Comments on: Name your own price on dental products http://www.spugbrap.com/blog/2006/07/name-your-own-price-on-dental-products/ This is a repository for my favorite scripts, regexes, commandlines, utilities, code snippets, tips, and other geeky things that might be useful to someone googling for an obscure solution some day. It's also a place to share my thoughts about companies I've dealt with, my favorite lifehacks, observations of interesting human behavior, clever and/or evil marketing schemes I've run across, and anything else I feel compelled to write about. Tue, 06 Jan 2009 06:20:33 +0000 http://wordpress.org/?v=2.2.3 By: Dave O http://www.spugbrap.com/blog/2006/07/name-your-own-price-on-dental-products/#comment-87 Dave O Tue, 18 Jul 2006 15:29:28 +0000 http://www.spugbrap.com/blog/2006/07/name-your-own-price-on-dental-products/#comment-87 Gotta love those security holes. I had a similar issue with trying to buy a gift certificate from Archie McPhee's store. Check out their gift certificate page:<br/><br/>http://www.mcphee.com/info/gc.html<br/><br/>NO SSL WHATSOEVER. I contacted them and said they lost business from me because of it (I'm not about to put my credit card info out into the open). They emailed me back and tried to say I was mistaken about the lack of security on that page. The funniest part was that their IT guy was trying to convince me that it was secure. Excerpt from his email follows:<br/><br/>"the gc buy page is NOT secure, in that it doesn't use SSL, but in this<br/>case it doesn't matter. this particular page kicks off a script on the<br/>server which then transfers the information to us via an encrypted email.<br/>no credit card information is ever passed on via HTTP, therefore the SSL<br/>certificate doesn't come into play. A sniffer would have to be running on<br/>our actual server, since no internet traffic is generated by the form<br/>post. In fact, the gc.html page does not even touch the cookie."<br/><br/>I love the horrendously flawed logic behind that claim. The sad thing is that I'm guessing many folks use the gift certificate form without realizing their credit card information is out in the open for the taking. And I *love* Archie McPhee's products (they make cool novelties like the Jesus Bobblehead and bandaids that look like strips of bacon), so it is all rather unfortunate. Gotta love those security holes. I had a similar issue with trying to buy a gift certificate from Archie McPhee’s store. Check out their gift certificate page:

http://www.mcphee.com/info/gc.html

NO SSL WHATSOEVER. I contacted them and said they lost business from me because of it (I’m not about to put my credit card info out into the open). They emailed me back and tried to say I was mistaken about the lack of security on that page. The funniest part was that their IT guy was trying to convince me that it was secure. Excerpt from his email follows:

“the gc buy page is NOT secure, in that it doesn’t use SSL, but in this
case it doesn’t matter. this particular page kicks off a script on the
server which then transfers the information to us via an encrypted email.
no credit card information is ever passed on via HTTP, therefore the SSL
certificate doesn’t come into play. A sniffer would have to be running on
our actual server, since no internet traffic is generated by the form
post. In fact, the gc.html page does not even touch the cookie.”

I love the horrendously flawed logic behind that claim. The sad thing is that I’m guessing many folks use the gift certificate form without realizing their credit card information is out in the open for the taking. And I *love* Archie McPhee’s products (they make cool novelties like the Jesus Bobblehead and bandaids that look like strips of bacon), so it is all rather unfortunate.

]]>