Mirvish/TicketKing Lies About Security

February 1, 2010

Not cool in this geek’s books.


7 Responses to “Mirvish/TicketKing Lies About Security”

  1. Neil Conway Says:

    Not necessarily uncool: if the login page is delivered via HTTP and the POST goes to an HTTPS address, that would be fine…

  2. Mike Says:

    Unfortunately, it doesn’t look like it:


    See line 183.

    I’d be upset, but I can’t stay mad at Honest Ed.

  3. aran Says:

    I checked that before posting, actually.

    To be fair I haven’t heard of anyone exploiting this kind of thing in the real world except to demonstrate the theoretical possibility.

  4. Nick Says:

    Nice Photoshop job. That site has a https security link on it. Obviously you have nothing to do!

  5. aran Says:

    @Nick: Since your IP address is from TicketKing, I assume I’ve made you feel defensive. Apologies for that.

    But I assure you, no, not a photoshop job. The highlighting was done in Preview, and other than that I uploaded the screenshot unmodified. Login and registration are both over insecure links, which really wouldn’t be that much of a problem, except for the misleading statement.

    Fortunately, the credit card info is sent over https.

  6. Rory Says:

    Which show did you see?

  7. amos Says:

    Rory has the best comment

Comments are closed.

%d bloggers like this: