Red Pill Press is now an unsecured website???

rawtruth

Padawan Learner
Two days ago I received an email solicitation from Red Pill Press offering a 15% discount until Jan. 12. It also announced that Wave Book 8 could now be pre-ordered.

When I went to the website to order, I was shocked to discover that the page soliciting the customer's credit card info is not secured (no https in the URL).

When I have ordered books from them in the past, I know the site was secured because I always verify that it is before entering my credit card info.

Apparently in putting the "new look" on the website, someone neglected a most critical detail which exposes all online customers to potential compromise of their bank accounts.

This needs to be rectified immediately. Allowing unsuspecting customers to be preyed on by internet criminals is unacceptable for all legitimate businesses.
 
While that may be concerning, I wouldn't feel too comfortable about SSL on the HTTPS protocol either. Last September, hackers revealed they were able to decrypt secure HTTP connections. Although there are more recent versions of the protocol, most browsers hadn't caught up with the change, so servers couldn't implement the upgrade.

More at:
Hackers break SSL encryption used by millions of sites
_http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/


Fyi,
Gonzo
 
rawtruth said:
not secured (no https in the URL).

Hi, we have a few stores - which store was this?

Please provide a URL and we'll look into it.

Thanks.
 
I've actually encountered this same problem as well, when entering private information and such on RPP, back in August. I ended up just using snail mail for the transaction.
On the plus side, I just found out about Wave Volume 8 :thup: :thup:
 
Yup! I checked redpillpress.com.

The login/sign in/checkout page, at minimum, should be SSL activated so that private sensitive information is not sent unencrypted over the wire. There should not only be an https:// but also a padlock/key icon appearing in the browser, so don't enter any sensitive data if neither appears.

edit: correction
 
Hi,
I'm using PayPal in these transactions, which seems pretty secure.
Does anyone know if there would be any bug with PayPal?
 
Esote said:
Hi,
I'm using PayPal in these transactions, which seems pretty secure.
Does anyone know if there would be any bug with PayPal?

Esote,

When I go to the checkout payment page, I don't see any option to use PayPal. The only two options I see are credit card and check/money order.

I'm a registered PayPal user, but there is no way I can see to use PayPal on the redpillpress.com website.

How are you accomplishing this feat? :huh:
 
rawtruth said:
Esote said:
Hi,
I'm using PayPal in these transactions, which seems pretty secure.
Does anyone know if there would be any bug with PayPal?

Esote,

When I go to the checkout payment page, I don't see any option to use PayPal. The only two options I see are credit card and check/money order.

I'm a registered PayPal user, but there is no way I can see to use PayPal on the redpillpress.com website.

How are you accomplishing this feat? :huh:

There's no PayPal option on the site, but if you email sales@redpillpress, we can send PayPal information and work it out off-site.
 
The RedPillPress.com checkout process will be secured shortly. I'm afraid the payment service changed, and whereas the old service did not require our server to have an SSL cert, the new one does. Just a "minor oversight"... :shock:

Everything should be fully secure within 24 hours.
 
Gonzo said:
While that may be concerning, I wouldn't feel too comfortable about SSL on the HTTPS protocol either. Last September, hackers revealed they were able to decrypt secure HTTP connections. Although there are more recent versions of the protocol, most browsers hadn't caught up with the change, so servers couldn't implement the upgrade.

More at:
Hackers break SSL encryption used by millions of sites
_http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

Oops!

There was another "bug" in SSL a while ago, and most server software and most browsers were updated rather quickly. The only way people should still have problems is if they never update their software (which is generally a bad idea for this very reason). Even high-end SSL still isn't uber-secure, but it's about as safe as the average user can get on the net.

In many ways, HTTPS / SSL gives people a false sense of security. For example, on Sott.net, login/logout are encrypted (this makes sense) and also the Personalize page. This last part does NOT make sense, because anyone can find your name and e-mail address if they want to. But we made it encrypted anyway because it's more of a psychological thing. Even if your entire session is encrypted - from login, to surfing, to logout - with holes like the article you posted above, it's still not ever 100% secure.

Having said that, the best course of action is to at least use standard encryption practices for sites, because then at least you and your customers aren't an easy target for hackers.

So, um, yeah... Sorry about the gaping security hole on the RPP.com site! :-[
 
As a former ISP, you have all my empathy. You can't cover all the bases, all the time. Waaaay back, before automatic updates and patches, I barely slept. When I wasn't reading the latest security concerns, I was patching my servers. As soon as a new exploit was published, I'd start mitigating (shutting down ports, etc.) until a new patch or better solution came out. My ex-wife would often wake up to a strange beeping sound, come downstairs and find me passed out with my head on the keyboard. I just couldn't keep up.

Although things are slightly better now, there's still more to know than even a small team can possibly cover, let alone one person.

We appreciate all of your hard work and effort.

Gonzo
 
It seems to me that they still haven't fixed the problem, because I tried to order from their website and even though I did see the little padlock and https, it still didn't confirm my order. It took me to a blank page and my browser stated that it didn't support that format, whatever that means...

I contacted Redpillpress.com through email and phone, but am still waiting for a response from them... :-[
 