(In)Secure Purchases: Part II

A follow-up to my post about insecure purchases.
Tuesday, October 25, 2005

This is a follow-up to a prior post.

the site is secure we promise. i don’t know why the little padlock doesn’t come up (i’m assuming that’s what you are referring to) you are more than welcome to call and place an order if you would like. 212-414-4533. ask for Joe or Steve. you can just give them your credit card info and then email your order to this email with mailing addy, etc.
thanks for your support of frenchkiss.

That was the response I received from French Kiss Records when I sent them a somewhat angry email about trying to sell records on the Internet without a secure server (read about Insecure Purchases).

At this point, I was taken aback a bit, thinking, “no matter how much you promise your site is secure, it is not unless I see the ‘little padlock,’” and I was ready to send them back an even angrier and definitely snottier response. Instead, I decided to try to give them some friendly advice:

I hope this email does not come across as flippant, as I am telling you this for your own benefit. I have been developing web apps professionally for 6 years, and so I have a modicum of authority in this regard.

The site is not secure if the little padlock does not show up. That padlock is displayed when the site is connected to over a secure channel called SSL. In a web app this happens when the website is visited with the prefix “https” instead of “http” and the server has a valid security certificate indicating that the server is in fact the one I expect to communicate with. If any of these pieces is not in place, then the site is not secure. I tried connecting using “https” but was denied access since the server certificate is not valid and the secure channel is not properly set up.

In this email, I also placed an order for the two The Hold Steady albums that I wanted, and then I called Joe to give him my credit card number in the most secure way they offered. I’m sure he wrote it down on a scrap piece of paper that is probably floating around their office now and will eventually wind up in the hands of an identity thief dumpster diving in New York City.
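The three conditions spelled out in the email to the label (an https connection, a certificate that a trusted authority vouches for, and a certificate that names the site the visitor actually typed) are exactly what a browser checks before it draws the padlock. The following Go program is an added example and not part of the original post: it builds a throwaway CA and a server certificate in memory with the standard library's crypto/x509 and runs those checks for a certificate that passes, one presented for the wrong host, and one whose issuer nobody trusts (the situation a shop without a valid certificate is in). The hostname shop.example-label.test and the CA name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ShopHost is a constructed hostname standing in for the label's web shop.
const ShopHost = "shop.example-label.test"

var nextSerial int64 // simple unique serial numbers for the throwaway certs

// issueCert creates a certificate; with parent == nil it is self-signed.
func issueCert(cn string, dnsNames []string, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames, // browsers match the host against SANs, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// padlockCheck runs the checks a browser makes before showing the padlock:
// chain to a trusted root, and name the host the user typed. A nil trusted
// root models "nobody vouches for this server".
func padlockCheck(leaf, trusted *x509.Certificate, hostname string) string {
	roots := x509.NewCertPool() // empty pool, so the system roots are not consulted
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:   roots,
		DNSName: hostname,
	})
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "padlock"
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	case errors.As(err, &authErr):
		return "untrusted issuer"
	default:
		return "error: " + err.Error()
	}
}

// PadlockScenarios returns the outcome of the three cases described in the lead-in.
func PadlockScenarios() (map[string]string, error) {
	ca, caKey, err := issueCert("Example Root CA", nil, true, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issueCert(ShopHost, []string{ShopHost}, false, ca, caKey)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"trusted CA, right host": padlockCheck(leaf, ca, ShopHost),
		"trusted CA, wrong host": padlockCheck(leaf, ca, "other.example.test"),
		"CA not trusted":         padlockCheck(leaf, nil, ShopHost),
	}, nil
}

func main() {
	fmt.Println(PadlockScenarios()) // prints the map of outcomes and a nil error
}
```

Only the first scenario yields "padlock"; the other two are the cases where a browser refuses the connection or shows a warning, which is why a promise that "the site is secure" carries no weight until the certificate actually validates for the name in the address bar.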