Bugtraq mailing list archives

Re: aa.com not encrypting customer transaction data (KMM508728C0KM)


From: "Karsten W. Rohrbach" <karsten () rohrbach de>
Date: Tue, 18 Sep 2001 18:43:05 +0200

being a paranoid person i traced my browser and did a tcpdump of a
ticket ordering session. indeed, most of the pages are transmitted over
unencrypted http, but the personal information, including credit card
numbers, is transmitted over http/ssl.

but, please, read on.

excerpt from the order form:
    <!-- X-URL: http://www.im.aa.com/American -->
    <!-- Date: Tue, 18 Sep 2001 16:20:22 GMT -->
    <BASE HREF="http://www.im.aa.com/American">
[...]
    <FORM ACTION="https://www.im.aa.com/American" METHOD=POST >

(this is the page where you fill in your credit card number for
purchasing a ticket.)

the following page that is generated from the ssl encrypted connection
contains a simple redirect in meta http-equiv fashion which loads the
unencrypted results page.

excerpt from the return page:
    <!-- X-URL: https://www.im.aa.com/American -->
    <!-- Date: Tue, 18 Sep 2001 16:16:23 GMT -->
    <BASE HREF="https://www.im.aa.com/American">
[...]
    <META http-equiv="refresh" content="0;url=http://www.im.aa.com/American?
[...]

conclusions:

1) personal and credit card information appears to be safe

2) chris, you probably use a proxy for ssl connections? i could not
   find a single point where my credit card number was transferred over
   the net in unencrypted form

3) although this seems to provide a certain level of privacy and
   security, i would advise american airlines to switch to single
   session http/ssl with no in-session protocol change/redirects.
   this is because of the full disclosure of the booked flight data
   (flight number, departure date, stops, ...) to in-between systems,
   which enables foreign entities who can tap the line to find out the
   customer's flight schedule for his bookings.

imagine: what would happen if a (terrorist) organisation were to employ a
passive filtering system (-> much like carnivore) watching for your name
and associated web application session. they would not know your diners
card number, but they would know the flight you will be on. placing a
passive filter onto the wire would not pose a big challenge, IMVHO.

AA Webmaster(webmaster () aa com)@2001.09.18 07:41:33 +0000:
> Hello Devi and Chris,
[useless newbie tutorials deleted]
> To prevent unauthorized access, maintain data accuracy, and ensure the
> correct use of information, we have put in place appropriate physical,
> electronic, and managerial procedures to safeguard and secure the
> information we collect online.

not entirely, as i stated above

> We also participate in the Council of Better Business Bureaus'
> BBBOnline® Privacy Program, and comply with all the BBBOnline privacy
> standards.  Further information about this program is available at
> http://www.bbbonline.org.

apparently, the bbbonline test process is not as secure as advertised,
since they have not thoroughly analyzed aa's www-based application for
ticket ordering.

> If you wish to automatically be notified when entering or leaving a
> secure server at our site, you may modify your browser settings to alert
> you when these actions occur.  Please contact your Internet Service
> Provider or browser manufacturer if you need assistance.

this is, of course, true, but will make no difference to the disclosure of
the flight schedule data as it stands at the moment.

take care,
/k

-- 
Markets are self-correcting. That's why I trust markets more than
governments. Governments usually aren't self-correcting, until too late. 
--Interview with Walter Wriston as reported in Wired 4.10 
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch () spam de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
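An added example, not code from the post or from aa.com: a small Python checker for the pattern the post describes, where a page served over ssl hands the session back to plain http through a meta refresh whose query string carries the booking data. The sample pages are constructed to mirror the excerpts above, and the query parameter names in them are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse


class _TargetCollector(HTMLParser):
    """Collect <base href>, <form action> and <meta http-equiv=refresh> URLs."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.targets = []  # (kind, raw_url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "base" and "href" in a:
            self.base = a["href"]
        elif tag == "form" and "action" in a:
            self.targets.append(("form", a["action"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content has the shape "0;url=http://..."; drop the delay part
            _, sep, rest = a.get("content", "").partition(";")
            if sep and rest.strip().lower().startswith("url="):
                self.targets.append(("meta-refresh", rest.strip()[4:].strip()))


def find_scheme_changes(page_url, html):
    """Return (kind, "src->dst", absolute_url, [query param names]) for every
    form/refresh target whose scheme differs from page_url's; the parameter
    names on an https->http hop are the session data that travels in clear."""
    c = _TargetCollector()
    c.feed(html)
    base = c.base or page_url
    src = urlparse(page_url).scheme
    findings = []
    for kind, raw in c.targets:
        absolute = urljoin(base, raw)
        dst = urlparse(absolute).scheme
        if dst != src:
            params = sorted(parse_qs(urlparse(absolute).query))
            findings.append((kind, f"{src}->{dst}", absolute, params))
    return findings


# Constructed sample pages modelled on the post's excerpts (not real aa.com
# responses; the query parameter names are placeholders).
ORDER_FORM = """<BASE HREF="http://www.im.aa.com/American">
<FORM ACTION="https://www.im.aa.com/American" METHOD=POST><INPUT NAME="cc"></FORM>"""
RETURN_PAGE = """<BASE HREF="https://www.im.aa.com/American">
<META http-equiv="refresh" content="0;url=http://www.im.aa.com/American?sid=X1&flight=EXAMPLE&date=2001-09-18">"""
```

Running `find_scheme_changes` over the return page reports the https->http hop together with the parameter names that would be visible to every in-between system.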
