Sunday, July 29, 2007

online security ....

DISCLAIMER:
following entry is written with the intent to warn the users to be cautious while providing their sensitive information like credit card details while shopping online. all the analysis and judgement is absolutely based on my "current" knowledge about the whole concept and the readers are requested to make decisions based on theirs.

just a few weeks back i was trying to book a movie ticket online and i realized that the site was not secure enough to provide sensitive information (credit card details). i realized that the form was being submitted over plain http instead of the secure (https) protocol. my obvious attempt was to manually hit the https version of the URL but it failed. it took me back to the http form. i had to back off the booking plan .... i just prefer to play safe .... not that my credit limit is too high ;) but why take a chance. the theater was one of the reputed ones. i was really surprised coz it had the "Verisign Secure Site Safe Scrypt" logo on it. i clicked on the logo just to verify things, it led to some auto-generated page for that site which said the site was authentic so that i was guaranteed that the receiving party (for the card information) was the one to whom the site belonged. but it had some clause at the bottom which said "All information sent to this site, if in an SSL session, is encrypted, protecting against disclosure to third parties." what it implies is that if it's not over SSL, you may not be guaranteed security against eavesdropping. that is very convenient, isn't it? this is obviously my interpretation of the statement and everything else is based on this "assumption".

it is pretty scary just to imagine that your sensitive information is going in plain text over the wire. on second thoughts, i thought probably they must've used some new kinda technology which would encrypt and send even though it appeared to be plain http. i also thought that it could be the case of http upgrading to https (that's possible with http 1.1 though i could not entirely understand how it works) but then i tried submitting the form .... still there was no sign of https.

the only option left was to try capturing the raw packets just before they leave my machine. i verified that the information was going unencrypted by capturing a few packets using a packet sniffer. well i wasn't much surprised to see the information flowing in clear text in the request packet .... i was expecting it, but just wanted to make sure. it's really very dangerous. i immediately sent mail to the theater authorities but there was no response. as far as the logo (certificate of authenticity) issuing authorities are concerned they have clearly mentioned that if not over SSL, it may not be safe. now usually anyone wouldn't look into details once we spot the security logo. but then it's our mistake that we simply assume that everything is safe.
also i feel that the authorities should have issued certificate of genuine party / authenticity but safe scrypt could be misleading.

well is it the user, is it the certification / logo authority or is it the theater authority to be blamed ... i'm not sure but the user would surely suffer if somebody exploits such flaws.

so before you provide such information, always ... always watch out for
1) https protocol
2) certificate information (giving public key of the party)
just to make sure it's safe, at least going in the encrypted form.


- signing off
ameyas7
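The check described in the post (does the payment form actually submit over https?) can be done from the page source before anything is typed in. The following is an added example, not part of the original post: it parses a page's HTML, resolves each form's action against the page URL, and reports forms that carry card or password fields to a non-https address. The field-name hints, the function names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed field-name hints for payment and login data; extend for your own forms.
SENSITIVE_HINTS = ("card", "cvv", "expiry", "password")

class FormAuditor(HTMLParser):
    """Collect every <form> with its resolved action URL and its field names."""
    def __init__(self, page_url):
        super().__init__()
        self.base, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
        elif tag == "form":
            # A missing or empty action submits to the page's own URL.
            action = urljoin(self.base, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            field = (a.get("name") or "", (a.get("type") or "text").lower())
            self._current["fields"].append(field)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_sensitive_forms(page_url, html):
    """Return (action_url, sensitive_field_names) for forms not posting to https."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    findings = []
    for form in auditor.forms:
        sensitive = [n for n, t in form["fields"]
                     if t == "password" or any(h in n.lower() for h in SENSITIVE_HINTS)]
        if sensitive and urlparse(form["action"]).scheme != "https":
            findings.append((form["action"], sensitive))
    return findings

# Constructed sample page (not the site from the post), served over plain http.
SAMPLE_URL = "http://tickets.example/booking"
SAMPLE_HTML = (
    '<form action="/pay" method="post"><input name="card_number">'
    '<input name="cvv" type="password"><input type="submit"></form>'
    '<form action="https://tickets.example/login"><input name="password" type="password"></form>'
)
print(insecure_sensitive_forms(SAMPLE_URL, SAMPLE_HTML))
```

A relative action such as `/pay` inherits the scheme of the page it sits on, which is why the first form is reported even though its markup never mentions http.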
