Hello Community - I've got an Actinic shop and (appended below) is an extract quoted from an email from a 'well-meaning' IT consultant suggesting that there's some 'lack of confidence' in my site security. I've got no idea whether it's just a 'scare' or if there's any 'truth' in what's written below? Anybody able to offer any views?
quote from an email received yesterday:
"I am an IT consultant who specialises in web applications - my apologies if
this email is a bit techy - I'm just trying to be helpful {honest}.
I wanted to place an order on your website, but I didn't because of lack of
confidence in your security!
Your website indicates that you manage secure payments:
"When the order is placed at our website, credit card numbers are encrypted
using 128 bit encryption. They are only decrypted after they reach our
computer..."
However, the page where you ask for credit-card details is NOT secure.
{it does a POST request to http://www.xxx.com/cgi-bin/os000005.pl}
This is via the standard HTTP protocol, which is UNENCRYPTED, thus allowing
customer credit card details to be intercepted by undesirables, and
contradicts your security statement quoted above.
I figured this may be an issue you are unaware of and may want to speak to
your web site hosting company ASAP as at best you may be losing the odd bit
of business, and at worst you are liable to potential legal action.
Once again, this email is intended as a friendly, public-spirited bit of
information sharing - so my apologies if it comes across as a bit
alarmist!"
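You can verify the consultant's claim yourself rather than taking either side on trust. What matters is not the padlock on the page you are looking at but the URL the card form actually submits to: the form's action attribute, resolved against the page URL the way the browser does it. If that resolves to http://, the card number travels in clear text no matter what the site's privacy statement says. The script below is an added example (not from the original post, from Actinic, or from the email's author) that parses a saved checkout page, finds the forms that ask for a card number, and reports the scheme each one posts to. The HTML, hostnames and paths in it are constructed for illustration; the card-field name hints are a heuristic, not a standard.

```python
"""Check whether HTML forms that collect card details submit over HTTPS.

Added example, not part of the original post or of Actinic's own code.
It reproduces the consultant's check: find the form that asks for card
details and look at where, and over what scheme, it POSTs.
All sample HTML, hostnames and paths below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Normalised (no '-' or '_') name/autocomplete fragments that usually mark a
# card-number field. Heuristic: extend it for the shop you are checking.
CARD_FIELD_HINTS = ("ccnumber", "cardnumber", "cardno", "ccnum", "creditcard")


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        if tag == "form":
            self._current = {
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action"),  # None when the form has no action
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Keep both name and autocomplete so either can identify a card field.
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("autocomplete") or "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collects_card_details(form):
    """True if any field name or autocomplete token looks like a card-number field."""
    for name, autocomplete in form["fields"]:
        for value in (name, autocomplete):
            norm = value.replace("-", "").replace("_", "")
            if any(hint in norm for hint in CARD_FIELD_HINTS):
                return True
    return False


def audit_card_forms(page_url, html):
    """Return (submit_url, method, secure) for every card-collecting form.

    A missing or relative action is resolved against page_url exactly as
    the browser would, so a form with no action on an http:// page is
    reported as insecure even though the HTML itself mentions no scheme.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not collects_card_details(form):
            continue
        submit_url = urljoin(page_url, form["action"] or "")
        secure = urlsplit(submit_url).scheme.lower() == "https"
        findings.append((submit_url, form["method"], secure))
    return findings


def report(page_url, html):
    """Human-readable lines, one per card-collecting form."""
    lines = []
    for submit_url, method, secure in audit_card_forms(page_url, html):
        status = "OK (HTTPS)" if secure else "INSECURE: card data sent in clear"
        lines.append(f"{method.upper()} {submit_url} -> {status}")
    return lines


# Constructed sample: one search form (ignored), one card form posting to
# plain http, one posting to https, one with no action at all.
SAMPLE_PAGE_URL = "https://www.example-shop.test/checkout.html"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/cgi-bin/search.pl">
  <input name="q"> <input type="submit">
</form>
<form method="post" action="http://www.example-shop.test/cgi-bin/order.pl">
  <input name="cardholder">
  <input name="card_number" autocomplete="cc-number">
  <input name="expiry">
</form>
<form method="post" action="https://secure.example-shop.test/cgi-bin/order.pl">
  <input name="ccnum">
</form>
<form method="post">
  <input name="cardnumber">
</form>
</body></html>
"""

if __name__ == "__main__":
    for line in report(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(line)
```

Save your own checkout page from the browser, feed it to audit_card_forms with the URL it was loaded from, and you get the same answer the consultant got by watching the POST. Two caveats worth knowing before you ring the host: the browser's network view (or a proxy such as Burp or Fiddler) shows the real submitted URL and is the final word if scripts rewrite the form on the fly; and an https action alone is not enough, because a checkout page that is itself delivered over plain http can be altered in transit to point the form somewhere else, so the page collecting the card details should be served over HTTPS as well as posting over it.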