Sundance asks for credit card info without SSL, says it has SSL anyways
4 points by magic5227 1805 days ago | 3 comments

Just bothers me that companies can get away with this given the recent history with Sony etc getting hacked.


Not quite true...

If you noted your order is processed inside an <iframe> element which is secured with https to https://webtix1.sundance.org/WebTixsNet/OrderFormPage.aspx?d...

replied above

actually "false, I checked that already. the iframe src is http://webtix1.sundance.org/webtixsnet/?key=RegPublic-PITW the form's action is "OrderFormPage.aspx?dtticks=634878773966587077" which means that the form submits to http://webtix1.sundance.org/webtixsnet/OrderFormPage.aspx?dt...

so the iframe isn't ssl, and the form doesn't submit to an SSL page either.

furthermore! even if the iframe were over ssl (which it isn't), that still wouldn't be secure. since the outer page isn't over ssl, an attacker could replace the iframe with one that has the same content but points to a non-ssl page. this is why SSL is useless unless the user checks the browser SSL indicator (the green lock in the URL bar)."
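
Added example, not part of the thread: the check described in the last comment, written as a small script that resolves each hop of an embedded order form the way a browser does and reports every hop that is not HTTPS. The outer page URL `http://outer-page.example/` is a constructed placeholder, the function name is hypothetical, and the code assumes the iframe document has no `<base>` element.

```javascript
// Resolve outer page -> iframe src -> form action, then flag every non-HTTPS hop.
// All hops must be HTTPS; a secure inner frame does not rescue an insecure outer page.
function auditCheckout({ pageUrl, iframeSrc, formAction }) {
  const page = new URL(pageUrl);
  // An iframe src is resolved relative to the document that embeds it.
  const frame = new URL(iframeSrc, page);
  // A relative form action is resolved relative to the iframe's own document URL
  // (assumption: no <base> element overrides it).
  const submit = new URL(formAction, frame);

  const findings = [];
  if (page.protocol !== "https:") {
    findings.push("outer page is not HTTPS: the iframe element can be replaced in transit");
  }
  if (frame.protocol !== "https:") {
    findings.push("iframe document is loaded without HTTPS: " + frame.href);
  }
  if (submit.protocol !== "https:") {
    findings.push("form submits without HTTPS: " + submit.href);
  }
  return { frame: frame.href, submit: submit.href, findings, ok: findings.length === 0 };
}

// Values quoted in the thread, with a constructed outer page URL.
const asReported = auditCheckout({
  pageUrl: "http://outer-page.example/",
  iframeSrc: "http://webtix1.sundance.org/webtixsnet/?key=RegPublic-PITW",
  formAction: "OrderFormPage.aspx?dtticks=634878773966587077",
});

// Hypothetical variant: iframe served over HTTPS, outer page still plain HTTP.
const httpsFrameOnly = auditCheckout({
  pageUrl: "http://outer-page.example/",
  iframeSrc: "https://webtix1.sundance.org/webtixsnet/?key=RegPublic-PITW",
  formAction: "OrderFormPage.aspx?dtticks=634878773966587077",
});

console.log(asReported.findings);
console.log(httpsFrameOnly.findings);
```

The second case still reports a finding, which is the commenter's point: the user has no browser indicator vouching for the frame when the page that embeds it is not itself HTTPS.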
