Nov 09, 2008 14:21
I was making an online reservation at a hotel today and came across this interesting tidbit on the (major chain) hotel's reservation page:
"Due to system limitations please do not use the following characters: &, %, < and >."
Good lord. Why didn't they just say:
"Our developers didn't bother to do proper input validation and translation of special characters into and out of HTML entities. Since we didn't do this, our site is probably vulnerable to SQL injection and cross-site scripting attacks as well."
Most people, if they think about it at all, will assume the site is safe because it has a Verisign certificate and shows up with the lock icon in their browser. But all that means is that you know which site you are talking to, and that your data is fairly secure against real-time snooping in transit. If the site itself is badly coded, it means nothing.
Makes me feel real comfortable putting my credit card information in (I almost quit and called them instead).
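To make the point concrete, here is an added example (not code from the hotel's site or from this post) showing that the banned characters can be accepted safely if the application output-encodes them for each context: HTML entities for &, < and >, and percent-encoding for a literal % in a URL. The sample input is constructed.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample input containing every character the hotel site bans.
SAMPLE_INPUT = 'Smith & Sons <100% satisfied>'


def encode_for_html(text: str) -> str:
    """Output-encode untrusted text for an HTML text node or attribute value.
    '&', '<', '>' (and quotes) become entities, so the browser renders them
    literally instead of treating them as markup."""
    return html.escape(text, quote=True)


def decode_from_html(markup: str) -> str:
    """Reverse of encode_for_html: entities back to characters when reading
    a value back out of stored or transmitted HTML."""
    return html.unescape(markup)


def encode_for_url(text: str) -> str:
    """Percent-encode a value for use as one URL query component. A literal
    '%' becomes '%25' so it cannot be mistaken for an escape sequence."""
    return quote(text, safe='')


def decode_from_url(component: str) -> str:
    """Reverse of encode_for_url."""
    return unquote(component)


def round_trip(text: str) -> dict:
    """Encode a value for both contexts and decode it again, returning the
    intermediate forms so the caller can see nothing was lost or mangled."""
    as_html = encode_for_html(text)
    as_url = encode_for_url(text)
    return {
        'html': as_html,
        'url': as_url,
        'html_ok': decode_from_html(as_html) == text,
        'url_ok': decode_from_url(as_url) == text,
    }


if __name__ == '__main__':
    print(round_trip(SAMPLE_INPUT))
```

Encoding happens at output time, per context, so the stored value stays exactly what the customer typed; a character blacklist at input time is a sign that step was skipped.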
Yesterday I visited the site of another huge traditional retailer that I never use. I wanted to make a one-time gift purchase, and never intend to shop there on a regular basis. The site made me put in my credit card information (fine) but also made me create an account, and gave me no way to opt out of having my credit card stored on their back end. When I tried to remove it after I made my purchase, I got a 100% reproducible JavaScript error.
Come on, people. This is 2008. Security is not a "would be nice" add-on feature. We need companies to be criminally liable if they don't bother to implement well-known security practices and consumers suffer for their negligence.