[cfgeeks] I should be green and ripping my clothes off......
Kevin P. Inscoe
kevin at inscoe.org
Sat Mar 3 07:55:25 EST 2007
Dave Hudson wrote:
> I'm so angry right now!
>
> If you saw my post the other night about SETF.com being unsecured....
>
> A "rep" from their site called me and she immediately attacked me and
> treated me like an idiot.
>
> She tried to tell me "The FAQ explains how it works, it is secure".
>
> She ended up hanging up on me when I tried to explain that yes... "I
> understand your web developers are retarded and designed a site using FRAMES
> and put the secure pages inside the FRAME. What I am trying to explain to
> you is that my LOGIN information (uname/pword) are being passed unsecure.
> So someone can capture my credentials and login AS ME. So who cares if
> everything past that point is secure, I've already been compromised".
>
> I created a page to demonstrate... feel free to share with all your hacker
> friends....
>
> http://davehudson.net/setf/
I went to that link (setf.com) and viewed the source. The login part is
inside an iframe:
https://customerpage.jmfamily.com/Siteminderfiles/home.asp?TYPE=33554433&REALMOID=06-8dbedf0c-7e90-448a-92d0-7ae2cee7cbd8&GUID=&SMAUTHREASON=0&TARGET=http://customerpage.jmfamily.com/controllers/protected/initialize.asp
so yes they are launching you to an SSL site when you click go.
jmfamily.com does off-site loan payment processing.
However I do note they are only using rc4 128 bit and the openssl that we
use is capable of quite a bit more than that. :-)
Our commerce sites use rc5 (still crackable but not in flight) 256 bit AES
In fact one of our developers is on this list. :-)
--
Kevin P. Inscoe Amateur Radio Call Sign: KE3VIN/AG
Deltona, FL 32738 28.9497N by 81.1952W
kevin [at] inscoe [dot] org http://kevininscoe.com
GPG 0x61288D53
"Gold is valueless until mined, oil is useless at the bottom of
the well." - James B. Garfield
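The "view the source and find where the login really goes" check Kevin describes above, as an added example that is not part of the thread: it walks a page's HTML, records every frame/iframe target and every form that carries a password field, and flags a credential path as insecure unless both the hosting page and the target are https (an http outer page can be altered in transit, so the frame's https destination cannot be trusted). The page URL and the HTML are constructed samples.

```python
"""Flag login forms and login frames whose credential path is not end-to-end https."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []        # list of (kind, target_url, is_secure)
        self._form = None         # resolved action URL of the form being parsed
        self._form_has_pw = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            self._record("frame", a["src"])
        elif tag == "form":
            self._form = urljoin(self.page_url, a.get("action") or "")
            self._form_has_pw = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._form_has_pw = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form_has_pw:          # only forms that collect a password matter
                self._record("login-form", self._form)
            self._form = None

    def _record(self, kind, target):
        url = urljoin(self.page_url, target)
        # Credentials are only protected when the page hosting the form AND
        # the place they are sent to are both https; an http host page can be
        # rewritten on the wire to point the frame or form anywhere.
        host_ok = urlsplit(self.page_url).scheme == "https"
        target_ok = urlsplit(url).scheme == "https"
        self.findings.append((kind, url, host_ok and target_ok))


def audit(page_url, html):
    parser = LoginAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: a plain-http page framing an https login page and
# carrying its own relative-action password form.
SAMPLE = ('<html><body><iframe src="https://login.example/home.asp"></iframe>'
          '<form action="/login"><input type="password" name="pw"></form></body></html>')

if __name__ == "__main__":
    for kind, url, ok in audit("http://www.example/", SAMPLE):
        print(f"{kind:10s} {url:40s} {'ok' if ok else 'INSECURE'}")
```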