I’ve just purchased my ticket for O’Reilly ETech… well almost purchased it!
Everything was going well until I went to enter my credit card and realised the page wasn’t secure!
Having navigated their slightly bizarre signup process, which didn’t work with Firefox, I proceeded through the pages of personal information, tutorial selection and marketing survey.
But it was only when I was presented with the credit card page that I realised the site wasn’t using industry-standard 128-bit encryption via SSL (https).
(Before anyone asks, the action URL attached to the form tag wasn’t secure either.)
I telephoned O’Reilly and was put through to Jason on their customer support. He said that they had received a few other calls about this, but ‘apparently it was secure’.
I begged to differ, for obvious reasons considering the evidence in front of me in my browser.
Frustrated that I couldn’t pay for my ticket online, I asked whether I could pay over the phone instead. I spoke to a sales agent who informed me that she had to use the same system as the public, and as such her transaction wouldn’t be secure either.
I’m usually quite a fan of O’Reilly, but I have to say this looks really bad for them – particularly considering the nature of the conference and the nature of their business generally.
But the matter is even more serious when you consider:
- O’Reilly was already aware of the issue having “received a few calls already about it”
- It didn’t appear to be an intermittent problem – it looks like anyone who has already purchased a ticket via their web-based system has sent their credit card details insecurely over HTTP
- It appears that if you bought your ticket over the phone, the ticket agents may also have processed your payment via an insecure HTTP transaction
Most people don’t check these days to see whether their credit card page is secure, especially when buying from trusted sites such as O’Reilly. I wonder how many other people have been affected by this?