[Gloucs] Login site of Worldpay.com

Sam *Turtel* Barker turtel at turtel.plus.com
Thu Dec 1 12:46:18 GMT 2005 

I'm not entirly sure but I think because the form target is a https url
then it should be ok. In that a ssl session is probably established to
submit the form but the page from which it is submitted does not need to
be HTTPS. Having said that it would probably be better if it was...

Sam

On Thu, 2005-12-01 at 11:41 +0000, Christian Trapp wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello all!
> 
> I know, this is probably off topic, but hopefully, somebody can help me.
> 
> I just wondered about the login page for worldpay.com. It is not
> encrypted (no https protocol) for the user account, so  I wrote them
> to make sure it is safe. I got an answer, please read below:
> 
> Especially the following part, I think is not true.
> 
> = I understand that you are concerned about the security of our
> payment page
> = and I would like to assure you that even though a padlock icon is not
> = displayed, our payment page is still secure.  The padlock icon does not
> = show when you are navigating a website which uses frames.
> 
> After the login page when you have filled in the Username and
> Password, you are on a https website with all the account details and
> the padlock shows up. That is how it should be. But the information
> (username and password) of the login site is visible for everybody on
> the internet and can be used to login and modify or steal informations
> there. I don't think this makes sense. The other thing is, I cannot
> see in the source code of that site, that it has frames anyway. There
> is a java script that makes it probably safe. But normally everybody
> is advised not to fill in websites that does not showes a padlock.
> 
> You find the site here
> http://www.worldpay.com/shopper/index.php?page=account
> 
> So my questions probably someone can answer: Is this statement above
> true, that even without the padlock nobody can get the username and
> password while transmitted over the internet? Is it true the site is
> safe probably through this java script?
> 
> If this subject is too off topic, please ignore it and I apologize.
> For any answers and ideas thank you in advance.
> 
> Best regards
> Christian
> 
> 
> - --
> This is a signed email, and the signature allows a recipient to check
> that I am, indeed, the author.
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> 
> iD8DBQFDjuF/DcwkxcFMxHURAthBAJ9vQ5POh3ffdRPO6eh0E4VUVe7BHgCggR6L
> N2goReAixuEhKp59oP9nIIk=
> =Qpwx
> -----END PGP SIGNATURE-----
> 
> 
> _______________________________________________
> gloucs mailing list
> gloucs at mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/gloucs
> Virtual IRC meets every Sunday 8-10pm in #glug on irc.slashnet.org

More information about the gloucs mailing list