Monday, November 27, 2006

So much for security!

If you are booking online on Spicejet, beware.
The lovely site, which says "VeriSign secured" etc., actually sends all your credit card information as a query string!
So much for SSL!

I had written to them around 2 months back and it still remains the same!

5 comments:

Chris Leishman said...

Actually, SSL will still protect the data transfer regardless of whether it's in a query string of a URL or in a POST request. The only concern is that your local browser might save the full URL in its history - so don't log in from a public machine I guess.

Narayan Raman said...

Yes. The issue is with the browser history showing it. Easily fixable, if they had wanted to.

Huw Lewis said...

The other problem is that the URLs will be recorded on the server in the plain text server access logs. Therefore anyone who has access to these will have access to all the credit card details even if they are encrypted in the main database.

Chris Leishman said...

True, although at that point you're still outside the SSL session, so it's really a question of process on the company's side and you just have to trust them no matter what. They could still log POST requests, or maybe not encrypt numbers in the DB for all we know. Or perhaps they've 'fixed' this issue by turning off logging.

santhosh said...

This problem is everywhere; companies are least bothered with security, and by putting "SSL secured" they make people think it's very secure. In the end, I found a similar problem with the Hutch site (maybe worse than this!!), check my blog entry at http://santhosh-shrugged.blogspot.com/2006/12/hutch-and-security.html
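The thread above makes two points that are easy to see in code: TLS encrypts the whole request on the wire, but a GET query string still lands in the browser history, in Referer headers and in the server's plain-text access log, whereas a POST body is not in a default access log at all. The following is an added example (not code from the blog or from any airline's site) that renders the two request shapes a browser would send inside the TLS tunnel, then scans a few constructed access-log lines in the common "combined" format for query-string values that pass the Luhn check, the sort of sweep an operator can run over their own logs to find out whether card numbers have been ending up there. The host `example.invalid`, the log lines and the card number (a widely used Luhn-valid test value, not a real account) are all constructed.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed test PAN: passes Luhn, is not a real account number.
TEST_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_request(method: str, path: str, fields: dict) -> str:
    """Render the plaintext HTTP request a browser sends inside the TLS session.
    GET puts the form fields in the request line; POST puts them in the body."""
    body = urlencode(fields)
    if method == "GET":
        return f"GET {path}?{body} HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    return (f"POST {path} HTTP/1.1\r\nHost: example.invalid\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def pan_in_request_line(method: str) -> bool:
    """Does the card number appear in the part of the request that access logs record?"""
    req = build_request(method, "/book/pay", {"cardno": TEST_PAN, "expiry": "1208"})
    request_line = req.split("\r\n", 1)[0]   # only this line is logged by default
    return TEST_PAN in request_line


# Combined log format records the request line but never the POST body.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PAN_RE = re.compile(r"\d{13,19}")


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as a log or ticket should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pan_leaks(log_lines):
    """Return (line_no, parameter_name, masked_pan) for every query-string value
    that is 13-19 digits long and Luhn-valid. Digit runs that fail Luhn (booking
    references, phone numbers) are ignored to keep false positives down."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query).items():
            for value in values:
                digits = re.sub(r"[ -]", "", value)
                if PAN_RE.fullmatch(digits) and luhn_ok(digits):
                    findings.append((n, name, mask(digits)))
    return findings


# Constructed sample access-log lines (combined format).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Nov/2006:10:15:01 +0530] "GET /book/pay?name=A+Traveller'
    '&cardno=4111111111111111&expiry=1208&cvv=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Nov/2006:10:15:09 +0530] "POST /book/pay HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Nov/2006:10:16:30 +0530] "GET /search?pnr=1234567890123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("GET  leaks PAN into request line:", pan_in_request_line("GET"))
    print("POST leaks PAN into request line:", pan_in_request_line("POST"))
    for line_no, param, masked in find_pan_leaks(SAMPLE_LOG):
        print(f"line {line_no}: parameter '{param}' carries a card number {masked}")
```

Switching the form to POST removes the number from history, Referer headers and default access logs, but, as the fourth comment notes, it does not remove it from anything the operator chooses to log; request-body logging, debug dumps and application logs need the same sweep, and the scan above is just as applicable to those once they are parsed.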