First off: I really like Archie McPhee. They have awesome, fun stuff and you should go there right now and buy a cool gift for someone for the upcoming Christmas season. But I found a Web security expert there who graduated from WTF University.
A few months back, I attempted to purchase a gift certificate from Archie McPhee’s wonderful online store, McPhee.com. In the middle of filling out the form, formerly located at http://mcphee.com/info/gc.html, I noticed that it had fields for credit card information; however, a quick glance at the URL showed me that there was no SSL connection, and thus any info I’d submit would’ve been in the clear for any enterprising person to snatch. So I started a conversation with Mr. Archie McPhee, who served as a very helpful and friendly go-between for me and their IT person. After explaining to their IT person that credit card information submitted via plain old port 80 HTTP is as naked as a newborn, the IT person replied thusly:
“The gc buy page is NOT secure, in that it doesn’t use SSL, but in this case it doesn’t matter. This particular page kicks off a script on the server which then transfers the information to us via an encrypted email. No credit card information is ever passed on via HTTP, therefore the SSL certificate doesn’t come into play. A sniffer would have to be running on our actual server, since no internet traffic is generated by the form post. In fact, the gc.html page does not even touch the cookie.”
Those of you who are familiar with how the web works will see the flaw in this logic right away: the form post itself is internet traffic. The card number travels from the customer’s browser to the server in cleartext, and only after it has already crossed the network does the server-side script encrypt it. Basically, it’s like a waiter at a restaurant putting my credit card information in their protected safe while taping a copy of the information to the front door.
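The check I wish their IT person had run, as an added example that is not from the original post: parse a page’s forms, and flag any form that collects card-like fields but resolves its action URL to plain http://. The markup below is a constructed stand-in for the old gc.html form, not the real page, and the field-name hints are a heuristic I chose for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest payment data (constructed heuristic).
SENSITIVE_HINTS = ("card", "ccnum", "cc_", "cvv", "cvc", "expir")


class FormAuditor(HTMLParser):
    """Collect each <form>'s resolved action URL and its input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": str, "fields": [names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page URL itself,
            # so a relative action inherits the page's scheme.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_card_forms(html, page_url):
    """Return [(action_url, matching_fields)] for forms that would send
    card-like fields somewhere other than an https:// endpoint."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        hits = [f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS)]
        if hits and urlsplit(form["action"]).scheme != "https":
            findings.append((form["action"], hits))
    return findings


# Constructed sample resembling the gift-certificate form described above.
SAMPLE_HTML = """
<form method="post" action="/cgi-bin/gc.cgi">
  <input name="recipient"><input name="ccnum"><input name="cc_expiry">
</form>
<form method="post" action="https://example.com/secure/gc"><input name="ccnum"></form>
"""

if __name__ == "__main__":
    for action, fields in find_insecure_card_forms(SAMPLE_HTML, "http://mcphee.com/info/gc.html"):
        print(f"INSECURE: {action} receives {fields} over plain HTTP")
```

Only the first form is reported; the second posts to an https:// endpoint, so the card number is protected in transit even if the page itself was loaded over HTTP.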
Thankfully, they have taken down their online gift certificate ordering page. Hopefully they will put up a secure form soon so I can resume giving the gift of bacon strip bandages, bobblehead Jesus dolls, and avenging unicorn playsets. Despite my experience, I still highly recommend Archie McPhee – don’t let this post stop you from buying stuff from them!
And here is an interesting related post from spugbrap.