[thelist] I can't believe what I just read....

Lumir G Janku lgjanku at w3matrix.com
Thu Oct 19 12:50:38 CDT 2000

Actually, VeriSign/Signio use the same method for merchant id, except you 
don't need to pass the amount as hidden varieble, but you certainly can. 
However, when the merchant sets up the gateway parameters on the VeriSign 
end, they specify the url that the form is accepted from. So, it you try to 
spoof the form and send it from an untrusted server, you are SOL. I assume 
these guys have a similar setup.

>At 04:10 PM 10/18/2000, you wrote:
>>on 10/18/00 1:09 PM, Anthony Baratta at Tony at IdeaSystems.com wrote:
>> > http://www.rtware.net/weblink.html
>My point with the incredulous-ness of the service is that you are 
>embedding your login name AND price using hidden fields in the form!!! SSL 
>or not, this is NOT secure. Not by a long shot.
>I can't believe that this is even considered a viable solution. I'm the 
>last person to ask about security (OK maybe not last, but I don't play a 
>security expert on TV.) and this seems so full of holes that I'm dumb 
>founded - versus struck dumb like some people would prefer me. ;-)
>I'll slink away and say no more if you think I'm smoking crack.
>Anthony Baratta
>Keyboard Jockeys
>For unsubscribe and other options, including
>the Tip Harvester and archive of TheList go to:
>http://lists.evolt.org Workers of the Web, evolt !

More information about the thelist mailing list