On Tue, Nov 21, 2006 at 08:40:34PM -0000, Rob Malpass wrote:
> I've tried to download some stuff but on the screen that asks for my card details, I receive no https:// and no padlock icon. A quick chat with their tech team told me that it is secure - but without these visible assurances, I'm not so sure. Can anyone who knows more about web security than me (not difficult I grant you) explain how it can be secure without these symbols?
I see https. However they are using a partially encrypted frameset, which is
bloody stupid because browsers will not show the padlock icon unless
/everything/ on the page is encrypted. I can well believe you somehow got to
the same page without the https though. The whole thing reeks of incompetence.
In terms of security, you are probably OK, because your card details are
actually submitted to Worldpay directly, not Tesco (an idiotic choice for a
large company because it looks unprofessional, but a rather good choice if your
developer is the CTO's twelve-year-old...). To verify this in Firefox,
right-click on the card details area and select 'This Frame' -> 'View Frame
Info'. You should see
https://select.worldpay.com/...
Oh, and don't use it. Because they are retarded, and because they use evil DRM.
Long live Emusic.
-- Jamie Webb
