BMW M3 Forum (E90 E92)

EclipsisNA
      08-14-2011, 03:03 AM   #23
bmwmthree
Captain
 
 
Drives: bmw
Join Date: Aug 2010
Location: so cal

Posts: 699
iTrader: (8)

Quote:
Originally Posted by skinrock View Post
...who cares if the home page is secure, you're not submitting payment there.

https://www.paymate.com/PayMate/Expr...nt?popup=false

The actual payment page is secure, though.

And before you say anything about the login form on the home page - it posts to a secure script.

Not saying it's 100% safe, but attempting to say they don't use SSL is a bad choice of attack. I would be worried about whether or not they store your info or provide the ability to dispute transactions.
the homepage isn't encrypted but posts to a secure script..."Information sent over the Internet without encryption can be seen by other people while it is in transit."

coincidence that the owner is from sj and you're from sf...i think not...

__________________
Quote:
Originally Posted by LuvMyRide View Post
And BMWM3 ..I will be filing a harassment suit against you and/or charges. See you in court very very soon. Thanks.. Have fun with your nonsense.
      08-14-2011, 03:08 AM   #24
JayKay335i
Banned
 
Drives: ///M323 DCT
Join Date: Apr 2009
Location: North Dakota; its best DUHHHHHH

Posts: 5,047
iTrader: (1)

Sounds like a bunch of nigerian scammers who rim one another for sustenance
      08-14-2011, 04:02 AM   #25
skinrock
Agent Smith
 
 
Drives: 2013 Fusion AWD
Join Date: Jan 2011
Location: The Matrix

Posts: 2,860
iTrader: (9)

Garage List
2007 335i  [3.45]
Quote:
Originally Posted by bmwmthree View Post
the homepage isn't encrypted but posts to a secure script..."Information sent over the Internet without encryption can be seen by other people while it is in transit."

coincidence that the owner is from sj and you're from sf...i think not...
Coming from the guy that lives in SoCal. I mean what's an hour vs. 5 hours at this point. I have lived and worked in SF since November, joined here in January, have a decent reputation here and a lot of friends from the NorCal section. I have no idea who this guy from San Jose is. It's obviously shady when he conveniently joins today out of the blue to make a random statement about a not so popular payment site. In fact, I agree that he's either affiliated with them or he's the guy trying to make the sale. I think the OP made the right choice by sticking with Paypal.

I just wanted to try and share a little information about SSL in general. It's funny that you quote the part that explains how SSL works. SSL is for data that is sent over the network. If you submit to an https url, the data will be encrypted and will be safe. This trick is used by a lot of high traffic sites that want a login form on their home page. They don't want to load the entire page in SSL because it is costly, but want to ensure the login form is posted securely. Don't believe me? Go to Facebook or Twitter, they both do the same thing. If you view the source of the page, the login forms post to https even though the page is loaded over non-SSL.

Admittedly there are some flaws with this approach. The first has nothing to do with security, but rather it's a user issue. Without the secure lock, users won't think it's secure (which is the basis of your original screenshot). The second would mean you have much more to worry about. It actually relates to the part you quoted. SSL is not just for submitting encrypted data, but also for when you load the page itself. So when the server sends the webpage unencrypted to your computer, someone between you and the server could sniff that data and alter it. This isn't your personal info being picked up, but theoretically just as bad. They could simply alter the form to post to their own script and get your information, and even worse - they could make it seem as if it posted properly and send you along your way without you knowing it. As I mentioned earlier, if you view the source of the page, you can see if it's being posted to SSL or not. But of course, 99% of users aren't going to do that. With that being said, it's not directly insecure to submit to an https page, and you're more likely to fall victim to man-in-the-middle by using unencrypted wi-fi, which should be an obvious no-no anyways.

tldr: http://www.sslshopper.com/article-ho...-with-ssl.html (I do cover the flaws in the last paragraph, but remember to read http://stackoverflow.com/questions/6...sl-login-forms to realize why man-in-the-middle is difficult)

Hope you find that helpful.

Last edited by skinrock; 08-14-2011 at 04:28 AM.
      08-14-2011, 04:27 AM   #26
bmwmthree
Captain
 
 
Drives: bmw
Join Date: Aug 2010
Location: so cal

Posts: 699
iTrader: (8)

I was just kidding around...lol. But, informative post nonetheless, thank you.
      08-14-2011, 04:30 AM   #27
skinrock
Agent Smith
 
 
Drives: 2013 Fusion AWD
Join Date: Jan 2011
Location: The Matrix

Posts: 2,860
iTrader: (9)

Garage List
2007 335i  [3.45]
Quote:
Originally Posted by bmwmthree View Post
I was just kidding around...lol. but, informative post none the less, thank you.
That's all I wanted it to be. I am a web software engineer, so you can see why this might hit home. Sometimes I can get carried away on a topic where I know something lol.
      08-14-2011, 09:57 AM   #28
BMW E90
Major General
 
 
Drives: E90 335i
Join Date: Nov 2005
Location: Around the Bay

Posts: 8,210
iTrader: (8)

Quote:
Originally Posted by FStop7 View Post
Also, did you google paymate to see what came back? I found this, fyi

http://www.complaintsboard.com/compl...m-c351647.html
Yeah I saw that after Googling it a few days ago. That was one of the reasons why I was concerned. It looked crazy!
All times are GMT -5. The time now is 08:34 AM.