POINTS TO PONDER
1) One of the top security tips given to users is to turn off all browser controls: ActiveX and JavaScript. Would our web sites still be able to function like this?
Editorial by Larry Seltzer: "Scriptless IE Not Worth It", 7/5/2004
2) Where did all the alternative e-commerce payment systems go? Only PayPal and a handful remain.
Irony: And the capper was the New York Times report that Flooz had unknowingly sold $300,000 of its "flooz" currency (redeemable for goodies from various e-commerce sites) over the past three months to a ring of hacker credit card thieves in Russia and the Philippines, before finally being alerted by the FBI.
"Don't Cry for Flooz, Beenz", Beth Cox, 08/29/2001
Alternative payment methods aren't necessarily more secure!
3) Do Digital Certificates make a difference?
"I visited www.palm.com to purchase something for my PalmPilot. When I went to the online checkout, I was redirected to https://palmorder.modusmedia.com/asp/store.asp. The SSL certificate was registered to Modus Media International; clearly a flagrant attempt to defraud Web customers, which I deftly uncovered because I carefully checked the SSL certificate. Not. Has anyone ever sounded the alarm in these cases? Has anyone not bought online products because the name of the certificate didn't match the name on the Web site? Had anyone but me even noticed... Digital certificates provide no actual security for electronic commerce; it's a complete sham."
Bruce Schneier, Secrets & Lies: Digital Security in a Networked World, p. 238-9
Of the e-commerce sites I've visited, the only one I've noticed with a certificate logo is overstock.com
Is this bad security or bad usability?
In case you can't read the screenshot, it explains how to sign out of Amazon's web site. This is a few levels into the web site--have you ever needed help escaping from any other web site? Once you're logged into Amazon, they don't want to let go--this session never expires!