This is the 2nd time I’ve booked tickets through http://www.amiando.com/, an on-line ticket system. They have a system where you can embed a widget in the event organiser’s website, so the whole order happens on their website. This creates problems.
This should set alarm bells off with everyone.
They aren’t using an SSL certificate. An SSL certificate means that all traffic between your web browser and the web server is encrypted and no-one can listen in. (If you’re using an open Wi-Fi spot at a coffee shop, listening in is very easy.) Someone listening in could get your credit card details, so using an SSL certificate for important data like credit card details is essential.
Except they are: If you use a tool to investigate the AJAX calls, you will see that every single one is to an https server. They use encryption for all your data.
So that’s fine then? Umm, no.
Web browsers provide tools to users to show them when an encrypted connection is being used. We should be training users to look for them and to refuse to use websites that don’t have them. Amiando undermines this education effort.
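To make the distinction concrete, here is an added example (not code from Amiando or from the original post) that takes a HAR capture exported from the browser's network tools and reports whether the data-carrying requests are encrypted and whether the page in the address bar is itself on HTTPS. The function name `auditCapture`, the verdict strings and the sample hosts are assumptions made for illustration.

```javascript
// Classify a HAR capture (HAR 1.2 field names): is the address-bar page on
// HTTPS, and do the requests that carry a body go over HTTPS?
// Data passed only in a GET query string is not counted here.
function auditCapture(har, pageUrl) {
  const isHttps = (u) => new URL(u).protocol === "https:";
  const bodyMethods = ["POST", "PUT", "PATCH"];
  const dataRequests = har.log.entries
    .map((e) => e.request)
    .filter((r) => bodyMethods.includes(r.method) || Boolean(r.postData));
  const plaintextData = dataRequests
    .filter((r) => !isHttps(r.url))
    .map((r) => r.url);
  const pageSecure = isHttps(pageUrl);

  let verdict;
  if (plaintextData.length > 0) {
    verdict = "data-sent-in-plaintext";
  } else if (!pageSecure) {
    // The situation in the post: the data is encrypted in transit, but the
    // top-level page is plain HTTP, so the browser shows no HTTPS indicator.
    verdict = "encrypted-but-no-browser-indicator";
  } else {
    verdict = "encrypted-with-browser-indicator";
  }
  return { pageSecure, dataRequests: dataRequests.length, plaintextData, verdict };
}

// Constructed sample capture with hypothetical hosts (not real endpoints).
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "http://events.example/tickets" } },
  { request: { method: "GET", url: "https://widget.example/embed.js" } },
  { request: { method: "POST", url: "https://widget.example/api/order",
               postData: { mimeType: "application/json", text: "{}" } } },
] } };

console.log(auditCapture(sampleHar, "http://events.example/tickets"));
```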
The 1st time I used Amiando was for a big conference, a couple of hundred people. When I saw this I stopped my order and complained to the organisers. After a bit of to-ing and fro-ing I paid by bank transfer instead. But when I was there I had a chat to the event organisers, trying to educate them nicely, and the event organisers informed me in a slightly exasperated manner that I was the only one to complain. So much for the education effort then. The argument about how you educate users effectively is a big one.
Still, I would really like Amiando to sort this out. We should be educating users about security.