full screen grab here
(Before anyone asks, the action url attached to the form tag wasn’t secure either.)
I telephoned O’Reilly and was put through to Jason on their customer support. He said that they had received a few other calls about this, but ‘apparently it was secure’.
I begged to differ, for obvious reasons considering the evidence in front of me in my browser.
Frustrated that I couldn’t pay for my ticket online, I asked whether I could pay over the phone instead. I spoke to a sales agent who informed me that she had to use the same system as the public, and as such her transaction wouldn’t be secure either.
I’m usually quite a fan of O’Reilly, but I have to say this looks really bad for them – particularly considering the nature of the conference and the nature of their business generally.
But the matter is even more serious when you consider:
- O’Reilly was already aware of the issue having “received a few calls already about it”
- It didn’t appear to be an intermittent problem – it looks like anyone who has already purchased a ticket via their web-based system has sent their credit card details insecurely over HTTP
- It appears that if you bought your ticket over the phone, the ticket agents may also have processed your payment via an insecure HTTP transaction
Most people don’t check these days to see whether their credit card page is secure, especially when buying from trusted sites such as O’Reilly. I wonder how many other people have been affected by this?
This might be a stupid question, but did you try just hacking the URL to https://conferences.oreillynet.com/cs/et2006/edit/reg/? That seems to work for me.
Looks like a rather silly (and costly, in terms of security and PR) typo where the ‘s’ has been missed off from a link…
Frankie
I didn’t try hacking the link, although I’m sure that would have worked.
The point for me is that if I hadn’t noticed… etc
On a technical note, hacking around with a URL can sometimes trash any state or session information, and I didn’t want to lose all the information I had already entered. As it turns out I went back a step and opted to ‘mail in a check’ instead so that my details were on file – but will be paying via card at a later date.
I agree that it’s a big mistake.
I also think that it’s a mistake to have a server work so that any page can be viewed either securely or non-securely simply by using http:// or https://. I guess it might be useful to have the option to view normal pages securely, but if it’s possible for any payment form to be made unsecure by hacking the URL, then that’s a mistake as someone could easily pass the unsecure link around and then pick up the personal details / credit card info.
I think it’s fine to have both http and https on the same webroot – the secure pages should pick up whether the URL is in secure mode or not and take action; it’s a fairly trivial matter to add this in and forward on accordingly. Whilst I think it’s a shame, I think these things tend to happen and often it’s the public who spot it. A developer adding the link to the page just forgot the ‘s’ – I’ve done worse!
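The two checks the thread has been circling around, as an added example in Python that is not from the original post or from O’Reilly’s registration system: a secure page noticing it was requested over plain HTTP and forwarding to the https:// URL (the comment above), and a pre-deployment audit that catches a form whose action is missing the ‘s’ (the typo suggested earlier in the thread). The WSGI-middleware shape, the path prefixes, the host names and the sample HTML are all assumptions constructed for this example.

```python
"""Added example: two defensive checks prompted by the thread above.

enforce_https()              - WSGI middleware: a sensitive path requested over
                               plain HTTP is redirected to https://; a POST that
                               already arrived in the clear is refused, not processed.
find_insecure_form_actions() - audit: parse an HTML page and report every <form>
                               whose action would submit over http://.
Host names, paths and the sample page below are constructed, not real.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: URL prefixes under which card details are entered.
SENSITIVE_PREFIXES = ("/reg/", "/checkout/")


def enforce_https(app, sensitive_prefixes=SENSITIVE_PREFIXES):
    """Wrap a WSGI app so that sensitive paths are only served over TLS."""

    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "")
        scheme = environ.get("wsgi.url_scheme", "http")
        if scheme == "https" or not path.startswith(sensitive_prefixes):
            return app(environ, start_response)

        method = environ.get("REQUEST_METHOD", "GET").upper()
        if method in ("GET", "HEAD"):
            # Safe request: send the browser to the https:// version of the page.
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Type", "text/plain")])
            return [b"This page is only available over HTTPS.\n"]

        # A POST over plain HTTP has already exposed its body in transit; a
        # redirect cannot undo that, so refuse to process it at all.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Form submitted over an insecure connection; not processed.\n"]

    return middleware


class _FormActionCollector(HTMLParser):
    """Collect the absolute action URL of every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""  # empty action = same page
            self.actions.append(urljoin(self.page_url, action))


def find_insecure_form_actions(html, page_url):
    """Return the form-action URLs in `html` that would submit over plain http."""
    collector = _FormActionCollector(page_url)
    collector.feed(html)
    collector.close()
    return [url for url in collector.actions if urlsplit(url).scheme == "http"]


# --- Constructed sample data and a tiny harness so the module runs stand-alone ---

def _demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"payment form\n"]


SECURE_APP = enforce_https(_demo_app)


def make_environ(scheme, method, path, host="conferences.example.test", query=""):
    """Build a minimal WSGI environ (constructed, not captured from a real server)."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method, "PATH_INFO": path,
            "HTTP_HOST": host, "QUERY_STRING": query}


def call(environ, app=SECURE_APP):
    """Invoke a WSGI app and return (status, headers_dict, body_bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


SAMPLE_PAGE_URL = "https://pay.example.test/cs/reg/"
SAMPLE_PAGE = """<html><body>
<form action="http://pay.example.test/cs/reg/card" method="post"></form>
<form action="https://pay.example.test/cs/reg/card" method="post"></form>
<form action="/cs/reg/confirm" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    status, headers, _ = call(make_environ("http", "GET", "/reg/card", query="step=3"))
    print(status, "->", headers["Location"])
    print(call(make_environ("http", "POST", "/reg/card"))[0])
    print(find_insecure_form_actions(SAMPLE_PAGE, SAMPLE_PAGE_URL))
```

The redirect only protects the next request: once a browser has posted card details over plain HTTP, nothing the server does afterwards retrieves them from the wire, which is why the middleware refuses a cleartext POST rather than forwarding it. The audit catches the defect before deployment instead, including the case where the page itself is served over http:// and a relative action silently inherits that scheme.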
Actually, just thought I would add the worst thing I’ve ever done: On our live web server in the olden days I ran rm -rf * on the webroot and vaped pretty much everything before I realised and killed it 🙂 Had a massive half hour panic mode of restoring – shit happens and you move on eh!
Ouch!
I use Remote Desktop into our live server almost every day, and sometimes it’s easy to come very close to hitting ‘shutdown’ rather than ‘log off’ at the end of the day. Luckily, I haven’t actually done it. Yet.