Computer/web design question

by TweetieBird 11 Replies latest jw friends

  • TweetieBird

    I need some help. Posted below is an email I received at work. I immediately forwarded it to our web-designer to find out if what this person says is true. He replied that it was a scam. I don't know if he was just trying to cover his butt or if it truly is a scam. If it is a scam, I can't figure out what this person is after. I know there are some computer buffs/web designers that post here, please read this and let me know if what this person says is true or if it is a scam.

    Thanks for your help.

    here goes:

    I'm a web designer who works for NAS Jacksonville, Florida. I'm looking
    for a lender for a home I wish to buy in Spring Park, and as a computer
    professional, I searched the web first. I found your site linked from
    http://www.floridasmart.com/re/mortgage.htm.

    Your web site claims to be secure, but it is not. When I clicked the
    link for the form, I noticed that the URL did not begin with https, it
    began http. If you were on a secure server, your URL would have to
    begin with https. I then looked at your code and found that it was NOT
    secure.

    If I were to report you, you could face fines of several thousand
    dollars for each person who sent you their social security number while
    believing to be using a secure, encrypted connection. You could also be
    individually sued by each of those people.

    As I have noticed three other companies (copied on this eMail) are also
    using this exact same form, I'm going to assume you have been duped by
    your web designer. It is also possible that your designer doesn't know
    him/herself, as I notice they used a web design program called FrontPage
    to build the site. FrontPage is never used by someone who actually
    knows how to code HTML, because professional web designers know that the
    software is very limited in its abilities. (The code it produces is
    shoddy and unstable except when using Internet Explorer.)

    I'm not trying to cause you trouble. In fact, I'm trying to save you
    from getting in trouble, so take this how you like. I also still
    haven't found a lender, so if any of you wish to contact me, please do
    so, but you may not use my eMail address for any other purpose than to
    contact me regarding a loan. You may not share it with any other person
    or company, you may not add it to a mailing database which you sell or
    share with any other entity, and you may not SPAM me with any
    unrequested eMail.

    Edited to take person's name out.

  • fodeja
    Your web site claims to be secure, but it is not. When I clicked the
    link for the form, I noticed that the URL did not begin with https, it
    began http. If you were on a secure server, your URL would have to
    begin with https. I then looked at your code and found that it was NOT
    secure.

    Well, the tone of that e-mail is sort of strange, the remarks about FrontPage are not entirely false, but irrelevant, and I don't know if it's actually possible to sue someone over this (OK, I guess in the USA it's possible :-)).

    However, the person has a valid point: sending sensitive personal data over an unencrypted link is a security risk. It doesn't take someone particularly skilled to exploit that risk, it only takes someone sitting at the right position between the user and the server with the necessary piece of software.

    f.

  • Moxy

    his use of terminology sounds pretty amateurish. i believe this is a matter for your legal dept. ianal, but i don't see how you could be sued for anything, unless you were making the claim that the form submission is using a level of security that it isn't, and even then it seems unlikely. any modern browser clearly identifies a form submission's level of security to the user so really the user can choose what they want to submit or not. i've never heard of a lawsuit brought against a website simply on the basis of the security level of a form submission. negligence would have to be involved.

    he has a well-deserved axe to grind with FrontPage, but that is not relevant.

    mox

  • julien

    I would take the message seriously and investigate the web pages in question to make sure they are in fact secure. If someone used the page thinking it was secure and their SSN or other information was compromised because the page was incorrectly done, I'd think your company would be liable for any damages. What he says about http vs. https is generally true for secure/insecure pages; when I see a page claiming security but the https or the lock icon is missing I call in the order instead. It is possible that there is some method of secure transmission being used that is not obvious at the client side; perhaps that is the case with your site.
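
As an added example (not part of the original thread or any poster's code), the check suggested in the reply above can be scripted: parse the page, resolve each form's action the way a browser would, and flag forms that collect sensitive fields but submit or are served over plain HTTP. The sensitive-name pattern, the sample markup and the `example.test` host are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE = re.compile(r"ssn|social|passw|card|account", re.I)  # assumed name pattern

class FormAudit(HTMLParser):
    """Collect each <form> with its action and any sensitive-looking inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self.in_form = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag == "input" and self.in_form:
            name = a.get("name") or ""
            if (a.get("type") or "").lower() == "password" or SENSITIVE.search(name):
                self.forms[-1]["fields"].append(name)
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit(page_url, html):
    """Return findings for forms that collect sensitive data insecurely."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["fields"]:
            continue
        # An empty or relative action resolves against the page URL, as in a browser.
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            findings.append(("cleartext-submit", target, form["fields"]))
        elif urlparse(page_url).scheme != "https":
            # HTTPS target, but the form itself arrived over HTTP and could be altered in transit.
            findings.append(("form-served-over-http", target, form["fields"]))
    return findings

# Constructed sample pages; example.test is a placeholder host.
SAMPLE = '<form action="apply.asp" method="post"><input name="applicant_ssn"><input name="city"></form>'
MIXED = '<form action="https://example.test/apply" method="post"><input type="password" name="pin"></form>'

if __name__ == "__main__":
    for html in (SAMPLE, MIXED):
        print(audit("http://example.test/loan/form.htm", html))
```

An empty result means no sensitive form was found going over HTTP; it says nothing about how the server stores or handles the data once it arrives.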

  • wannahelp

    I would look and double-check that your website is in fact using secure protocols..

    Other than that, it sounds to me like a sales pitch..

    BTW: I do not know law, but I believe that if you advertise a secure application page, and it isn't, that is false advertising.. You may be somewhat responsible for that (just guessing).. If you don't advertise a secure page, then I don't think they can do much..

    Basically, I think it is just a "I'm a web designer" doing an interesting twist on a sales pitch..

  • sleepy

    This Guy IS trying to rip you off.
    Although his points may be valid, he is using it to scare you into lending him money. Stay well clear.

  • mikepence

    I do computer software design for a major bank, Wells Fargo, and I work with encryption and sensitive customer data issues. This guy is correct that asking people to provide sensitive information on a form that is not using SSL (https://...) is taking a risk of legal exposure.

    XJW User Submitted News & Views at http://xjwnews.com

  • Kent
    Your web site claims to be secure, but it is not. When I clicked the
    link for the form, I noticed that the URL did not begin with https, it
    began http. If you were on a secure server, your URL would have to
    begin with https. I then looked at your code and found that it was NOT
    secure.

    I won't try to be a lawyer here, but what the guy said here is actually true.

    A so-called secure server uses HTTPS, and not HTTP. If anyone claims a transfer via the HTTP protocol is secure, the guy is a fraud - and if anyone bought a "secure server" where people are supposed to give personal information, these people could get into serious trouble.

    There are other ways of sending encrypted, secure transfers - but then you need to use certificates and stuff - and I bet your server doesn't do that.

    Don't pay this guy anything - but if you claim to have a secure server, get one - and don't trick people into getting in trouble. It may backfire BADLY!

    Yachyd Da

    Kent

    I need the new KM's as they come! Please send me scans!

    Daily News On The Watchtower and the Jehovah's Witnesses:
    http://watchtower.observer.org

  • Simon

    https just means that the communication between the server and the client is secure. It doesn't follow that the server itself is secure just because it uses https.

    As someone I worked with used to put it: https is like an armoured car delivering things between two cardboard boxes full of holes.

    You can have security without https but it is more comforting for the client. Having it doesn't mean your server is secure though, just that the line to the client can't be eavesdropped.

    I wouldn't worry about the email - he's just trying to panic someone into paying some money out I think.

  • rhett

    Where on your site do you claim that it is secure? I didn't see that anywhere. In fact, when I went to the link that you provided it only looked like a directory of other sites. Not a big shocker that this wouldn't be secured. I wouldn't sweat it.
    BTW, I do completely agree with the guy when he says Front Page sucks. I won't even touch it when I'm doing web design work. I am rather fond of Dreamweaver though.

    I don't need to fight
    To prove I'm right
    I don't need to be forgiven.
