Java script, icons, html transitional, css and tables.

  • Thread starter Luigi Donatello Asero

Luigi Donatello Asero

On the homepage of the website https://www.scaiecat-spa-gigi.com
I tried to insert the QuickSSL Premium Smart Icon seal
to show that the site has been secured

Now, the problem is that the page

http://www.geotrust.com/quickssl_premium/install_seal.htm
suggests to use a Java script.
Using a Java script I cannot use html strict and CSS does not seem to work.
Thus I cannot center the text on the page unless I use a table for the
layout.
On the other hand, the icon is good to show that the site has been secured.
Any suggestions?
 

Richard Cornford

Luigi Donatello Asero wrote:
I tried to insert the QuickSSL Premium Smart
Icon seal
On the other hand, the icon is good to show that
the site has been secured. ...

I am always amused by the e-mail that I receive that states clearly at
the bottom that the contents and attachments have been scanned by some
anti-virus program and are certified virus free, I don't believe a word
of it.

Richard.
 

Luigi Donatello Asero

Richard Cornford said:
Luigi Donatello Asero wrote:



I am always amused by the e-mail that I receive that states clearly at
the bottom that the contents and attachments have been scanned by some
anti-virus program and are certified virus free, I don't believe a word
of it.

Richard.

Anti-virus program and virus do not have much to do with what I was writing
about, as far as I know.
 

Luigi Donatello Asero

Richard Cornford said:
Luigi Donatello Asero wrote:



I am always amused by the e-mail that I receive that states clearly at
the bottom that the contents and attachments have been scanned by some
anti-virus program and are certified virus free, I don't believe a word
of it.

Richard.

I am talking about server certificate and https protocols..
 

Richard Cornford

I am talking about server certificate and https
protocols..

You appear to be talking about an "icon" that "shows the site has been
secured".

Richard.
 

Michael Winter

On Fri, 31 Dec 2004 02:18:34 GMT, Luigi Donatello Asero

[snip]
I am talking about server certificate and https protocols..

Actually, you're talking about invalid mark-up. :p

As far as I can see, there's no reason whatsoever for you to use that
script. To be honest, you shouldn't when one considers just how badly
written it is. It boils down to including:

<a href="https://smarticon.geotrust.com/smarticonprofile?Referer=[current page host name]">
<img alt="Secured by GeoTrust" src="https://smarticon.geotrust.com/smarticon?ref=[current page host name]"></a>

in your document, although the mark-up above has better alternative text
for the image. The rest of it is completely useless context menu-blocking
code which won't work reliably anyway. The text, [current page host name],
should be replaced by the domain, and the protocol (https I'd assume),
from which you'd serve the document.

Before you go ahead and ignore the script, I'd make sure that you're able
to do it under their license terms[1]. If not, tell them that the code
they've produced is utter crap. You might also want to remind them that
Javascript is optional and that relying on it is a mistake.

If you really do have to use it, remove the language attribute from the
opening SCRIPT tag, and preferably put the SCRIPT element within a
block-level element so that the document tree remains valid after the
script has executed. I also assume that you need to correct the URL in the
src attribute to <URL:http://smarticon.geotrust.com/si.js>.

Good luck,
Mike


[1] They don't seem to publish the terms, which is why I didn't have a
look.
 

Beauregard T. Shagnasty

Luigi said:
http://www.geotrust.com/quickssl_premium/install_seal.htm
suggests to use a Java script.
Using a Java script ...

It is not a Java script. It is JavaScript.

Or, if you prefer, a JavaScript script. Java, an entirely different
language, has scripts as well.

Now, on to your question. I do not see anything in the script at
http://smarticon.geotrust.com/si.js
that would make your web site any more secure than mine. Why don't you
just steal the icon from their page and put it on yours? The whole
thing reads like a scam.

"This GIF is a sample snapshot of the QuickSSL Premium site seal. The
actual site will *disable right click and save features* and will
display a live date / time stamp much like the True Site displayed on
the bottom of this page" [asterisks mine. Harhar!]

Oh, and it won't run in my browser ...
 

Luigi Donatello Asero

Beauregard T. Shagnasty said:
It is not a Java script. It is JavaScript.

Or, if you prefer, a JavaScript script. Java, an entirely different
language, has scripts as well.


I know that.
I just forgot that I had to write it in one word.
Now, on to your question. I do not see anything in the script at
http://smarticon.geotrust.com/si.js
that would make your web site any more secure than mine. Why don't you
just steal the icon from their page and put it on yours? The whole
thing reads like a scam.


As far as I understand, the script itself does not make the page more sure
than any other.
It only informs that the page has been secured.
Steve Pugh, I think was writing some weeks ago about https protocol and the
like
"This GIF is a sample snapshot of the QuickSSL Premium site seal. The
actual site will *disable right click and save features* and will
display a live date / time stamp much like the True Site displayed on
the bottom of this page" [asterisks mine. Harhar!]

Oh, and it won't run in my browser ...



What do you mean?
 

Luigi Donatello Asero

Richard Cornford said:
You appear to be talking about an "icon" that "shows the site has been
secured".

Yes. What does it have to do with antivirus?
 

Luigi Donatello Asero

Michael Winter said:
On Fri, 31 Dec 2004 02:18:34 GMT, Luigi Donatello Asero

[snip]
I am talking about server certificate and https protocols..

Actually, you're talking about invalid mark-up. :p


I was talking about that too. However, it now validates as html
transitional.
I would rather use php script or some other script which is executed on the
server and not on the client but I do not know whether I may set the icon
that way.
Now, to be honest, I still do not understand why you are against server
certificates.
Was Steve not for them anyway? Aren't there many banks which use secure
connections and https protocols?

Now Verisign is one of the companies which offers these certificates but
their prices are more expensive, so that's why I took the one from Geotrust
then. But I did not order it myself, my webhost did it for me and installed
it. So, do you mean now that my webhost did not install it correctly or is
it just the icon which does not work?

As far as I can see, there's no reason whatsoever for you to use that
script. To be honest, you shouldn't when one considers just how badly
written it is. It boils down to including:

<a href="https://smarticon.geotrust.com/smarticonprofile?Referer=[current page host name]">
<img alt="Secured by GeoTrust" src="https://smarticon.geotrust.com/smarticon?ref=[current page host name]"></a>

in your document, although the mark-up above has better alternative text
for the image. The rest of it is completely useless context menu-blocking
code which won't work reliably anyway. The text, [current page host name],
should be replaced by the domain, and the protocol (https I'd assume),
from which you'd serve the document.


Do you mean https://www.scaiecat-spa-gigi.com should be written instead for
Before you go ahead and ignore the script, I'd make sure that you're able
to do it under their license terms[1]. If not, tell them that the code
they've produced is utter crap. You might also want to remind them that
Javascript is optional and that relying on it is a mistake.


Actually, I have already written to them because I do not like Javascript.
I prefer scripts which are executed at the server such as php.
But I did not realize that the javascript that they wrote was so bad.

If you really do have to use it, remove the language attribute from the
opening SCRIPT tag, and preferably put the SCRIPT element within a
block-level element so that the document tree remains valid after the
script has executed. I also assume that you need to correct the URL in the
src attribute to <URL:http://smarticon.geotrust.com/si.js>.

Good luck,
Mike


[1] They don't seem to publish the terms, which is why I didn't have a
look.

Can you find something there
http://www.geotrusteurope.com/corporate/legal/pdfs/quickssl_premium_SA.pdf ?
 

Luigi Donatello Asero

Beauregard T. Shagnasty said:
JavaScript is disabled.


You are right about that.
On the other hand, you can go on and click on the links anyway.
You just do not see any icon.
What about the fact that the website is secured.
Do you have any reason to believe that it is not?
What do you see on the bottom right corner of the browser?
Does it show that the page is secured or not?
 

Beauregard T. Shagnasty

Luigi said:
You are right about that.
On the other hand, you can go on and click on the links anyway.
You just do not see any icon.

Nor does that script execute.
What about the fact that the website is secured.
Do you have any reason to believe that it is not?
What do you see on the bottom right corner of the browser?
Does it show that the page is secured or not?

Seeing as how it is https, my browser shows a 'padlock'. So what does
this mean to the average visitor? It means that the download is slower
due to the encryption. On a normal page, it is useless. On a page
where you are taking info - a form, a credit card - it means that
their credit card numbers may not be able to be intercepted as easily.

So, why don't you just use it (https) on a page where you take a
credit card number? IMO, there isn't any other real reason to do it.
 

Luigi Donatello Asero

Beauregard T. Shagnasty said:
Nor does that script execute.


Seeing as how it is https, my browser shows a 'padlock'. So what does
this mean to the average visitor? It means that the download is slower
due to the encryption. On a normal page, it is useless. On a page
where you are taking info - a form, a credit card - it means that
their credit card numbers may not be able to be intercepted as easily.

So, why don't you just use it (https) on a page where you take a
credit card number? IMO, there isn't any other real reason to do it.


There are many reasons to do it.
Please visit http://www.ebusinesslex.net
Just to mention a few things:
1) it is important that the user can send data through the encryption so that
confidential data cannot be intercepted as easily
2) it is also important that the user can identify who offers a product or a
service. A https protocol says that the site
https://www.scaiecat-spa-gigi.com is really this and not some other.
This is important for all the pages.
Most pages are available also as on http://www.scaiecat-spa-gigi.com
Under the circumstances the user can choose to navigate the unsecure version
if he or she prefers to do so.
Some pages, however are going to be available only as https, for example
forms.
As to credit card numbers should create a connection from a form where the
user would fill the number of his or her card to a database?
The user should wait for my answer anyway, that means, that I open the data
base, take the number and so on.
In other cases however it could be automatised. For example the user could
fill in a form with the number of his card and get a password from the data
base. Afterwards he could use the password to download e-books or may-be to
have access to some information sites.
What do you think?
Last but not least, is it necessary to get a special permission from Visa to
get the money by credit cards?
 

rf

Beauregard T. Shagnasty said:
So, why don't you just use it (https) on a page where you take a
credit card number? IMO, there isn't any other real reason to do it.

Paranoia?
 

Joel Shepherd

Luigi Donatello Asero said:
Beauregard T. Shagnasty said:
On a normal page, it [https] is useless.

Just to mention a few things:
1) it is important that the user can send data through the encryption so that
confidential data cannot be intercepted as easily

If the data being sent actually _is_ confidential, then sure.
2) it is also important that the user can identify who offers a product or a
service. A https protocol says that the site
https://www.scaiecat-spa-gigi.com is really this and not some other.
This is important for all the pages.

If this is of such pressing importance, why is it that so few sites that
live and breathe by the trust their customers have in them bother to use
https for the entire site? Example: my employer (you've heard of them)
is fanatical about securing customer data, and about security in
general. But for just looking around the site, doing searches, adding
items to a cart, etc., plain ol' http is used. It's important to secure
against risk, but it's also important to objectively identify where the
risk is.
The user should wait for my answer anyway, that means, that I open the data
base, take the number and so on.

How secure _is_ that database, by the way? Does it have any sort of
password protection? How secure is the password and how often is it
changed?

Are the credit card numbers highly encrypted *in* the database? No? Then
couldn't some enterprising young thief simply extract the plain-text
credit card number from the database and start charging? (Answer: yes.)
If you have to bring the credit card number up on your screen in
plain-text, what is to stop some enterprising young thief from
screen-scraping it? (Answer: precious little.)

It seems to me that if you're really concerned about security and
safe-guarding your customers' valuable data, it's issues like those that
you ought to be worrying about, not about someone somehow corrupting
your sales information pages. That is a minuscule threat. Extracting
plain-text credit card numbers from any sort of data store is a real and
present threat.
Last but not least, is it necessary to get a special permission from Visa to
get the money by credit cards?

Yes, you need an account with them. Also, be aware that credit card
companies charge their clients (that'd be you) a small surcharge:
usually several percent of the amount charged will go to the credit card
company and not to yourself.
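
The two questions above (are the numbers encrypted in the database, and must the full number appear on screen) can be illustrated with the following added example, which is not part of the original post. It is a Node.js sketch; the function names, the row layout and the in-memory demo key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: the real key lives in a secret store or KMS, outside the database
// that holds the ciphertext. A random key is generated here so the demo runs.
const DEMO_KEY = crypto.randomBytes(32);

// Luhn checksum: rejects mistyped numbers before anything is stored.
function luhnValid(pan) {
  if (!/^\d{12,19}$/.test(pan)) return false;
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = Number(pan[pan.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Build the row that goes into the database: AES-256-GCM ciphertext plus the
// last four digits, which is all a support screen needs to show.
function sealCard(pan, customerId, key = DEMO_KEY) {
  if (!luhnValid(pan)) throw new Error('not a valid card number');
  const iv = crypto.randomBytes(12); // fresh nonce per record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(customerId))); // ties ciphertext to this customer
  const ct = Buffer.concat([cipher.update(pan, 'utf8'), cipher.final()]);
  return {
    customerId,
    last4: pan.slice(-4),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Decrypt only at the moment of charging; throws if the row was altered
// or moved to another customer.
function openCard(row, key = DEMO_KEY) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(row.iv, 'base64'));
  d.setAAD(Buffer.from(String(row.customerId)));
  d.setAuthTag(Buffer.from(row.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(row.ciphertext, 'base64')), d.final()]);
  return pt.toString('utf8');
}

// What an operator's screen shows instead of the full number.
function maskForScreen(row) {
  return '**** **** **** ' + row.last4;
}
```

A dump of the table then yields only ciphertext and the last four digits; the full number is recoverable only by a process that also holds the key.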
 

Oli Filth

Luigi said:
Another opinion than yours?

I think this was discussed in a thread a few weeks ago. It really is
paranoid to worry about the security of the information used for general
browsing and conclude that you need to use HTTPS for every page. There
are far more likely targets for hackers when it comes to your website's
security, like your database, or even your server itself. No amount of
HTTPS will prevent this.

A challenge: Try and find an established e-commerce site that uses HTTPS
for all its pages. Doing this might help convince you that the "HTTPS
everywhere" approach really is "paranoia".

Oli
 

Michael Winter

Yes. What does it have to do with antivirus?

Richard was making a comparison.

Think about the massive worldwide virus outbreaks that were spread by
e-mail. You can be certain that many of the individuals and organisations
that were infected scan incoming mail. Similarly, some of those that
(unintentionally) helped spread the infection also scanned outgoing mail.

The moral here is just because someone (or something) says "this is fine"
doesn't automatically make it so. Anyone could forge the seal image and
put it on their site; it doesn't mean anything. Only the certificate
itself matters.

Mike
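
The point that only the certificate matters, as an added example that is not part of the original post: a seal image looks the same on any page that embeds it, whereas the checks below read fields of the certificate a server presents. SAMPLE_CERT and all of its values are constructed, and the function names are illustrative.

```javascript
const tls = require('node:tls');

// Constructed sample in the shape returned by tls.TLSSocket#getPeerCertificate().
// Every value here is made up for the demonstration.
const SAMPLE_CERT = {
  subject: { CN: 'www.scaiecat-spa-gigi.com' },
  issuer: { O: 'Example CA (constructed)' },
  subjectaltname: 'DNS:www.scaiecat-spa-gigi.com',
  valid_from: 'Dec 15 00:00:00 2004 GMT',
  valid_to: 'Dec 15 00:00:00 2005 GMT',
};

// Returns a list of reasons why `cert` does not vouch for `host` at time `now`.
// An empty list means the name matches and the date is inside the validity window.
function certificateProblems(host, cert, now = new Date()) {
  const problems = [];
  // Node's own host name check against subjectAltName (or CN as a fallback).
  const nameError = tls.checkServerIdentity(host, cert);
  if (nameError) problems.push('name: ' + nameError.message);
  if (now < new Date(cert.valid_from)) problems.push('date: not yet valid');
  if (now > new Date(cert.valid_to)) problems.push('date: expired');
  return problems;
}

// Live variant (needs network access, so it is defined but not called here).
// With default options tls.connect() also verifies the chain up to a trusted
// root and emits 'error' if that fails.
function inspectLive(host) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port: 443, servername: host }, () => {
      const cert = socket.getPeerCertificate();
      socket.end();
      resolve({ issuer: cert.issuer, problems: certificateProblems(host, cert) });
    });
    socket.on('error', reject);
  });
}
```

The same constructed certificate passes for the host it names and fails for any other host or after its expiry date, which is exactly what a copied image cannot express.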
 

Michael Winter

However, it now validates as html transitional.

As I said at the end of my previous post, removing the language attribute
would allow the element to validate under a Strict DTD. Don't go to
Transitional just to accommodate them (especially as it's not necessary).

[snip]
Now, to be honest, I still do not understand why you are against server
certificates.
Was Steve not for them anyway? Aren't there many banks which use secure
connections and https protocols?

Now Verisign is one of the companies which offers these certificates but
their prices are more expensive, so that's why I took the one from
Geotrust then. But I did not order it myself, my webhost did it for me
and installed it. So, do you mean now that my webhost did not install it
correctly or is it just the icon which does not work?

None of these comments have anything to do with me. I only discussed the
script. Make sure you direct your replies to the right people.

[MW:]
The text, [current page host name], should be replaced by the domain,
and the protocol [...].

Do you mean https://www.scaiecat-spa-gigi.com should be written instead
[...]

Yes.

[Licensing terms]

There doesn't seem to be anything in that document, nor a similar one in
their legal section, that refers to the seal at all so there can't be any
terms attached to its inclusion. As far as I can see, the seal's only
purpose is to allow visitors easy (and simplified) access to the
certificate information.

Mike
 
