I had this exact same thing happen.  I emailed their webmaster and explained
why it was insecure, and they still swore I had no idea what I was talking
about.  It was fixed a couple of weeks later.

> -----Original Message-----
> From: Dave Sherohman [mailto:esper at sherohman.org]
> Sent: Friday, January 05, 2001 10:04 AM
> To: 'tclug-list at mn-linux.org'; TCLUG
> Subject: Re: [TCLUG] OT: Secure web without https?
> 
> 
> On Fri, Jan 05, 2001 at 01:32:43AM -0600, Austad, Jay wrote:
> > View the source of the page.  If the form submit's the data 
> to an https://
> > url, then you should be able to consider it secure.  Many 
> sites outsource
> > their card processing, and some card processors will accept 
> data from a POST
> > operation to their site from the customers web page.  
> > 
> > Go over the HTML carefully though to be sure.
> 
> A side note on this:
> 
> I've encountered one site which had this backwards:  They 
> swore up and down
> that their credit card info page was "certified 100% as 
> secure as it gets",
> and it was - the page was served via https.  But the submit 
> button was an
> http link.  Fortunately, Netscape caught this and warned me 
> about it.  (But,
> of course, when I told them about it, they told me I didn't 
> know what I was
> talking about, repeated their litany about how secure the 
> form is, and,
> ultimately, did nothing about it.)
> 
> So cravat empty and all that stuff.
> 
> -- 
> SGI products are used to create the 'Bugs' that entertain us 
> in theatres
> and at home. - SGI job posting
> Geek Code 3.1:  GCS d? s+: a- C++ UL++$ P++>+++ L+++>++++ E- 
> W--(++) N+ o+
> !K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G 
> e* h+ r y+
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>