hwg-basics archives Oct 2001 new search results previous next

Re: Form question

by "Paul Wilson" <webguroo(at)tampabay.rr.com>

 Date:  Thu, 4 Oct 2001 19:41:36 -0400
 To:  <jtpolk(at)texas.net>,
<hwg-basics(at)mail.hwg.org>
 References:  texas
  todo: View Thread, Original 
> It doesn't?? Version 5/5.5 seems to. I'm not sure as I refuse to use
> Microsoft's LookOut Virpress.

Maybe I didn't explain myself well.

All email and newsgroups are unsecure.  It doesn't matter which email
program or browser you use.  It's all unsecure.  That means that during
routing the packets are subject to interception.  This is why companies (
and evidently terrorists ) are turning to PGP and other security programs to
send confidential email.

If you create simple Perl or PHP scripts to gather form data, you also don't
get informed by the browser when it is unsecure.  This is why you NEVER put
your credit card number on an unsecure form.  If I click on "Send" on a form
that doesn't have a secure socket,  the data is sent unsecure.  There are
millions of unsecure forms out there. I have many customer query forms that
are not secure.  Not all forms require security.  They may be a simple
feedback form where the client types  "hey, where's my package?"

Since all email and news traffic is unsecure, and most standard forms are
unsecure - it does not make sense to have Netscape pop up and say - "Hey -
this is unsecure" for JS forms unless all browser and email companies do the
same thing for all forms of mail and for all transmission of form data.
Perhaps I dodn't make this point very well.

It does not make sense to only do it for JavaScript forms only.  It is no
more or less subject to interception during transmission than any other
unsecure method.  I stand beside what I said, this is stupid.  It
dangerously  implies that other ways of moving data are more secure when
they are not.

>The thing is that without that warning, someone could put graphical
>button on a page that when people clicked on it, seems to be a link, but
>also did nothing. I mean the page might quiver or something. Anyway,
>each click would get a new email address.

I have absolulutly no idea what you're trying to say here.  It sounds
paranoid.  Why would anyone create a web page that does something bad like
that when they can so easily be tracked down by any webmaster?

>Hey, think of working for a company. They put up an anonymous comment
>form. You fill it out, you click, all in privacy. The next week you are
>fired.

Not sure what that has to do with JS forms.  There are many ways to do this.
You could also do this stuff with Perl or PHP, ASP or Java.  Anonymity is
not ensured by any method.

>Huh?? Worked in Netscape. Again, I don't know how LookOut works

The third point I was talking about with JS,  was that if a client was using
a JS form, and they had JS turned off, it would not send the form.  The send
button would be dead.

>>>Yes there is, but there are big problems doing it this way.

This was the first line from my email which was meant to point out several
problems with using JS for forms or email.  I was not recommending it if
that's what you were thinking. Seems like you have a real issues with
JavaScript.


Paul Wilson
webguroo(at)tampabay.rr.com

HTML: hwg-basics mailing list archives, maintained by Webmasters @ IWA