Don't trust SSL!
Last post 05-15-2008 1:06 AM by bstorer. 51 replies.
burntfuse
- Joined on 05-16-2007
- Posts 125
You know, it's scary thinking that people have actually used their credit card number at this site...
Incorrect. This is a professional, highly-respected organization so if we state that you can safely send an online transaction, you can. This site is secure.
Haha, love their perfectly logical and flawless reasoning here.
jnareb
- Joined on 11-23-2007
- Posts 6
One of the TRUE signs of a secure and/or encrypted transaction is NOT just a SSL "certificate" on a web page (those can just be bought, some are actually completely fake) or whatever your browser says to make you THINK that a site is "secure" (these schemes only enrich the Verisigns of the world) but the "shtml" part of a URL, which if fact you DO see in the URL immediately after you click "register" or "submit" on this site.
Actually, the shtml extension has nothing to do with a secure connection; in the default configuration it indicates use of SSI (Server Side Includes), a mechanism for generating the page on the server side.
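To make the point concrete, here is a small added example (not code from the thread or from the site under discussion) of what an ".shtml" page actually gets: a server-side pass that expands SSI directives such as `<!--#include virtual="..." -->` and `<!--#echo var="..." -->` before the bytes leave the server. Whether those bytes are then encrypted on the wire is a property of the transport (the `https` scheme and the TLS handshake behind it), which the path extension says nothing about. The document root, page contents and environment values below are constructed for the example, and the expander supports only the two directives shown; real Apache `mod_include` handles more.

```python
"""Tiny Server Side Includes (SSI) expander, contrasted with a transport check.

Added example; the in-memory "document root" and the environment values
are constructed here and do not come from any real site.
"""
import re
from urllib.parse import urlparse

# Constructed stand-in for files on disk under the web server's DocumentRoot.
DOCROOT = {
    "/header.html": "<h1>Example Organisation</h1>",
    "/register.shtml": (
        '<!--#include virtual="/header.html" -->\n'
        '<p>Today is <!--#echo var="DATE_LOCAL" --></p>\n'
        '<form method="post" action="/submit.shtml">...</form>'
    ),
}

# Matches directives of the form <!--#cmd attr="value" -->
SSI_DIRECTIVE = re.compile(r'<!--#(\w+)\s+(\w+)="([^"]*)"\s*-->')

# Text Apache emits in place of a directive it could not process.
SSI_ERROR = "[an error occurred while processing this directive]"


def expand_ssi(body, env, depth=0):
    """Expand include/echo directives in `body`.

    Only `include virtual` and `echo var` are implemented; anything else
    is replaced by the same error text Apache uses. The depth counter
    stops a page that includes itself from recursing forever.
    """
    if depth > 5:
        raise ValueError("SSI include nesting too deep")

    def repl(match):
        cmd, attr, value = match.groups()
        if cmd == "include" and attr == "virtual":
            included = DOCROOT.get(value)
            if included is None:
                return SSI_ERROR
            return expand_ssi(included, env, depth + 1)
        if cmd == "echo" and attr == "var":
            return env.get(value, "(none)")
        return SSI_ERROR

    return SSI_DIRECTIVE.sub(repl, body)


def serve(path, env):
    """What the server hands to the transport layer for `path`.

    The .shtml extension only decides whether the SSI filter runs; the
    returned text is the same whether it is later sent over http or https.
    """
    body = DOCROOT[path]
    if path.endswith(".shtml"):
        body = expand_ssi(body, env)
    return body


def transport_is_encrypted(url):
    """The scheme, not the path extension, decides encryption in transit."""
    return urlparse(url).scheme == "https"


if __name__ == "__main__":
    env = {"DATE_LOCAL": "Thursday, 15-May-2008"}
    print(serve("/register.shtml", env))
    for url in ("http://example.invalid/register.shtml",
                "https://example.invalid/register.shtml"):
        print(url, "->", "encrypted" if transport_is_encrypted(url) else "plaintext")
```

Running it prints the expanded registration page once, followed by the two URLs: the plain `http://` one is reported as plaintext even though it ends in `.shtml`, and the `https://` one as encrypted.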
AbbydonKrafts
- Joined on 11-21-2006
- Carrollton, GA, USA
- Posts 1,022
bstorer:Jeez, people! Do we have to start some sort of clue bank so we can loan them out to people?
I think due to the housing market crash, all banks have dumped their clue funds, so it's virtually impossible to get a clue now.
Join us at #TDWTF on irc.slashnet.org !
belgariontheking
- Joined on 08-20-2007
- Cincinnati, OH, USA
- Posts 1,146
Oh jeez. They really have no idea what they're talking about, do they? And if they can make money...
This user has retired from TDWTF Forums, citing complete incompetence on the part of the moderators. Please continue to spam the addresses below.
PLEASE SPAM: jtobin@ohioinstituteofhealthcareers.edu jtobin@ohiobusinesscollege.edu
arty
- Joined on 01-09-2007
- Posts 94
It's a good thing I never trusted that tricky SSL thing. You can't even see what it's doing to your unixes when you look at it in tcpdump!
# The totally secure way to log in: rlogin remote.example.com -c "cat secure.shtml; exec sh -s"
medialint
- Joined on 12-17-2007
- San Francisco
- Posts 342
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
Yes clearly they are using superior technology. Why would I ever doubt them!? Is it me or is that not only a stupid FAQ answer but an extremely rude one as well?
There are three kinds of people: those who make things happen, those who watch things happen and those who wonder what happened.
rbowes
- Joined on 02-08-2007
- Winnipeg, MB
- Posts 411
medialint:<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
Yes clearly they are using superior technology. Why would I ever doubt them!? Is it me or is that not only a stupid FAQ answer but an extremely rude one as well?
I was thinking that it sounds more arrogant than anything, in a "ha ha I know more than you" way.
Aaron
- Joined on 07-10-2007
- Posts 186
It's all a sham to line the pockets of VeriSign and Thawte! You dorks totally fell for it!
Seriously though, there appear to be many otherwise intelligent people who seem to have nothing better to do than to publicly rail against industry standards like SSL and XML *coughatwoodcough*. Sometimes I wonder if they really believe what they say or if they're just trying to make themselves feel like trailblazers.
ZippoLag
- Joined on 03-18-2008
- Argentina
- Posts 108
WeatherGod:I am surprised they didn't start extolling the benefits of using frames.
The quote said they weren't going to get into details of how their "secure thingy" worked. Off topic: what's up everyone? I'm baack! -for this week at least-
"up and down, back and forth, faster, faster.."
dlikhten
- Joined on 09-27-2007
- New York Citeyah
- Posts 669
Of course! Unencrypted traffic between you and the server is not the problem, it's that those damn communists on the server admin teams are sending out your information and letting it all float around in cyberspace. Yes, that's it! I love it when people re-invent the wheel... Don't you need something round? Nonsense, our professional cubes are superior to wheels that skid when it's wet and don't have eight pointy angles which leave your car just rolling down the road instead of sitting in one spot!
Code is like a box of chocolates. You never know who stuck a turd in there and why.
The Stupidest Man On Earth
SSDS Bug: Program should not start up
ZippoLag
- Joined on 03-18-2008
- Argentina
- Posts 108
disregard this edited post.-
"up and down, back and forth, faster, faster.."
PeriSoft
- Joined on 08-17-2007
- Posts 70
Daid, you may find "floating in cyberspace" fun, but I really get a charge out of:
Idiots:In other words the data never stays on a server "floating in cyberspace" which allows us to keep potential malfeasants in the dark.
Malfeasants! Pure class. They may have failed networking, but their vocabulary is splendorous.
curtmack
- Joined on 10-24-2007
- Posts 24
Frames don't hold a candle to some of the WTFs in this site... The text in the buttons doesn't actually remain in the buttons, spilling out onto the white background where it has to be selected to be read, the text size is too big on Firefox and looks like an "I can read too!" book for preschoolers, the "Welcome" line features marquee text, the highlighted text comes in the most atrocious color scheme I have yet to see (red on yellow), and the headers come in yellow on red (which is not that much better, but at least it doesn't burn my eyeballs out). The only thing it's missing is embedded MIDI and animation abuse. Let's open up the hood... Made by Frontpage Express, with not even enough care to fill in the description or keywords meta fields. Or the ALT text on any of the images. God help you if you visit this page in Lynx, because to the National Tap Dance Company you don't deserve to navigate their site. Which is a pity because I'm pretty sure it's the only way most people could stomach it. Also, all of the email addresses are muxed, which I guess is standard practice nowadays but I personally find it funny that a professional organization which is so powerful hackers fall to naught at their mere word would openly admit that they've had difficulties with script kiddies running google bots to harvest spam addresses. Surely they'd blame the fact that their front page is a mere .htm (not even .html!).
danixdefcon5
- Joined on 01-09-2007
- Mexico City, DF, Mexico
- Posts 356
rbowes:
You shouldn't trust SSL, according to the National Tap Ensemble's old FAQ Page:
"I would like to sign up online but your website has no security (such as SSL), so I cannot enter my credit card details on to it."
Incorrect. This is a professional, highly-respected organization so if we state that you can safely send an online transaction, you can. This site is secure. For your safety (and our peace of mind) we do not use "standard" security procedures such as SSL- which only secures PART of the process - but proprietary protocols which we won't disclose in detail here but permit immediate transfer of any data you submit to a completely secure location. In other words the data never stays on a server "floating in cyberspace" which allows us to keep potential malfeasants in the dark. One of the TRUE signs of a secure and/or encrypted transaction is NOT just a SSL "certificate" on a web page (those can just be bought, some are actually completely fake) or whatever your browser says to make you THINK that a site is "secure" (these schemes only enrich the Verisigns of the world) but the "shtml" part of a URL, which if fact you DO see in the URL immediately after you click "register" or "submit" on this site. For the record we have processed thousands of registrations and purchases over the years and I have never had one problem. However if you still have any doubt, you always have the option of printing a form and faxing it. That will delay its processing but the job will eventually get done.
Thanks go to The Web Application Hacker's Handbook for starting me on the search to find that quote. :)
Yipes. Back in December, I found out that a bus company had finally taken a shot at e-sales. Imagine my surprise when, after choosing my seat, I find myself on a plain-old http:// site asking for my CC details. Whoopsie! I e-mailed them about this, and they answered the common spam-can answers "We'll look into it". Except ... they actually did it. If you do buy a ticket from their site now, it will still ask for your address in a plain unencrypted site, BUT the actual CC transaction is done by a pass-through service by an actual bank. Kind of the lazy man's solution, but at least your CC details ain't floating out there.
This other site, however, would be blacklisted in my mind if they can't even know the difference between http and html. Sounds like those guys who tell me "my internet is broken!" when it is only the browser (usually IE) barfing.
BeenThere
- Joined on 04-11-2008
- Posts 108
danixdefcon5:Yipes. Back in December, I found out that a bus company had finally taken a shot at e-sales. Imagine my surprise when, after choosing my seat, I find myself on a plain-old http:// site asking for my CC details. My ISP still emails me a plaintext email receipt... complete with my entire SSN and CC number in it. My company has the contract for rebuilding our City's website....but they "know" technology so they don't need input from a company like us that doesn't even offer internet service... Regarding OP: I suspect clueless manager brought a concerned email from a customer to their 'tech' who then BSed their way through the conversation and it ended up in a faq.
de·bate: noun, verb, -bat·ed, -bat·ing. 1. a discussion, as of a public question in an assembly, involving opposing viewpoints. 2. (online, regarding politics or philosophy) a means to attempt to impress like-minded anonymous individuals under the guise of a civil discussion. also see: futility
MasterPlanSoftware
- Joined on 11-10-2006
- Posts 18
danixdefcon5:. tl;dnr Please do not quote the entire op when replying. We have all read it.
Yes, I have been banned. Thanks to all for a good time.
Tired of incompetent moderation? Wondering where all the clever discussion went? Try irc.slashnet.org #TDWTFMafia. We don't ban or kick and everyone is welcome.*
*Stupid people will be mocked mercilessly and encouraged to commit suicide, however.
belgariontheking
- Joined on 08-20-2007
- Cincinnati, OH, USA
- Posts 1,146
curtmack:Frames don't hold a candle to some of the WTFs in this site...
Which site? When you started, I thought you were going to talk about TDWTF. curtmack:God help you if you visit this page in Lynx, because to the National Tap Dance Company you don't deserve to navigate their site.
What?
This user has retired from TDWTF Forums, citing complete incompetence on the part of the moderators. Please continue to spam the addresses below.
PLEASE SPAM: jtobin@ohioinstituteofhealthcareers.edu jtobin@ohiobusinesscollege.edu