Secure connection on Turbosat.com?
mm
Posted: Fri Apr 29, 2005 9:11 am
This is my first post! I don't want to start a panic, I hope that someone can put my mind at ease.

I have a security concern about the Turbosat website.

I got distinctly worried when I started filling in the online ordering process and it requested sensitive information (address, card holder name etc.) on an insecure page (HTTP rather than HTTPS). I stopped at that point and didn't take it any further (I am a little paranoid but then I work in IT).

Given that I presume many people on this forum have ordered from the Turbosat website please tell me it does switch to an SSL protected connection at some point or are people trusting that no one is eavesdropping on their payment details?

I presume the ordering system is an in-house development since it is blatantly written in Perl (this information could easily be hidden from me, I don't want to know). Also, I was able to query the system to obtain the operating system type, web server type, installed modules and version information. How to get this potentially security compromising information will be common knowledge to any hacker (it should be easy to hide with the appropriate web server configuration [ServerTokens Prod etc.]).

I'm not a security expert or a nasty hacker but if I can see the potential for security flaws after looking for a few minutes I presume anybody could.

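The concern raised in this post, a checkout form that asks for card and address details while the page and its form action are plain HTTP, can be checked mechanically before anything is submitted. The following is an added example (not code from this thread, from Turbosat or from Actinic) that parses a page's HTML, resolves each form's action against the page URL and reports forms that would send sensitive-looking fields without TLS. The field-name patterns, the sample HTML and the host names are constructed assumptions.

```python
"""Check whether an HTML page's forms submit sensitive fields over plain HTTP.

Added example (not code from the thread or from Actinic): given a page URL and
its HTML, list every form whose resolved action URL is not https:// and which
asks for payment or address details. The field-name patterns are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed field-name patterns for "sensitive" inputs (card, cardholder, address).
SENSITIVE = re.compile(r"card|cc|cvv|cvc|expir|holder|address|postcode|zip", re.I)


class FormCollector(HTMLParser):
    """Collects each <form> with its action attribute and its input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Buttons and hidden fields carry no user-typed data; skip them.
            if (a.get("type") or "").lower() in ("submit", "hidden", "button"):
                return
            self._current["fields"].append(a.get("name") or a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_sensitive_forms(page_url, html):
    """Return (resolved action URL, sensitive field names) for each form that
    would post sensitive data without TLS. An empty action submits back to the
    page itself, so in that case the page's own scheme decides."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = urljoin(page_url, form["action"]) if form["action"] else page_url
        sensitive = [f for f in form["fields"] if SENSITIVE.search(f)]
        if sensitive and urlsplit(action).scheme.lower() != "https":
            findings.append((action, sensitive))
    return findings


# Constructed sample page: one checkout form posting over HTTP (relative action
# on an http:// page), one posting to an https:// payment host, one search form.
SAMPLE_HTML = """
<html><body>
<form action="/cgi-bin/order.pl" method="post">
  <input name="cardholder_name"> <input name="card_number">
  <input name="address1"> <input type="submit" value="Order">
</form>
<form action="https://pay.example.test/checkout" method="post">
  <input name="card_number"> <input name="cvv">
</form>
<form action="search.pl"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    page = "http://shop.example.test/acatalog/"
    for action, fields in insecure_sensitive_forms(page, SAMPLE_HTML):
        print(f"sensitive fields {fields} would be sent over plain HTTP to {action}")
```

The check only covers the form as served; a script or plug-in that encrypts fields before submission (the Actinic Java module discussed later in the thread) is invisible to it, which is exactly why a plain-HTTP checkout page looks alarming to a user who has been told to "look for https".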
nwhitfield (Site Admin)
Posted: Fri Apr 29, 2005 9:39 am
The site uses Actinic Catalog, which is a well known and long established e-commerce application, which I've looked at several times for my e-commerce features in PCW.

A lot of the catalog stuff is indeed written in perl; it's a very portable system (with an amazingly clever automated installer too). One of its chief strengths, though not as important now that certificates are much cheaper, is that it incorporates an extremely secure encryption module which allows for the use of a secure Java plug-in at the final stages of the purchasing process, without needing SSL installed and configured on the server.

The banks are happy with that, and don't appear to have raised any concerns over the module during the years it's been in use; if they thought there was a potential flaw, they'd not allow it to be used to accept information - they're pretty picky.

Catalog can be configured to use SSL, but by providing the alternative, Actinic makes it very easy for a lot of firms to sell online who wouldn't otherwise be able to (you'll see acatalog in lots of shop URLs, which is the giveaway); I have mentioned to them before that I think it could do with more information to reassure people, since the message we often give in magazines is 'look for https.'

As for other module information from the web server, that's not too important. Sure, some dimwitted script kiddies will rely on it. But hiding it in the config isn't going to make a server any more secure if someone's intent upon attacking it. They'll try all the known hacks anyway. Obscurity is no defence.

Anyway, I hope I've reassured you on the shopping front. Actinic Catalog really is safe; I'd recommend it to many people who want to set up a simple shop for a small company. It really is a great solution.

Nigel.
mm
Posted: Fri Apr 29, 2005 10:09 am
nwhitfield wrote:
I have mentioned to them before that I think it could do with more information to reassure people, since the message we often give in magazines is 'look for https.'

Exactly so, certificates are de rigueur and to not use them is to risk driving away customers.

A "Powered by Actinic Catalog" link would possibly be reassuring also. If the site had such a link then I wouldn't be asking these questions!

nwhitfield wrote:
Anyway, I hope I've reassured you on the shopping front. Actinic Catalog really is safe; I'd recommend it to many people who want to set up a simple shop for a small company. It really is a great solution.

Sort of, but I'd still prefer not to have to give my address and card holder name over an insecure connection (I suppose I'll phone them instead).

Cheers,

mm

nwhitfield (Site Admin)
Posted: Fri Apr 29, 2005 10:13 am
It won't be an insecure connection; once the Actinic Java app loads, or if you're directed to a secure payment page at the end, the data will be secure.

The Actinic Java app encrypts the data in your browser, and sends it as an encrypted order to the server. It's not decrypted until the order is transferred to the PC on which the in-house Actinic software runs, for order processing. So even if someone did compromise the web server, there are no unencrypted card details anywhere, which is more than can be said of some commerce apps.

Nigel