Bugtraq mailing list archives

NON-Secure Credit card info transfer from time.com/pathfinder.com


From: Bob Niederman <btrq () bob-n com>
Date: Tue, 16 Oct 2001 19:37:56 -0500 (CDT)


When you go to www.time.com and click on "Order This Special Issue" (over
the picture of the Time cover showing the second crash into the World
Trade center), you are taken to:

https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html

The problem is that while the page 

https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html

itself is secure, as noted by the "https" at the beginning of the URL,
when you click the "Submit Order" button, the html in that page
reading:

<FORM METHOD="post"
action="http://cgi.pathfinder.com/cgi-bin/magsubs/cc/booksubs/tdspecialed01">

sends it to a non-secure server, as noted by the "http:" instead of the
"https:" in the preceding URL.

This causes the credit card number to cross the internet in
un-encrypted form.

The browsers I've used on this page (Netscape 4.08 on NT, NS 4.74 on Linux
and Mozilla 0.9.5 on Linux) all popup a window warning the user that this
will happen.  I didn't really believe it, so I started up ethereal, then
went ahead.  Ethereal showed that, indeed, the credit card number did go
across in the clear.  [That credit card account has been closed.;) ] 

I notified via email, then phone, (to help.single () customersvc com and
1.800.274.6800); the phone folks were not clue-full, but referred me to
another number, where they understood my complaint, and told me others had
complained of the popup message from the browsers, but that their
programmers swore up and down that the connection was secure.  I explained
the problem in some detail to that person and sent follow-up email.  So
far, no response other than auto-responder.

These conversations occurred yesterday morning.  This should be easy to
fix, but so far, no response and the page still has this flaw.



- Bob Niederman 

Fight UCITA! http://www.4cite.org, 

Free Dmitry Sklyarov.  Repeal DMCA.  http://freskylarov.org
http://eff.org
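As an added example (not part of Bob's post or of the site's own code), a small Python check for the class of flaw he describes: a form served on an https page whose action resolves to a plain-http URL, so the browser's form-submission warning fires and the fields cross the network unencrypted. The sample HTML is constructed to mirror the form quoted in the post; relative and protocol-relative actions inherit the page's https scheme and are deliberately not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the method and action attribute of every <form> tag."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of (method, action-or-None)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        self.forms.append(((a.get("method") or "get").lower(), a.get("action")))


def find_insecure_form_actions(page_url, html):
    """Return [(method, absolute_action)] for each form on an https page that
    would submit to a plain-http URL.  Empty, relative and protocol-relative
    actions resolve against the page URL, so they keep https and are skipped."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []  # the page itself is unprotected; nothing to downgrade
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for method, action in parser.forms:
        target = urljoin(page_url, action or "")
        if urlsplit(target).scheme.lower() == "http":
            findings.append((method, target))
    return findings


# Constructed sample modelled on the order page in the post: the page is
# served over https, but the order form posts to an http:// CGI endpoint.
PAGE_URL = "https://www.pathfinder.com/subs/books/forms/td/tdspecialed01.html"
SAMPLE_HTML = """
<html><body>
<FORM METHOD="post"
action="http://cgi.pathfinder.com/cgi-bin/magsubs/cc/booksubs/tdspecialed01">
<input name="ccnum"><input type="submit" value="Submit Order">
</FORM>
<form action="/subs/search">...</form>           <!-- relative: stays https -->
<form action="//www.pathfinder.com/x">...</form> <!-- protocol-relative: https -->
</body></html>
"""

if __name__ == "__main__":
    for method, target in find_insecure_form_actions(PAGE_URL, SAMPLE_HTML):
        print(f"INSECURE: {method.upper()} form on https page submits to {target}")
```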
