ietf

Re: Social event registration security

2000-11-11 10:30:04
   Date: Wed, 8 Nov 2000 17:53:45 -0800 (PST)
   From: Andreas Gustafsson <gson(_at_)nominum(_dot_)com>

   Looks like the IETF49 Social Event and LAN Card Registration Page at
   <http://www2.eventreg.com/ietf_reg/ietf_reg.html> will send your
   credit card number over the net unencrypted.  Could someone fix this,
   please?

Upon further investigation, there doesn't appear to be a non-web
alternative for registration.  

Also, if you go to the top-level page at www2.eventreg.com, you'll find
the default Microsoft IIS page, complete with "sample pages and
application ideas" and "sample site" links.  If you go to the sample
database link, you can "click here" to create a database for the sample
applications.

Hmm..... This isn't calculated to give me a warm and fuzzy feeling about
the time spent by whoever set up this Windows NT server.  I wonder if it
has the latest security patches applied?  I wonder if it would be a good
idea to trust my credit card number to it?  (NOT.)

I guess I'll have to register on-site and forgo the T-shirt.  (Darn.
Like I needed Yet Another T-Shirt.  :-)

                                                - Ted

P.S.  Maybe someone from Cisco and Qualcomm can have a little chat with
whatever contractor set up the server?  I didn't do much prodding, but
I'd guess the chances are pretty high that there are some security
vulnerabilities left on that machine.


