[Chugalug] OT: Chattanooga Technology Council

Mike Harrison cluon at geeklabs.com
Tue Aug 13 19:09:20 UTC 2013


On Tue, 13 Aug 2013, Stephen Haywood wrote:
> If any of you folks have contacts at the Chattanooga Technology Council 
> you may want to let them know about a problem with their "join" page. 
> Credit card forms should only be used on HTTPS pages.

Stephen,

I see it as: https://www.chattanoogatechnologycouncil.org/join/

Which is HTTPS

But I get warnings: "Connection Partially Encrypted"
The real issue is:

they are using "gravity forms" to collect credit card info,

http://www.gravityforms.com/

I'll wager the "CC Info" you supply is stored in plain text or trivially 
reversible encryption on the web server, and probably emailed to the Tech 
Council in plain text so they can see it, and enter it manually in 
someplace else. There is a small chance they are using Gravity Forms + 
Stripe http://wordpress.org/plugins/gravity-forms-stripe/ properly 
configured.

I know you are only an "Average Security Guy", but do you really want to
put that info into a WordPress site hosted on a shared server at
inmotionhosting.com? It looks like they have a dedicated IP
but their IP address range is shared by spammers, publicly published 
vulnerabilities http://myip.ms/view/ip_addresses/3636635648
and I'll again wager they are a shared site, not an isolated virtual 
machine.

Biggest crime: Not supporting a local(ish) technology company.
How could they possibly be the Chattanooga Technology Council,
located in "GigCity" and be putting their web host in Los Angeles?

--Mike--
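
The "Connection Partially Encrypted" warning mentioned above is what a browser shows when an HTTPS page loads some of its subresources over plain HTTP. The following is an added example, not part of the original message or the site's code: a small audit that lists plain-HTTP subresources and form targets in a page's HTML. The sample page and all `example.*` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser fetches as a subresource.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "embed": "src", "object": "data"}

class MixedContentAudit(HTMLParser):
    """Collect plain-HTTP subresources and form targets of one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def _check(self, kind, tag, value):
        # Resolve relative and protocol-relative URLs against the page URL.
        absolute = urljoin(self.page_url, value)
        if urlparse(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page URL itself.
            self._check("form-action", tag, (a.get("action") or "").strip())
            return
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        else:
            url = a.get(SUBRESOURCE_ATTRS.get(tag, ""))
        url = (url or "").strip()
        if url:
            self._check("subresource", tag, url)

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not the real join page).
SAMPLE_URL = "https://example.org/join/"
SAMPLE_HTML = """<head><link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/jquery.js"></script></head>
<body><img src="//img.example.net/logo.png">
<img src="http://img.example.net/badge.png">
<form method="post" action="http://example.org/join/submit">
<input name="card_number"></form>
<a href="http://example.com/">ordinary link, not a subresource</a></body>"""
```

Calling `audit(SAMPLE_URL, SAMPLE_HTML)` returns the script, the second image and the form target; the relative stylesheet, the protocol-relative image and the plain hyperlink are not flagged.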

