undefined | Better HN

0 pointstyingq9y ago0 comments

I suspect PCI is okay with it so long as it is an unsecure page that posts to a secure one. Not that it's a great idea, but it would be encrypted in transit.

Edit: It appears PCI DSS V3.2 does ask that the form itself be on a secure page (section 4.1.g):

"for browser-based implementations: 'HTTPS' appears as the browser Universal Record Locator (URL) protocol, and Cardholder data is only requested if “HTTPS” appears as part of the URL."

0 comments

Piskvorrr9y ago

Yeah, because MITMing the origin page to submit to evil.example.org is trivial.

jessaustin9y ago

In such a case one would expect the evil page to present something that looked like a credit card input to the user, but not to the browser. Sites would still want to use HSTS to combat the MITMing itself.

Piskvorrr9y ago

Nope, too risky. Just redirect to an evil HTTPS page, and do all your phishing there - look, it's got the green lock and everything >;-)

j / k navigate · click thread line to collapse

0 pointstyingq9y ago0 comments

I suspect PCI is okay with it so long as it is an unsecure page that posts to a secure one. Not that it's a great idea, but it would be encrypted in transit.

Edit: It appears PCI DSS V3.2 does ask that the form itself be on a secure page (section 4.1.g):

"for browser-based implementations: 'HTTPS' appears as the browser Universal Record Locator (URL) protocol, and Cardholder data is only requested if “HTTPS” appears as part of the URL."

0 comments

Piskvorrr9y ago

Yeah, because MITMing the origin page to submit to evil.example.org is trivial.

jessaustin9y ago

Piskvorrr9y ago

Nope, too risky. Just redirect to an evil HTTPS page, and do all your phishing there - look, it's got the green lock and everything >;-)

j / k navigate · click thread line to collapse