# Car rental websites and obscure security



## RogerS (4 Nov 2006)

Warning - both Sixt and Avis have websites that claim to send your credit card details 'securely'. They don't and can't since their websites are http and not https. 

I had a similar problem with a German hotel booking website but couldn't progress it further. I can with these UK sites :twisted: I feel a 'crusade' coming on !

EDIT: Looks as if they actually do use SSL by some obscure route ...but original post left for clarity for later readers


----------



## mr (4 Nov 2006)

Roger Sinden said:


> Warning - both Sixt and Avis have websites that claim to send your credit card details 'securely'. They don't and can't since their websites are http and not https.


That's not strictly the case; it's entirely possible that the data is transferred in an encrypted form. The lack of https indicates only that they're not using SSL to certificate the encryption, which is rather poor, as without the certification the user has no idea whether the transmission is securitised or not. Http addresses are also vulnerable to DNS spoofing, though it's not overly common because there are easier ways of getting the same data for whatever nefarious purpose. Not taking issue with your general point Roger, SSL is standard and should be used for that sort of thing, just pointing out that it is still possible to encrypt data transmitted via http, although the user should have little confidence in that security unless he had implemented it himself and knew it to be good. 
Cheers Mike


----------



## RogerS (4 Nov 2006)

mr said:


> Roger Sinden said:
> 
> 
> > Warning - both Sixt and Avis have websites that claim to send your credit card details 'securely'. They don't and can't since their websites are http and not https.
> ...



I agree but to encrypt over http implies that I have the encryption algorithm at my end, doesn't it? So how did I get it? Did my browser run some software that I'm not aware of? I don't think so but always willing to learn otherwise.

The major niggle is that their website implies that they use SSL...even to the extent of a link to Thawte or Verisign...and when you follow those links, their sites in turn state that SSL only works if the site is SSL...which, as you said above, is standard.

My gripe is that they are deliberately misleading folks. Your point about spoofing is very well made since anyone can spoof the Avis site, for example, and go on a phishing expedition.


----------



## mr (4 Nov 2006)

Encryption over http can be done with 3rd party software which lives on the server, something like Sitekey which several of the US banks use to verify their own identity to the user. Some of the US banks are on record as saying that https / SSL adds an unwanted step to the transaction and so they take measures like Sitekey to add in the securitisation without putting the burden on the user. They also take steps to tell the users what is going on on their sites. I imagine Avis and co aren't making this clear, if indeed this is what they're doing. It may be, since they mention Verisign or Thawte, that they are using SSL but only in instances where data like passwords and CC numbers are being transmitted. One way to find out is to enter an incorrect password at the login prompt, if such a thing exists, and if this is in fact the case the site should then redirect you to an https / SSL form so that you can enter the correct info. 

Having said all that, at the end of the day I'm with you as regards HTTPS (or not) and think it's very much easier to just use SSL, with or without a valid certificate, in order to demonstrate the security of any given transaction. 
Cheers Mike


----------



## RogerS (4 Nov 2006)

mr said:


> It may be that, since they mention Verisign or Thawte that they are using SSL but only in instances where data like passwords and CC numbers are being transmitted.



But SSL needs an https site, doesn't it? So if they are http then, ipso facto (always wanted to get that into a post :wink: ), they can't be using SSL.


----------



## mr (4 Nov 2006)

Https = SSL, yes, although the entire site doesn't need to be https. What I'm saying is that they may only be using SSL as a secondary means of passing data, or only for data that must be encrypted. It may be that they don't bother at the top level if they're only asking for details of when you would want to book a car, for example, and that the SSL doesn't become apparent until you get to the end of the transaction and have to input CC numbers. Have to say I haven't looked at the sites you mention, mainly because I expect to have to go through the whole quotation process to get anywhere near SSL. 
Cheers Mike


----------



## Newbie_Neil (5 Nov 2006)

Hi Roger

If you right click on the page you will probably see that it is securely encrypted.

Cheers
Neil


----------



## Anonymous (5 Nov 2006)

I don't know how you find the time to go on all these crusades Roger


----------



## RogerS (5 Nov 2006)

senior said:


> I don't know how you find the time to go on all these crusades Roger



Well... I can't get in the workshop at the moment  

mr - the request for credit card details comes in without redirection to any other https site. If you'd like to check it, the url is www.sixt.co.uk: click the van rental tab, just click any old pickup and delivery location from the pulldown, accept their suggested times, click onto the next page, select any vehicle at random, click next page... ignore the extras and just click next... should take you to the page that asks for your cc card details. Pretty quick and would appreciate it if you have the time... just to put my mind at rest that I'm not being a plonker  

Neil - most definitely NOT encrypted.


----------



## mr (5 Nov 2006)

Hi Roger 
I followed the click route through the sixt site. The pages carrying the form requesting credit card details are served from siteseal.thawte. It's a case of using 3rd party non-SSL encryption. There is also a wee button on the sixt page which says secured by Thawte with the wee padlock logo. Now obviously anyone can stick a graphic on a webpage, but when you click the button for verification you get a pop up back which returns the info

[ organization ]	Sixt GmbH und Co Autovermietung KG
[ domain ]	www.e-sixt.co.uk
[ country ]	Germany
[ current status ]	Valid
[ valid from ]	2006.02.14
[ valid until ]	2007.03.10

Which is probably as secure as you will get. They are possibly not making it as obvious upfront as one might like that it is a secure transaction, but it would appear that once it comes down to the actual transmission of important data the necessary security steps have been taken. I think it's a case of not wanting to redirect to https, rather in the way that the American banks I mentioned chose not to. 
Cheers Mike


----------



## RogerS (5 Nov 2006)

Hi Mike

Much appreciated. So how does it encrypt my data before I transmit it? That's the bit that's confusing me. Doesn't there have to be some code at my end plus a key in order to encrypt it?

Cheers
Roger


----------



## Newbie_Neil (5 Nov 2006)

Hi Roger

Following the link suggests, to me, that only the credit card number is encrypted.

Personally, I would not use this site.

Cheers
Neil


----------



## mr (5 Nov 2006)

Siteseal is a verification mark awarded by Thawte to indicate that they have verified the identity of the site bearing the logo, i.e. that Sixt is Sixt the car rental peeps rather than 5ixt the people who just want your cc info. It is given out, for want of a better word, as part of the Thawte SSL certification package, which suggests that the Sixt site is using SSL though not showing as https in the browser. They could be using something like HTTP over TLS (a newer form of encryption than SSL which addresses confidential information to a secured port and may not show out with the HTTPS headers). I'm afraid I don't know enough about TLS to be sure, though I know Thawte have been involved with TLS to date. If you're really that keen to know about TLS the rfc is here http://www.ietf.org/rfc/rfc2818.txt
Additionally, the siteseal mark as I understand it is actually served from Thawte themselves rather than being an image on the user's webpage, as another means of verifying the identity of the client site - in this case Sixt. 
Cheers Mike


----------



## RogerS (5 Nov 2006)

Cheers, Mike...curioser and curioser. So it still looks as if the credit card data is sent 'in clear' ...will investigate further.

Roger


----------



## froglet (5 Nov 2006)

I may be missing something here but both the "RETRIEVE CUSTOMER INFORMATION" and "RESERVE NOW" links on the reservation page are to https addresses. The browser will create a secure connection to the Sixt server before sending the HTTP post command containing your information.
While this is not the usual way of doing things, you would normally have the data entry page encrypted if only to give the user a sense of security when they see the padlock, as far as I see this is secure.

Graeme


----------



## RogerS (6 Nov 2006)

Hi Graeme

I did try looking at the page source but couldn't find any reference to https. Am I looking in the wrong place? The html that I saw did not show any of the detail in the frame where you enter your details or the Reserve Now button... so not sure where that page source is viewable from.

Selecting and dragging the icon for Reserve Now points to an http page..at least on Apple Safari it does.

mr - Digging around there seems to be something called SSLStream which seems to allow SSL over an http website, but I'm not sure. If I can get the time/remember how to use it, the bottom line for me is whether the data is encrypted or not, and so I will fire up CommView and capture exactly what data I'm sending when I hit Reserve Now


----------



## mr (6 Nov 2006)

It will be interesting to see what you're sending, obviously don't post it here  
Mike


----------



## froglet (6 Nov 2006)

I am using Firefox and when you hover over the two links they show as linking to https://www.e-sixt.co.uk/cgi-perl/rental/or#. If you look at the source for the frame you can see that the input form has the header `<form action="https://www.e-sixt.co.uk/cgi-perl/rental/or" method="post" name="resform">`. Of course it's possible that they are detecting the browser type and sending different pages back depending on the browser, but not using https on some browsers while claiming to be secure would be a nasty thing to do.

Graeme
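The situation Graeme describes, a form on a plain-http page whose `action` points at an https URL, is exactly the case the browser's address bar hides, so it is worth checking in the page source rather than trusting the padlock graphic. The script below is an added illustration, not code from the thread or from any of the sites discussed: it parses a constructed sample page (placeholder host, not Sixt's real markup), resolves each form's action against the page URL, and reports whether card fields would be posted over https, warning separately when the form itself arrived over http (the page could be altered before the user sees it, as the DNS-spoofing point earlier in the thread notes).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a booking page served over plain http whose payment
# form posts to an https action, plus a search form posting over http.
# Placeholder host; this is not the real site's markup.
PAGE_URL = "http://www.example-rental.test/cgi-perl/rental/or"
SAMPLE_HTML = """
<html><body>
<form action="https://www.example-rental.test/cgi-perl/rental/or" method="post" name="resform">
  <input type="text" name="ccnumber">
  <input type="text" name="ccexpiry">
  <input type="submit" value="RESERVE NOW">
</form>
<form action="/cgi-perl/rental/search" method="get" name="search">
  <input type="text" name="pickup">
</form>
</body></html>
"""

# Input-name fragments treated as sensitive (assumed heuristic list).
SENSITIVE = ("card", "ccnum", "cvv", "cvc", "password")


class FormAuditor(HTMLParser):
    """Collect each form's resolved action URL and the names of its inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the scheme of the page it sits on.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"name": a.get("name") or "", "action": action, "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return (form name, resolved action, has sensitive fields, verdict) per form."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for f in parser.forms:
        action_https = urlsplit(f["action"]).scheme == "https"
        sensitive = any(s in n.lower() for n in f["inputs"] for s in SENSITIVE)
        if sensitive and not action_https:
            verdict = "FAIL: sensitive fields posted over plain http"
        elif sensitive and not page_https:
            verdict = "WARN: posts over https, but the form itself was served over http"
        else:
            verdict = "OK"
        findings.append((f["name"], f["action"], sensitive, verdict))
    return findings
```

Run `audit_forms(PAGE_URL, SAMPLE_HTML)` to see the reservation form flagged WARN and the search form OK; point it at a saved copy of a real page's frame source to repeat Graeme's check without hovering over links.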


----------



## RogerS (6 Nov 2006)

Graeme...how curious. Checking FF, Safari and Opera on my Mac I only get http. Using FF on a PC I also only get http. Very strange.

However....I'd forgotten that on my Mac I run a handy little program called LittleSnitch which is effectively an outgoing firewall and it will alert you when a program is trying to access a previously unauthorised port/protocol. Opera has had little use and so when I navigated to the Reserve Now page, I got a warning from LittleSnitch asking me for permission to connect to sydney.thawte.com TCP port 443 SSL....which is good enough for me, I guess. 

As an aside, I then discovered that once you make your booking, they say 'OK - that was only a request...we'll get back to you within two days'. Huh? That IS really duff, if you ask me.

I'll still dig out CommView and give it a whirl


----------



## mr (6 Nov 2006)

Roger Sinden said:


> As an aside, I then discovered that once you make your booking, they say 'OK - that was only a request...we'll get back to you within two days'. Huh? That IS really duff, if you ask me.



Very


----------



## RogerS (9 Nov 2006)

Ah....there's nothing I like better than to make detailed plans, get up extra early, sit in stationary rush hour traffic for an hour en route to collecting my non-existent hire van because the pillocks at Sixt messed up the reservation :evil:


----------

