
Can an eCommerce Site Without SSL Be Secure?

Submitted by
Excelcia
Excelcia writes "I recently decided to try out the SecureSpot feature of my router. I signed up for a trial account, decided I liked it, and was about to submit my payment for the service when I noticed something peculiar. The protocol was http, not https. The little lock icon on my browser was grayed, and the browser's information dialog on the site said in no uncertain terms "your connection to this web site is not encrypted". I went back to the original login page for SecureSpot, and it too seems to lack any indication of SSL. I'm a little worried at this point, as the SecureSpot control panel lets me configure my router. Have my family's privacy settings, and worse, have my router settings and passwords all been sent over the wire in the clear? And what about people's credit card numbers? I examined the page source for each page, and they both seem to use a standard html POST with some JavaScript sanity checks. About the only secure element I can see on either page is the VeriSign gold seal they each sport proclaiming the site secure.

BSecure actually runs the service for D-Link, so I e-mailed both of them. D-Link's reply was a terse "the site is secure and your information will not and has not been exposed." My question simply is, is the site secure? And if it is secure, how are people to know it is if your browser can't tell?"
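The page-source check described in the submission can be done mechanically. The following is an added example, not part of the original post or of any D-Link/BSecure code: it parses a saved page, resolves each form's `action` against the page URL, and reports forms that carry password or card fields. The sample HTML, the host names and the field-name heuristics are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HINTS = ("pass", "card", "cvv")  # assumed heuristic for sensitive field names

class FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the page's own scheme and host.
            target = urljoin(self.page_url, a.get("action") or "")
            self._cur = {"target": target, "sensitive": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            name = (a.get("name") or "").lower()
            is_pw = (a.get("type") or "").lower() == "password"
            if is_pw or any(h in name for h in HINTS):
                self._cur["sensitive"].append(name or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(page_url, html):
    """Return (target, sensitive_fields, verdict) for each form with sensitive inputs."""
    parser = FormAudit(page_url)
    parser.feed(html)
    page_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in (f for f in parser.forms if f["sensitive"]):
        if urlsplit(form["target"]).scheme != "https":
            verdict = "cleartext-submit"
        elif not page_tls:
            # The form itself arrived unauthenticated, so its action could have
            # been rewritten in transit, and the browser shows no lock to the user.
            verdict = "https-target-from-http-page"
        else:
            verdict = "ok"
        findings.append((form["target"], form["sensitive"], verdict))
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<form method="post" action="/signin"><input name="user">
<input type="password" name="password"></form>
<form method="post" action="https://pay.example/charge"><input name="cardnumber"></form>
<form action="/search"><input name="q"></form>"""
```

A verdict of `https-target-from-http-page` covers the case raised in the thread where data might be encrypted on submit even though the browser shows no lock: the user has no way to verify it.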


  • Love how D-Link gave you the regular line on how their site is secure. Without using SSL there is no way to make sure your credit card won't be spied upon to their server. Very risky.
  • The only exception is if their router is somehow detecting their web site and SSL-encrypting data going to it without engaging your browser's SSL. However, if they are doing this, they are too stupid for you to trust with your security anyway. The browser is the appropriate point to encrypt important data.

    Don't walk, run away from this. The person who told you this was secure was either incompetent or dishonest, and I certainly wouldn't want to trust such a company with the security of my network.

    Plus, w

    • by Excelcia (906188)
      I thought about the possibility of my router doing some security voodoo, so I disconnected from my router and connected to a neighbour's briefly. I was still able to log in to D-Link's site, and it still showed no sign of SSL anywhere. How about you? When you visit their login page [bsecure.com] do you detect any use of SSL at all?

      While I can walk away from this, if D-Link/BSecure is running an insecure eCommerce site, what about the other people who are sending credit card numbers unprotected?
      • by natehoy (1608657)

        No sign of SSL.

        And, agreed, it needs to be reported. Verisign would be a good start, since DLINK is misusing their logo.
