Don't trust SSL!



  • You shouldn't trust SSL, according to the National Tap Ensemble's old FAQ Page:

    "I would like to sign up online but your website has no security (such as SSL), so I cannot enter my credit card details on to it."

    Incorrect. This is a professional, highly-respected organization so if we state that you can safely send an online transaction, you can. This site is secure. For your safety (and our peace of mind) we do not use "standard" security procedures such as SSL- which only secures PART of the process - but proprietary protocols which we won't disclose in detail here but permit immediate transfer of any data you submit to a completely secure location. In other words the data never stays on a server "floating in cyberspace" which allows us to keep potential malfeasants in the dark. One of the TRUE signs of a secure and/or encrypted transaction is NOT just a SSL "certificate" on a web page (those can just be bought, some are actually completely fake) or whatever your browser says to make you THINK that a site is "secure" (these schemes only enrich the Verisigns of the world) but the "shtml" part of a URL, which in fact you DO see in the URL immediately after you click "register" or "submit" on this site. For the record we have processed thousands of registrations and purchases over the years and I have never had one problem. However if you still have any doubt, you always have the option of printing a form and faxing it. That will delay its processing but the job will eventually get done.

    Thanks go to The Web Application Hacker's Handbook for starting me on the search to find that quote. :)



  • "floating in cyberspace"... briljant!



  •  You know, it's scary thinking that people have actually used their credit card number at this site...

    Incorrect. This is a professional, highly-respected organization so if we state that you can safely send an online transaction, you can. This site is secure.

    Haha, love their perfectly logical and flawless reasoning here.



  • One of the TRUE signs of a secure and/or encrypted transaction is NOT just a SSL "certificate" on a web page (those can just be bought, some are actually completely fake) or whatever your browser says to make you THINK that a site is "secure" (these schemes only enrich the Verisigns of the world) but the "shtml" part of a URL, which in fact you DO see in the URL immediately after you click "register" or "submit" on this site.

    Actually, the shtml extension has nothing to do with a secure connection; in the default configuration it indicates use of SSI, Server Side Includes, a mechanism to generate the page on the server side.
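    Added example (editor's code, not jnareb's and not anything taken from the site under discussion): what decides whether card data crosses the wire encrypted is the scheme of the resolved form action, https or http, never the file extension of the target. The audit below resolves each form's action against the page URL and ignores ".shtml" entirely. The page URL is the one quoted later in this thread; the form markup and the card-field name heuristics are constructed for the example.

```python
"""Audit HTML forms: does card-like data leave over TLS or in cleartext?

Added example, not code from the forum thread or from the site it discusses.
The transport is decided by the scheme of the resolved <form action>; the
extension of the target (.shtml, .htm, .cgi, ...) says nothing about it.
All sample markup and the field-name hints below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic: substrings of input names that suggest a payment card is collected.
CARD_HINTS = ("card", "ccnum", "cvv", "cvc", "exp")


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # boolean attributes arrive with value None
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_card_data(fields):
    """True if any field name looks like a card number / expiry / CVV."""
    lowered = [f.lower() for f in fields]
    return any(hint in name for name in lowered for hint in CARD_HINTS)


def audit_forms(page_url, html):
    """One finding per form: resolved action URL, its scheme, and whether
    card-like fields would be submitted without TLS."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty action posts back to the page itself; a relative one
        # inherits the page's scheme, which is the whole point here.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        scheme = urlsplit(target).scheme.lower()
        card = collects_card_data(form["fields"])
        findings.append({
            "action": target,
            "scheme": scheme,
            "method": form["method"],
            "card_fields": card,
            "cleartext_card_data": card and scheme != "https",
        })
    return findings


# Constructed sample: an order form like the one discussed, a form handed off
# to an HTTPS payment host, and a harmless search box, all on a plain-http page.
PAGE_URL = "http://www.usatap.org/orderstandard.htm"
SAMPLE_HTML = """
<form method="post" action="secure.shtml">
  <input name="name"> <input name="cardnumber"> <input name="expdate">
</form>
<form method="post" action="https://payments.example.com/checkout">
  <input name="cardnumber"> <input name="cvv">
</form>
<form method="get" action="search.htm"><input name="q"></form>
"""


def demo():
    """Run the audit over the constructed sample page."""
    return audit_forms(PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for finding in demo():
        status = "CLEARTEXT" if finding["cleartext_card_data"] else "ok"
        print(f"{status:9} {finding['method'].upper():4} {finding['action']}")
```

    The first form resolves to http://www.usatap.org/secure.shtml and is flagged: the ".shtml" is irrelevant, the scheme is http. The second is accepted only because its action is an https URL; the third carries no card-like fields, so nothing is flagged regardless of transport. Treat the field-name match as a prompt to look at the form, not as proof either way.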



  • @jnareb said:

    Actually, the shtml extension has nothing to do with a secure connection; in the default configuration it indicates use of SSI, Server Side Includes, a mechanism to generate the page on the server side.

    Jeez, man! Do we have to start some sort of clue bank so we can loan them out to you people?



  • @bstorer said:

    Jeez, people! Do we have to start some sort of clue bank so we can loan them out to people?

    I think due to the housing market crash, all banks have dumped their clue funds, so it's virtually impossible to get a clue now.



  • Oh jeez.  They really have no idea what they're talking about, do they?

    And if they can make money... 



  • @AbbydonKrafts said:

    @bstorer said:
    Jeez, people! Do we have to start some sort of clue bank so we can loan them out to people?

    I think due to the housing market crash, all banks have dumped their clue funds, so it's virtually impossible to get a clue now.

    You're right, of course. We'll have to pass the collection plate ourselves. Here you go, jnareb:
    [img]http://www.hasbro.com/common/images/products/000451751820_main400.jpg[/img]
    Although, this one may be more to your needs:
    [img]http://www.hasbro.com/common/images/products/004091c13c50_main400.jpg[/img]



  • It's a good thing I never trusted that tricky SSL thing.  You can't even see what it's doing to your unixes when you look at it in tcpdump! 

    # The totally secure way to log in: 

    rlogin remote.example.com -c "cat secure.shtml; exec sh -s"

     



  • <meta name="GENERATOR" content="Microsoft FrontPage 5.0">

    Yes clearly they are using superior technology. Why would I ever doubt them!?

    Is it me or is that not only a stupid FAQ answer but an extremely rude one as well?

     



  • @medialint said:

    <meta name="GENERATOR" content="Microsoft FrontPage 5.0">

    Yes clearly they are using superior technology. Why would I ever doubt them!?

    Is it me or is that not only a stupid FAQ answer but an extremely rude one as well?

     

    I was thinking that it sounds more arrogant than anything, in a "ha ha I know more than you" way.



  • I am surprised they didn't start extolling the benefits of using frames.



  • It's all a sham to line the pockets of VeriSign and Thawte!  You dorks totally fell for it!

    Seriously though, there appear to be many otherwise intelligent people who seem to have nothing better to do than to publicly rail against industry standards like SSL and XML *coughatwoodcough*.  Sometimes I wonder if they really believe what they say or if they're just trying to make themselves feel like trailblazers.



  • @WeatherGod said:

    I am surprised they didn't start extolling the benefits of using frames.
     

    the quote said they weren't going to get into details of how their "secure thingy" worked.

     

    offtopic: what's up everyone? I'm baack! -for this week at least- 



  • Of course! Unencrypted traffic between you and the server is not the problem, it's that those damn communists on the server admin teams are sending out your information and letting it all float around in cyberspace. Yes, that's it!

     

    I love it when people re-invent the wheel... Don't you need something round? Nonsense, our professional cubes are superior to wheels that skid when it's wet and don't have eight pointy angles which leave your car just rolling down the road instead of sitting in one spot!



  • disregard this edited post.-



  • @rbowes said:

    Thanks go to The Web Application Hacker's Handbook for starting me on the search to find that quote.
    Is the book any good?

     

    Glowing reviews on amazon.com... http://www.amazon.com/review/product/0470170778 



  •  Daid, you may find "floating in cyberspace" fun, but I really get a charge out of:

     @Idiots said:

    In other words the data never stays on a server "floating in cyberspace" which allows us to keep potential malfeasants in the dark.
     

     Malfeasants! Pure class. They may have failed networking, but their vocabulary is splendorous.



  • @WeatherGod said:

    I am surprised they didn't start extolling the benefits of using frames.

    Frames don't hold a candle to some of the WTFs in this site... The text in the buttons doesn't actually remain in the buttons, spilling out onto the white background where it has to be selected to be read, the text size is too big on Firefox and looks like an "I can read too!" book for preschoolers, the "Welcome" line features marquee text, the highlighted text comes in the most atrocious color scheme I have yet to see (red on yellow), and the headers come in yellow on red (which is not that much better, but at least it doesn't burn my eyeballs out). The only thing it's missing is embedded MIDI and animation abuse. Let's open up the hood...

    Made by Frontpage Express, with not even enough care to fill in the description or keywords meta fields. Or the ALT text on any of the images. God help you if you visit this page in Lynx, because to the National Tap Dance Company you don't deserve to navigate their site. Which is a pity because I'm pretty sure it's the only way most people could stomach it. Also, all of the email addresses are muxed, which I guess is standard practice nowadays but I personally find it funny that a professional organization which is so powerful hackers fall to naught at their mere word would openly admit that they've had difficulties with script kiddies running google bots to harvest spam addresses. Surely they'd blame the fact that their front page is a mere .htm (not even .html!).



  • @rbowes said:

    You shouldn't trust SSL, according to the National Tap Ensemble's old FAQ Page:

    "I would like to sign up online but your website has no security (such as SSL), so I cannot enter my credit card details on to it."

    Incorrect. This is a professional, highly-respected organization so if we state that you can safely send an online transaction, you can. This site is secure. For your safety (and our peace of mind) we do not use "standard" security procedures such as SSL- which only secures PART of the process - but proprietary protocols which we won't disclose in detail here but permit immediate transfer of any data you submit to a completely secure location. In other words the data never stays on a server "floating in cyberspace" which allows us to keep potential malfeasants in the dark. One of the TRUE signs of a secure and/or encrypted transaction is NOT just a SSL "certificate" on a web page (those can just be bought, some are actually completely fake) or whatever your browser says to make you THINK that a site is "secure" (these schemes only enrich the Verisigns of the world) but the "shtml" part of a URL, which in fact you DO see in the URL immediately after you click "register" or "submit" on this site. For the record we have processed thousands of registrations and purchases over the years and I have never had one problem. However if you still have any doubt, you always have the option of printing a form and faxing it. That will delay its processing but the job will eventually get done.

    Thanks go to The Web Application Hacker's Handbook for starting me on the search to find that quote. :)

    Yipes. Back in December, I found out that a bus company had finally taken a shot at e-sales. Imagine my surprise when, after choosing my seat, I find myself on a plain-old http:// site asking for my CC details. Whoopsie! I e-mailed them about this, and they answered the common spam-can answer "We'll look into it". Except ... they actually did it. If you do buy a ticket from their site now, it will still ask for your address on a plain unencrypted site, BUT the actual CC transaction is done by a pass-through service by an actual bank. Kind of the lazy man's solution, but at least your CC details ain't floating out there.

    This other site, however, would be blacklisted in my mind if they can't even know the difference between http and html. Sounds like those guys who tell me "my internet is broken!" when it is only the browser (usually IE) barfing.



  • @danixdefcon5 said:

    Yipes. Back in December, I found out that a bus company had finally taken a shot at e-sales. Imagine my surprise when, after choosing my seat, I find myself on a plain-old http:// site asking for my CC details.
     

     

    My ISP still emails me a plaintext email receipt... complete with my entire SSN and CC number in it.  My company has the contract for rebuilding our City's website....but they "know" technology so they don't need input from a company like us that doesn't even offer internet service...

     

    Regarding OP: I suspect clueless manager brought a concerned email from a customer to their 'tech' who then BSed their way through the conversation and it ended up in a faq.



  • @danixdefcon5 said:

    .

    tl;dnr

    Please do not quote the entire op when replying. We have all read it.



  • @curtmack said:

    Frames don't hold a candle to some of the WTFs in this site...
    Which site?  When you started, I thought you were going to talk about TDWTF.

    @curtmack said:

    God help you if you visit this page in Lynx, because to the National Tap Dance Copmany you don't deserve to navigate their site.
    What?

     



  • @merreborn said:

    @rbowes said:

    Thanks go to The Web Application Hacker's Handbook for starting me on the search to find that quote.
    Is the book any good?

     

    Glowing reviews on amazon.com... http://www.amazon.com/review/product/0470170778 

    Not sure yet, just started. The first two chapters are promising, though. Send me a message/email in a month and I'll tell you. :)



  • @curtmack said:

    God help you if you visit this page in Lynx...

     

    God help you indeed if you have to use Lynx.  Otherwise, you're probably some self-flagellating martyr unix/linux nerd in fierce defiance of GUIs.



  • And it seems that they've even given up on their super-secure shtml pages: http://www.usatap.org/orderstandard.htm still requires your CC info. But never worry:

    <font face="arial, Arial, Helvetica"><font size="3">Your order is processed through a secure server and your can safely use this form.
    And if all else fails
    What some people do is double-check their card info and email the correct info to our Registrar (main staff email address here. Feel free to do this in a couple different emails for safety
    .</font></font>



  • @BlisteringSheep said:

    And if all else fails
    What some people do is double-check their card info and email the correct info to our Registrar (main staff email address here. Feel free to do this in a couple different emails for safety
    .</font></font>

    Well, the amusing bit is, that is exactly what their form does! If you look at the HTML source of the page, the first glaring WTF is the standard FrontPage "email to user" WebBot comment at the top of the form! (The second being that their privacy policy is a file:// link)



  • Look at that code snippet taken from a page:

    <p><big><big><big><big><big><big><big><big><big><big><big><big><big><big><big> <big><big><big><big><big><big><big><big><big><big><big><big> <big><big><big><big><big><big><big><big><big><big><big><big><big><big><big><big> <big><big><big><big><big><big><big><strong><font size="2" color="#000080">
            <br>
            </font></strong>
            </big></big></big></big></big></big></big></big></big></big></big></big></big></big> </big> </big></big></big></big></big></big></big></big></big></big> </big></big></big></big></big></big></big></big></big></big></big></big></big></big></big> </big> </big></big></big></big></big></big></big></big></big><font color="#0000FF" face="Arial, Arial, Helvetica">
            <span style="background-color:#FFFF00">Items ordered</span></font></p>



    LOL?


  • @Soviut said:

    God help you indeed if you have to use Lynx.  Otherwise, you're probably some self-flagellating martyr unix/linux nerd in fierce defiance of GUIs.

    And you are an uninformed fool. Lynx is a good way to check the page flow, as well as see how it will look on devices that have a text-only browser. The page flow is important for text-to-speech apps for people who have certain disabilities (or just want to be lazy).



  • @Soviut said:

    God help you indeed if you have to use Lynx.  Otherwise, you're probably some self-flagellating martyr unix/linux nerd in fierce defiance of GUIs.

    Or maybe you're working over an SSH connection. Or maybe you're checking that the page degrades properly. Who knows?



  • Ok, I did have this really cool post idea for this topic where I was going to post the HTTP request for this page, but then I looked at the data in an HTTP post for these Community Server forum forms... Now that is the WTF in itself: Community Server seems to post EVERY possible tag. So see my tag below :D



  • @spacix said:

    Now that is the WTF in itself: Community Server seems to post EVERY possible tag.

    Old news. Get with the times. Why do you think some of us have scripts that auto-populate it with a randomly generated Exception tag?



    The script also gives us the current stats:



    TagExceptions: 1714, Bytes: 88335, All Tags Bytes: 297166



  • @spacix said:

    Ok, I did have this really cool post idea for this topic where I was going to post the HTTP request for this page, but then I looked at the data in an HTTP post for these Community Server forum forms... Now that is the WTF in itself: Community Server seems to post EVERY possible tag. So see my tag below :D

     

    I have found it works if you open your eyes when reading the forums. 

    Then you won't make 'discoveries' that the rest have been talking about continually. There is even a whole thread and a series of scripts to exploit this on this forum.



  • @MasterPlanSoftware said:

    I have found it works if you open your eyes when reading the forums. 

    Then you wont make 'discoveries' that the rest have been talking about continually.

    Hey, did you know if you disallow replies to your post, it gives the thread a lock icon?



  • @AbbydonKrafts said:

    Old news. Get with the times. Why do you think some of us have scripts that auto-populate it with a randomly generated Exception tag?
    Didn't notice till now, nor cared about the random posting. We should just start adding FBI watchlist words :D



  • @bstorer said:

    Hey, did you know if you disallow replies to your post, it gives the thread a lock icon?
     

    Hey, did you know that it won't allow you to reply to my post either when I do it? But it will allow to reply to other posts that haven't been locked!

     

    OMGWTFBBQ!



  • @spacix said:

    We should just start adding FBI watchlist words
     

    You may want to actually spell some of those words at least KIND OF correctly.

    "Conterfit" ?

    I hope the FBI has a flexible crawler!



  • @MasterPlanSoftware said:

    I hope the FBI has a flexible crawler!
    Yea, they have the best OCR software, wooden table, camera, and a custom version of swap's desktop search app which money can buy. They just print each web request that goes to their server and capture its image on the wooden table, and then it is added to the flat file by the OCR software.



  • @bstorer said:

    @Soviut said:
    God help you indeed if you have to use Lynx.  Otherwise, you're probably some self-flagellating martyr unix/linux nerd in fierce defiance of GUIs.

    Or maybe you're working over an SSH connection. Or maybe you're checking that the page degrades properly. Who knows?

    Are you making these answers up, Mr Bstorer? Or they are written up for you?

     



  • @alegr said:

    Are you making these answers up, Mr Bstorer? Or they are written up for you?
     

    Oh noes! Copyright! Plagarisms!



  • @MasterPlanSoftware said:

    @alegr said:

    @bstorer said:

    @Soviut said:
    God help you indeed if you have to use Lynx.  Otherwise, you're probably some self-flagellating martyr unix/linux nerd in fierce defiance of GUIs.

    Or maybe you're working over an SSH connection. Or maybe you're checking that the page degrades properly. Who knows?

    Are you making these answers up, Mr Bstorer? Or they are written up for you?

     

     

    Oh noes! Copyright! Plagarisms!

    Let me tell you about my mother...

     



  • @alegr said:

    Let me tell you about my mother...
     

    Wow. I didn't think you could make any less sense than the post before this, but you succeeded.

    Bravo!



  • @MasterPlanSoftware said:

    @alegr said:

    Let me tell you about my mother...
     

    Wow. I didn't think you could make any less sense than the post before this, but you succeeded.

    Bravo!

    I hate to pretend you didn't get it, but it starts with:

    @bsrorer said:

    Or maybe you're working over an SSH connection. Or maybe you're checking that the page degrades properly. Who knows?

    Holden: Maybe you're fed up. Maybe you want to be by yourself. Who knows? You look down and see a tortoise, Leon. It's crawling toward you...



  • @alegr said:

    Holden: Maybe you're fed up. Maybe you want to be by yourself. Who knows? You look down and see a tortoise, Leon. It's crawling toward you...
    And then the tortoise goes all rabbit-from-Monty-Python on you and you're bleeding on the asphalt.  Next time you WILL RESPECT THE TORTOISE.




  • @alegr said:

    I hate to pretend you didn't get it, but it starts with:

    @bsrorer said:

    Or maybe you're working over an SSH connection. Or maybe you're checking that the page degrades properly. Who knows?

    Holden: Maybe you're fed up. Maybe you want to be by yourself. Who knows? You look down and see a tortoise, Leon. It's crawling toward you...

    To paraphrase Mr. TheKing: What the fuck are you babbling about, bitch?



  • @bstorer said:

    @alegr said:

    I hate to pretend you didn't get it, but it starts with:

    @bsrorer said:

    Or maybe you're working over an SSH connection. Or maybe you're checking that the page degrades properly. Who knows?

    Holden: Maybe you're fed up. Maybe you want to be by yourself. Who knows? You look down and see a tortoise, Leon. It's crawling toward you...

    To paraphrase Mr. TheKing: What the fuck are you babbling about, bitch?

    It's a reference to Blade Runner:

    http://www.devo.com/bladerunner/sector/2/interrogation.html 



  • @bstorer said:

    Hey, did you know if you disallow replies to your post, it gives the thread a lock icon?

    Would explain the flickering "lock" icons I've seen on some of the threads.



  • Jay and Silent Bob Strike Back is the epitome of humor and Blade Runner is completely unknown. You guys make me feel about 50 years older than I am.



  • @Cap'n Steve said:

    Jay and Silent Bob Strike Back is the epitome of humor and Blade Runner is completely unknown.
    I think all pstorer is saying is that a tag would have helped.  I used a tag the first time I made the WTFAYBBO comment.  The WTFAYBBO comment is used not because it's funny but because it so perfectly describes the poster's reaction to certain posts.

    Bladerunner was released the year I was born, so yeah, feel old.

    Many on the forums have made comments based off of Monty Python.  They're old too :)



  • @bstorer said:

    Or maybe you're working over an SSH connection. Or maybe you're checking that the page degrades properly. Who knows?

    I'm still curious, was it random coincidence, or intentional reference to Blade Runner?

     

