Full Version: AutoAtlanta
stateofidleness
Just made my first order with AutoAtlanta and noticed that, once you go to checkout, for new customers where you fill out your Shipping and Billing as well as credit card info, the page is not a secure page??

So.. I would advise that if you are making a purchase with them, add an "s" after the "http" in the address bar before filling out the form.

computer security major... kinda bugs me when i see stuff like that... so just a heads up

maybe the AA webmaster can fix this, would take all of 2 seconds

anyways, can't wait to get the stuff!!
biosurfer1
wow, that surprises me. When we got our SSL it automatically updated links to https... I would never fill out anything without that little lock in the bottom right!
Jason.H
Hi Guys!

Manually creating a secure connection for that page is not necessary. All of your information is submitted through SSL to a separate handler, not that page. Once you fill in the form and hit submit, it's sent through a secure connection.

To ease worries though I made that page secure also. Sorry to get you guys worried!


Best regards,
Jason Humphrey
Auto Atlanta
770.427.2844 ext. 12
plymouth37
Well that was quick! Thanks Jason!
stateofidleness
Wow jason, thanks for the fix.
I think by not being an SSL page when entering the information leaves it susceptible to being spoofed more easily? Because, someone won't know they're "secure" until they hit submit might deter some people. It would be harder to spoof an ALREADY SSL encrypted page than it would be to spoof the current page.

Just throwin that out there, but awesome turn-around.

OT: hey jason, do y'all have company stickers or logos? I like to show support for who is aiding me in this addiction lol
ericread
I think the original post was excellent in bringing a potential security issue to light to all of us. The response from AA (Jason) was great.

Thanks to all!
Jason.H
QUOTE(stateofidleness @ Jun 12 2008, 08:33 AM) *

Wow jason, thanks for the fix.
I think by not being an SSL page when entering the information leaves it susceptible to being spoofed more easily? Because, someone won't know they're "secure" until they hit submit might deter some people. It would be harder to spoof an ALREADY SSL encrypted page than it would be to spoof the current page.

Just throwin that out there, but awesome turn-around.

OT: hey jason, do y'all have company stickers or logos? I like to show support for who is aiding me in this addiction lol



No problem. Any time you come across something that seems odd, or you have a question, you can let me know directly: jason<!at!>autoatlanta.com

Generally SSL is more for sniffers than spoofing. Spoofing would be if someone got you to go to a malicious website designed to look like ours with the intent of collecting your information. Anyone with a few bucks can have an SSL set up so having https won't make much difference. Heck, when was the last time you inspected the security certificate issued by the server?

Sniffers are designed to pull packets from the network for inspection. The packets carry the information you filled into the form. A secure connection encrypts the transmission so that anyone listening in can't tell what's being said, at least that's the idea.

Again, the transmission has always been encrypted, I just made it a bit more obvious.

I'm not sure if we have much in the way of stickers. I'll see if I can dig something up, otherwise I'll put it in the suggestions box.

SirAndy
QUOTE(Jason.H @ Jun 12 2008, 11:57 AM) *

Heck, when was the last time you inspected the security certificate issued by the server?

this morning ...


but then again, i work in that industry. the everyday user probably does not even know how to check the validity of an SSL certificate ...
Andy
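
The situation discussed in this thread, a checkout form loaded over plain http whose submit target is an https handler, can be told apart from a fully secure page and from a cleartext submit by looking at the page URL and the form's action. The following is an added example, not part of the original thread or AutoAtlanta's code; the host `shop.example`, the markup and the field-name hints are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed field-name hints for payment or login data (not taken from the thread).
SENSITIVE = ("card", "cvv", "password")

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self.in_form = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.in_form:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit_forms(page_url, html):
    """Return (submit_url, verdict) for every form holding a sensitive field."""
    parser = FormCollector()
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        if not any(hint in name for name in form["fields"] for hint in SENSITIVE):
            continue
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            verdict = "cleartext-submit"    # form data crosses the network unencrypted
        elif not page_secure:
            verdict = "insecure-form-page"  # submit is encrypted; the form itself arrived over http
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results

# Constructed sample markup; shop.example is a placeholder host.
CHECKOUT = '<form action="https://shop.example/handler"><input name="card_number"></form>'
RELATIVE = '<form action="/handler"><input name="cc_cvv"></form>'

if __name__ == "__main__":
    print(audit_forms("http://shop.example/checkout", CHECKOUT))
    print(audit_forms("https://shop.example/checkout", CHECKOUT))
    print(audit_forms("http://shop.example/checkout", RELATIVE))
```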