On Donating Online
Todd write a nice post over at his IBM blog about donating online. I wanted to comment on it and entered into the little wormhole of IBM's current registration system.
Like all registration systems, it asks for a lot of information (I'm guessing mostly for marketing purposes). It bounced me on my first try for a password (too short, that's fine). And it bounced me for not filling out a not-noted-as-required set of address fields (usually an asterisk accompanies fields which are required).
And...given that you have to register to comment, when it returned me back to Todd's latest post, I sort of expected to be able to add the comment. Sadly, no.
You have to log in again. My first shot failed (I'm guessing whatever is being used these days to copy authentication information around has a bit of a delay). My second attempt worked...but I got yet another form of information to fill out (here's a hint to whomever at IBM might read this: at this point you would have lost me entirely if it weren't for the fact that I owe Todd some link juice, and I enjoy taking potshots at IBM so I needed something else to blog).
Only after filling out yet another bit of information (I'm guessing DeveloperWorks has it's own marketing database which doesn't get populated by information from the intergalactic IBM database, so DW needs to ask a variety of bits of information, again) do I get a chance to make the comment, which at this point and my increasing years, I almost forgot. (My comment was essentially: also check to verify that pages are encrypted when you go to submit a donation, and that the encryption certificate matches the name of the organization you expect to be serving you the page).
Two additional observations: my own comment actually ends up being wrong, temporarily, for the American Red Cross site which has redirected donations to be served through Microsoft's MSN servers. At this point I should go on a digression about IBM and the ARC's DisasterRelief.org project, but I won't as it is pretty boring (well, except for the patent infringement case, and the corporate and non-profit politics that we encountered). Maybe some other day.
Anyway, observation two: we (the galactic those-of-us-who-can-stake-some sort-of-minor-claim-on-being-internet-pioneers, admittedly minor in my case) never quite got around to the fact that it's nice to serve up an encrypted page, but as far as I know no browser tells or warns you when you submit an encrypted form to whom you're submitting the form. Sure, Firefox and MSIE and every other browser will warn if the form is unencrypted, but I wonder how hard it would be to do the SSL CONNECT and pop up something if some level of the certificate doesn't match the certificate of the site which served up the form (No, I don't expect most people who read this site to understand that last comment, it's directed to Sean and Chet and Paul, assuming they're still reading here).
i.e. if the CN, OU and O don't match, or some level of them don't match (it's ok if the CN's don't match if the O and OU match), pop up a warning of some kind.
I mean, who cares if the content was encrypted when it was sent to you if I've managed to change the URL of the form to post to my little offshore bank account instead of the site you expected. As far as I know, no browser warns when the target's certificate does not match the certificate that served the original encrypted page. Browsers do warn if the submission is unencrypted, or if the CN doesn't match the hostname of the server when you connect via SSL.
Just an idea...maybe I'll submit it to Mozilla.
e.p.c. posted this at 18:13 GMT on 9-Sep-2005 . Archive Link