[Gloucs] Login site of Worldpay.com
John Cumming
john at jsolutions.co.uk
Thu Dec 1 12:53:41 GMT 2005
Sounds a bit like poor design to me, but it should send your user name and
password encrypted as the ssl connection will be established before the
request is sent ... at least that's my understanding of it.
However, unless you take a good look at the source code, how do you know the
data isn't sent insecurely first and then redirected to the secure site....
like I say bad design.
Another point of 'the key' is that it authenticates the web site.... How do
you know that the web page is from who it says it's from.... you could be
giving anyone your details.
The user should not be expected to have to dicepher the html code before
logging in!
JC
-----Original Message-----
From: gloucs-bounces at mailman.lug.org.uk
[mailto:gloucs-bounces at mailman.lug.org.uk] On Behalf Of Christian Trapp
Sent: 01 December 2005 11:42
To: Gloucestershire LUG
Subject: [Gloucs] Login site of Worldpay.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello all!
I know, this is probably off topic, but hopefully, somebody can help me.
I just wondered about the login page for worldpay.com. It is not
encrypted (no https protocol) for the user account, so I wrote them
to make sure it is safe. I got an answer, please read below:
Especially the following part, I think is not true.
= I understand that you are concerned about the security of our
payment page
= and I would like to assure you that even though a padlock icon is not
= displayed, our payment page is still secure. The padlock icon does not
= show when you are navigating a website which uses frames.
After the login page when you have filled in the Username and
Password, you are on a https website with all the account details and
the padlock shows up. That is how it should be. But the information
(username and password) of the login site is visible for everybody on
the internet and can be used to login and modify or steal informations
there. I don't think this makes sense. The other thing is, I cannot
see in the source code of that site, that it has frames anyway. There
is a java script that makes it probably safe. But normally everybody
is advised not to fill in websites that does not showes a padlock.
You find the site here
http://www.worldpay.com/shopper/index.php?page=account
So my questions probably someone can answer: Is this statement above
true, that even without the padlock nobody can get the username and
password while transmitted over the internet? Is it true the site is
safe probably through this java script?
If this subject is too off topic, please ignore it and I apologize.
For any answers and ideas thank you in advance.
Best regards
Christian
- --
This is a signed email, and the signature allows a recipient to check
that I am, indeed, the author.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDjuF/DcwkxcFMxHURAthBAJ9vQ5POh3ffdRPO6eh0E4VUVe7BHgCggR6L
N2goReAixuEhKp59oP9nIIk=
=Qpwx
-----END PGP SIGNATURE-----
_______________________________________________
gloucs mailing list
gloucs at mailman.lug.org.uk
http://mailman.lug.org.uk/mailman/listinfo/gloucs
Virtual IRC meets every Sunday 8-10pm in #glug on irc.slashnet.org
More information about the gloucs
mailing list