Thursday, July 1, 2010

Voyage-Sncf: security design flaw, the trip reservation website of the main french rail company, is one the most important websites on the french IT market. Each day seven thousands of train tickets are bought on that precise website.

How crazy is it that my browser was telling me "This is a non-secure form".. blabla (see the screenshot above)?
Since I already was on an https webpage, I figured the form was sent unencrypted...

It would be too much unbelievable to be true. Maybe is-it a Safari bug?
However, after having a quick look at the source code, - by the way please double check the highlighted URL - where the form is submitted:

This is just crazy! The form is sent to an uncrypted webpage (the URL does start with http:// and not https://) After some recent privacy issues with a lot of names released cause of a lack of security issue, I just find it unbelievable such lack of rigor in the way programmers did build this application.

No comments:

Post a Comment