Originally posted by xoggoth
View Post
Basically SSL is a way of securely encrypting personal data. So, as a rule of thumb, you should never enter credit card details on a site which isn't running SSL (as pg politely pointed out, in 99% of cases you see the https and padlock logo in the address bar.)
In the ideal world, all personal details (names, addresses, passwords) would be encrypted.
In the case of your site (assuming it's the one you've posted links to in the past) you're capturing name and address details over a non-secure connection, so someone could potentially 'listen' to the traffic and steal those details. You're redirecting to worldpay to get your payment details, and they are running SSL, so your customers' card details are safe.
Some sites with logins (like CUK) don't use SSL either - I'm guessing that actual passwords aren't sent, but instead a hash of the password, which is compared to a stored hash in the database. Session ids are probably thrown into the mix too, so that the hash is a combination of password and sessionId and changes as sessions expire. In theory that makes it hackable - by listening to the network traffic I could steal the hash of your password and fake a login to your session, but I couldn't actually get hold of your password. To do serious damage, I guess we'd have to steal admin's account
Leave a comment: