Amiando and the apparent SSL certificate

This is the 2nd time I’ve booked tickets through http://www.amiando.com/, an on-line ticket system. They have a system where you can embed a widget in the event organiser’s website, so the whole order happens on their website. This creates problems.

This should set alarm bells off with everyone.

They aren’t using an SSL certificate. An SSL certificate means that all traffic between your web browser and the web server is encrypted and no-one can listen in. (If you’re using an open wifi spot at a coffee shop, listening in is very easy.) Someone listening in could get your credit card details, so using an SSL certificate for important data like credit card details is essential.

Except they are: If you use a tool to investigate the AJAX calls, you will see that every single one is to an https server. They use encryption for all your data.

So that’s fine then? Umm, no.

Web browsers provide tools to users to show them when an encrypted connection is being used. We should be training users to look for them and to refuse to use websites that don’t have them. Amiando undermines this education effort.

The 1st time I used Amiando was for a big conference, a couple of hundred people. When I saw this I stopped my order and complained to the organisers. After a bit of to-ing and fro-ing I paid by bank transfer instead. But when I was there I had a chat to the event organisers, trying to educate them nicely, and the event organisers informed me in a slightly exasperated manner that I was the only one to complain. So much for the education effort then. The argument about how you educate users effectively is a big one.

Still, I would really like Amiando to sort this out. We should be educating users about security.
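An event organiser can check for the situation described above before publishing a page that embeds a ticket widget. The following is an added example, not code from the original post or from Amiando; the hostnames, the sample HTML and the finding names (`hidden-tls`, `plain-frame`, `plain-form`) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an organiser's page embedding a ticket widget.
SAMPLE_HTML = """
<h1>Conference tickets</h1>
<iframe src="https://widget.example/shop/123"></iframe>
<iframe src="//widget.example/banner"></iframe>
<form action="/newsletter"><input name="email"></form>
"""

class _Collector(HTMLParser):
    """Collects iframe sources and form actions from a page."""
    def __init__(self):
        super().__init__()
        self.frames, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self.frames.append(attrs["src"])
        elif tag == "form":
            self.forms.append(attrs.get("action") or "")

def audit_embed(page_url, html):
    """Return a list of (kind, url) findings for the page at page_url."""
    collector = _Collector()
    collector.feed(html)
    parent_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for src in collector.frames:
        target = urljoin(page_url, src)  # also resolves //host/... URLs
        scheme = urlsplit(target).scheme
        if scheme == "https" and not parent_secure:
            # Encrypted inside the frame, but the address bar shows no sign of it.
            findings.append(("hidden-tls", target))
        elif scheme == "http":
            findings.append(("plain-frame", target))
    for action in collector.forms:
        target = urljoin(page_url, action)  # an empty action posts to the page itself
        if urlsplit(target).scheme == "http":
            findings.append(("plain-form", target))
    return findings

if __name__ == "__main__":
    for finding in audit_embed("http://events.example/tickets", SAMPLE_HTML):
        print(finding)
```

Serving the same sample page from an `https://` URL clears all three findings, which is the parent-page fix suggested in the comments below.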

1 thought on “Amiando and the apparent SSL certificate”

  1. http://twitter.com/danfrydman says “@jarofgreen it runs an iframe though, right? I booked using @amiando this week and was sure that while the main page wasn’t SSL, they were.”

    I said “@danfrydman @amiando they do actually use SSL but if you’re not a developer it looks like they don’t. That’s what I object to.”

    http://twitter.com/felixhaas says “@jarofgreen @danfrydman yes we of course use SSL but it does not appear in the URL line as it’s only used in the iframe …”

    http://twitter.com/danfrydman “@felixhaas @jarofgreen whenever we use SSL in a page frame or widget, we’ll always run the parent page in SSL – just good manners”

    I said “@felixhaas I know you use SSL, I’m a developer. But normal ppl can’t tell. @danfrydman point on manners is right http://wp.me/p1if9P-1c”

    http://twitter.com/danfrydman “@jarofgreen but with a widget placement in a site it isn’t @amiando’s responsibility to enforce SSL – but guidance needed @felixhaas”

    I said “@danfrydman @felixhaas But widget makes @amiando look bad – *looks* like no security. Maybe there is a case for enforcement, guidance def.”
