[thelist] Flash e-commerce security question

Kelly Hallman khallman at wrack.org
Thu Mar 27 16:39:44 CST 2003


On Thu, 27 Mar 2003, Tara Cleveland wrote:
> I also noticed that the security certificate was invalid and that the
> page could be seen in transit by others.

Even with an invalid certificate, the SSL still protects information from 
being viewed by others while in transit (I assume you misread the popup).  

The reason it warns you is because part of the SSL scheme is based on
"trust" -- if the certificate does not meet various criteria, you receive
a warning.  In this case, the cert does not match the name of the site and
it appears to have been self-issued by/to plesk.com.  The reason this is
important is because you have no real assurance that the site is who they
say they are or that your data is going to the intended party.

However, the data is still encrypted in transit -- IF it's SSL:

Some items on those pages are not being fetched via SSL, so you get a
warning saying the page contains non-secure items.  If you choose not to
display the insecure items, you do get the lock icon.  It's not obvious
upon cursory inspection just what is being fetched insecurely, perhaps it 
is the references to the Flash download locations within the embed...
(It seems to work just fine w/o the insecure items...)

At any rate, this is all very sketchy.  I wouldn't buy from a site that
didn't have the wherewithal to have a legit, working cert and I would
also be tipped off by the non-secure items warning.  Though I doubt either
of these facts indicates any true risk to the buyer, it'd be enough to
significantly reduce sales -- browser and plug-in requirements aside.  
(And who knows how many sales you'd lose to those requirements.)

I actually like Flash (as a developer and a user) but it is beyond bogus
to use it as a plain form...why?  I didn't progress beyond the initial
form, but I doubt Flash is being put to appropriate use beyond that either
- another indicator that this company might not really be totally with
it... either they are lazy or ignorant, maybe both...

Good luck!

-- 
Kelly Hallman
http://wrack.org/
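
Added example, not part of the original post: one way to find which items on an HTTPS page are referenced over plain http://, the "non-secure items" behind the warning described above. The tag/attribute list, the function names and the sample page are assumptions of this example; which attributes a given browser actually fetches and warns about varies.

```python
from html.parser import HTMLParser

# Tags and attributes to inspect (this example's assumption). A plain
# <a href> is navigation rather than a page item, so it is not listed.
CHECKED = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "param": ("value",),
    "object": ("data", "codebase"), "embed": ("src", "pluginspage"),
}

class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, url) for every absolute http:// reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            if name not in CHECKED.get(tag, ()) or not value:
                continue
            url = value.strip()
            # Relative and https:// URLs inherit or keep the secure scheme.
            if url.lower().startswith("http://"):
                self.findings.append((tag, name, url))

def find_insecure_items(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page (not the site from the thread); URLs are placeholders.
SAMPLE = """
<html><body>
<a href="http://example.com/about.html">About</a>
<img src="https://shop.example.com/logo.gif">
<object codebase="http://download.example.com/flash/swflash.cab">
  <param name="movie" value="checkout.swf">
  <embed src="checkout.swf" pluginspage="http://www.example.com/getflash">
</object>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_items(SAMPLE):
        print(f"<{tag} {attr}> -> {url}")
```

On the sample, only the Flash download references in the object and embed tags are reported; the movie itself is a relative URL and loads over the page's own scheme.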



