Monday, 29 March 2010

SSL and a false sense of security

I was speaking to a colleague recently about an issue he had, booking a hotel online using his credit card.  The website seemed secure enough, with a properly formed SSL certificate, which would lead you to believe that your credit card details are safe enough, the booking form being submitted through an encrypted channel.

To his horror, a day later my colleague received an email from the hotel confirming his reservation - and this email contained all of the details on his booking form, including his credit card details, security codes, etc., in perfectly clear text.  In his own words, after he calmed down, he called his bank and cancelled his credit cards.

I took a look at the website in question (which shall remain anonymous).  The fault was very simple: the site was secure and encrypted, but instead of actually processing the credit card, the site simply bunged the form contents into a plain-text email and emailed it to the hotel administrators to process offline!  This completely defeats the purpose of a secure site - the site may receive this data from your browser in a secure and encrypted fashion, but what the site does next - emailing this stuff in plain text - renders your sensitive data vulnerable to theft.

This had me thinking that this really can't be all that special a case.  Lots of mom-and-pop sites that take credit cards, whether to process a payment or maybe just hold a reservation, probably do just this.  Grab a free form mailer script (there are a great many of these around) and you are on your way.  I would guess that hundreds, if not thousands of websites out there, not intending to be fraudulent in any way, end up leaking credit card details in this manner.

To cut a long story short, I decided to do something about it.  I've written a browser plugin that detects such forms and warns users of the fact that their sensitive data may be publicly visible.  Currently, this plugin is only available for Google Chrome and Firefox browsers.  If you happen to use one of these, you're in luck.  If not, the plugin is open source; I recommend you try your hand at writing a plugin for your favourite browser based on what I have done.
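One way a client-side check for such forms could work, as an added example that is not the plugin's own code. The field-name and form-mailer patterns, the form descriptor shape and the sample forms are all assumptions made for illustration.

```javascript
// Added example: the heuristics below are assumptions, not the plugin's logic.
// Field names or autocomplete tokens that suggest card data is being collected.
const CARD_FIELD = /(card|cc)[-_ ]?(num|number|no)|creditcard|cvv|cvc|cv2|security[-_ ]?code/i;
// Form targets that suggest a form-to-email script rather than a payment processor.
const MAILER_ACTION = /^mailto:|formmail|form[-_]?mailer|sendmail|mail\.(pl|php|cgi|asp)/i;
// Hidden fields that name a mail recipient (e.g. FormMail's "recipient").
const MAILER_FIELD = /^(recipient|mailto|email_to|sendto)$/i;

// form: { action, fields: [{ name, type, autocomplete }] } is a constructed shape;
// in a browser extension it would be built from document.forms.
function assessForm(form) {
  const reasons = [];
  const fields = form.fields || [];
  const takesCard = fields.some(f =>
    CARD_FIELD.test(f.name || "") || /^cc-/.test(f.autocomplete || ""));
  // Forms that do not ask for card data are out of scope for this check.
  if (!takesCard) return { takesCard, risky: false, reasons };

  const action = (form.action || "").trim();
  if (/^http:/i.test(action)) reasons.push("action is plain HTTP");
  if (MAILER_ACTION.test(action)) reasons.push("action looks like a form mailer");
  const hidden = fields.filter(f => f.type === "hidden" && MAILER_FIELD.test(f.name || ""));
  if (hidden.length) {
    reasons.push("hidden mail-recipient field: " + hidden.map(f => f.name).join(", "));
  }
  return { takesCard, risky: reasons.length > 0, reasons };
}

// Constructed sample forms (hypothetical hosts and field names).
const SAMPLE_FORMS = {
  mailerBooking: {
    action: "https://hotel.example/cgi-bin/FormMail.pl",
    fields: [
      { name: "recipient", type: "hidden" },
      { name: "card_number", type: "text" },
      { name: "cvv", type: "text" },
    ],
  },
  gatewayCheckout: {
    action: "https://payments.example/charge",
    fields: [{ name: "number", type: "text", autocomplete: "cc-number" }],
  },
  contactForm: {
    action: "mailto:info@hotel.example",
    fields: [{ name: "name", type: "text" }, { name: "message", type: "textarea" }],
  },
};

for (const [label, form] of Object.entries(SAMPLE_FORMS)) {
  console.log(label, JSON.stringify(assessForm(form)));
}
```

A check like this only sees what the page exposes to the browser. A site that accepts the form over HTTPS and then emails it from server-side code with no tell-tale form target or hidden field will pass unflagged.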

Want to get the plugin?  Browse to the plugin's project page and try it out.

Want to see what it looks like?  Here is a screenshot of a test site I created, being "caught out" by the plugin.



Want to try it for yourself?  Browse to https://cc-nanny.appspot.com/test-secure-page.

Enjoy!
Manik
