

Sundance asks for credit card info without SSL, says it has SSL anyways - magic5227

http://www.sundance.org/festival/tickets/registration/

Just bothers me that companies can get away with this given the recent history with Sony etc getting hacked.

http://www.box.com/shared/vdqv03hfgxri5ocreohz
======
boksiora
Not quite true...

If you noted your order is processed inside an <iframe> element which is
secured with https to
[https://webtix1.sundance.org/WebTixsNet/OrderFormPage.aspx?d...](https://webtix1.sundance.org/WebTixsNet/OrderFormPage.aspx?dtticks=634878250741441833)

~~~
magic5227
replied above

------
magic5227
actually "false, I checked that already. the iframe src is
<http://webtix1.sundance.org/webtixsnet/?key=RegPublic-PITW> the form's action
is "OrderFormPage.aspx?dtticks=634878773966587077" which means that the form
submits to
[http://webtix1.sundance.org/webtixsnet/OrderFormPage.aspx?dt...](http://webtix1.sundance.org/webtixsnet/OrderFormPage.aspx?dtticks=634878773966587077)

so the iframe isn't ssl, and the form doesn't submit to an SSL page either.

furthermore! even if the iframe were over ssl (which it isn't), that still
wouldn't be secure. since the outer page isn't over ssl, an attacker could
replace the iframe with one that has the same content but points to a non-ssl
page. this is why SSL is useless unless the user checks the browser SSL
indicator (the green lock in the URL bar)."
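
The check described in the comment above, as an added example that is not part of the thread: it walks a page's frame tree, resolves each form action against the URL of the frame that contains it, and reports every hop that is not HTTPS, including an HTTPS frame embedded by an HTTP parent. The URLs are the ones quoted in the thread; the markup, the `audit` function and the finding names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes, self.forms = [], []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self.iframes.append(attrs["src"])
        elif tag == "form":
            self.forms.append(attrs.get("action") or "")  # no action: submits to own URL

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def audit(top_url, documents):
    """Walk the frame tree from top_url (documents: URL -> HTML); return findings."""
    findings, seen = [], set()
    def walk(url, insecure_ancestor):
        if url in seen:
            return
        seen.add(url)
        if not is_https(url):
            findings.append(("insecure-document", url))
        elif insecure_ancestor:
            # An HTTP parent can be rewritten in transit to frame something else.
            findings.append(("https-frame-in-http-parent", url))
        page = Collector()
        page.feed(documents.get(url, ""))
        for action in page.forms:
            target = urljoin(url, action)  # relative action resolves against the frame URL
            if not is_https(target):
                findings.append(("insecure-form-target", target))
        for src in page.iframes:
            walk(urljoin(url, src), insecure_ancestor or not is_https(url))
    walk(top_url, False)
    return findings

# URLs are the ones quoted in the thread; the markup is constructed sample input.
OUTER = "http://www.sundance.org/festival/tickets/registration/"
FRAME = "http://webtix1.sundance.org/webtixsnet/?key=RegPublic-PITW"
SAMPLE = {
    OUTER: '<iframe src="%s"></iframe>' % FRAME,
    FRAME: '<form method="post" action="OrderFormPage.aspx?dtticks=634878773966587077"></form>',
}
if __name__ == "__main__":
    print(*audit(OUTER, SAMPLE), sep="\n")
```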

