[bmwmthree]

Quote:

Originally Posted by skinrock

...who cares if the home page is secure, you're not submitting payment there.

https://www.paymate.com/PayMate/Expr...nt?popup=false

The actual payment page is secure, though.

And before you say anything about the login form on the home page - it posts to a secure script.

Not saying it's 100% safe, but attempting to say they don't use SSL is a bad choice of attack. I would be worried about whether or not they store your info or provide the ability to dispute transactions.

the homepage isn't encrypted but posts to a secure script..."Information sent over the Internet without encryption can be seen by other people while it is in transit."

coincidence that the owner is from sj and you're from sf...i think not...

[JayKay335i]

Sounds like a bunch of nigerian scammers who rim one another for sustenance

[skinrock]

Quote:

Originally Posted by bmwmthree

the homepage isn't encrypted but posts to a secure script..."Information sent over the Internet without encryption can be seen by other people while it is in transit."

coincidence that the owner is from sj and you're from sf...i think not...

Coming from the guy that lives in SoCal. I mean what's an hour vs. 5 hours at this point. I have lived and worked in SF since November, joined here in January, have a decent reputation here and a lot of friends from the NorCal section. I have no idea who this guy from San Jose is. It's obviously shady when he conveniently joins today out of the blue to make a random statement about a not so popular payment site. In fact, I agree that he's either affiliated with them or he's the guy trying to make the sale. I think the OP made the right choice by sticking with Paypal.

I just wanted to try and share a little information about SSL in general. It's funny that you quote the part that explains how SSL works. SSL is for data that is sent over the network. If you submit to an https url, the data will be encrypted and will be safe. This trick is used by a lot of high traffic sites that want a login form on their home page. They don't want to load the entire page in SSL because it is costly, but want to ensure the login form is posted securely. Don't believe me? Go to Facebook or Twitter, they both do the same thing. If you view the source of the page, the login forms post to https even though the page is loaded over non-SSL.

Admittedly there are some flaws with this approach. The first has nothing to do with security, but rather it's a user issue. Without the secure lock, users won't think it's secure (which is the basis of your original screenshot). The second would mean you have much more to worry about. It actually relates to the part you quoted. SSL is not just for submitting encrypted data, but also for when you load the page itself. So when the server sends the webpage unencrypted to your computer, someone between you and the server could sniff that data and alter it. This isn't your personal info being picked up, but theoretically just as bad. They could simply alter the form to post to their own script and get your information, and even worse - they could make it seem as if it posted properly and send you along your way without you knowing it. As I mentioned earlier, if you view the source of the page, you can see if it's being posted to SSL or not. But of course, 99% of users aren't going to do that. With that being said, it's not directly insecure to submit to an https page, and you're more likely to fall victim to man-in-the-middle by using unencrypted wi-fi, which should be an obvious no-no anyways.

tldr: http://www.sslshopper.com/article-ho...-with-ssl.html (I do cover the flaws in the last paragraph, but remember to read http://stackoverflow.com/questions/6...sl-login-forms to realize why man-in-the-middle is difficult)

Hope you find that helpful.

[bmwmthree]

Quote:

Originally Posted by skinrock

Coming from the guy that lives in SoCal. I mean what's an hour vs. 5 hours at this point. I have lived and worked in SF since November, joined here in January, have a decent reputation here and a lot of friends from the NorCal section. I have no idea who this guy from San Jose is. It's obviously shady when he conveniently joins today out of the blue to make a random statement about a not so popular payment site. In fact, I agree that he's either affiliated with them or he's the guy trying to make the sale. I think the OP made the right choice by sticking with Paypal.

I just wanted to try and share a little information about SSL in general. It's funny that you quote the part that explains how SSL works. SSL is for data that is sent over the network. If you submit to an https url, the data will be encrypted and will be safe. This trick is used by a lot of high traffic sites that want a login form on their home page. They don't want to load the entire page in SSL because it is costly, but want to ensure the login form is posted securely. Don't believe me? Go to Facebook or Twitter, they both do the same thing. If you view the source of the page, the login forms post to https even though the page is loaded over non-SSL.

Admittedly there are some flaws with this approach. The first has nothing to do with security, but rather it's a user issue. Without the secure lock, users won't think it's secure (which is the basis of your original screenshot). The second would mean you have much more to worry about. It actually relates to the part you quoted. SSL is not just for submitting encrypted data, but also for when you load the page itself. So when the server sends the webpage unencrypted to your computer, someone between you and the server could sniff that data and alter it. This isn't your personal info being picked up, but theoretically just as bad. They could simply alter the form to post to their own script and get your information, and even worse - they could make it seem as if it posted properly and send you along your way without you knowing it. As I mentioned earlier, if you view the source of the page, you can see if it's being posted to SSL or not. But of course, 99% of users aren't going to do that. With that being said, it's not directly insecure to submit to an https page, and you're more likely to fall victim to man-in-the-middle by using unencrypted wi-fi, which should be an obvious no-no anyways.

tldr: http://www.sslshopper.com/article-ho...-with-ssl.html (I do cover the flaws in the last paragraph, but remember to read http://stackoverflow.com/questions/6...sl-login-forms to realize why man-in-the-middle is difficult)

Hope you find that helpful.

I was just kidding around...lol. but, informative post none the less, thank you.

[skinrock]

Quote:

Originally Posted by bmwmthree

I was just kidding around...lol. but, informative post none the less, thank you.

That's all I wanted it to be I am a web software engineer, so you can see why this might hit home. Sometimes I can get carried away on a topic where I know something lol.

[BMW F22]

Quote:

Originally Posted by FStop7

Also, did you google paymate to see what came back? I found this, fyi

http://www.complaintsboard.com/compl...m-c351647.html

Yeah I saw that after Googling it a few days ago. That was one of the reasons why I was concerned. It looked crazy!