Because this is a security question which I believe has a factual answer, I put it in GQ.
I made a stupid mistake today. Ticket sales opened for something I really want to do next weekend, and only 100 tickets went on sale. The venue is selling the tickets via missiontix.com, and I quickly went on their site and bought my ticket. They have my name, address, and CC info.
Later I asked a buddy if he wanted to go with me. He said yes, but upon going to the website, noticed they didn’t have an https secure connection. I gave all my info via an apparently unencrypted connection over my college’s unsecured WiFi. Bad move.
Tonight I went back on and did some digging. Chrome states that the connection is in fact encrypted, but uses “obsolete TLS 1.2 cryptology.”
Web of Trust gives them a green “good site” rating, and I haven’t found any Google hits regarding security breaches at their site. Mission Tix themselves claim that their “secure server software (SSL) is among the best software available today for ensuring secure e-commerce transactions.”
I know nothing about network security. Should I start the process of canceling my credit card, or can I go ahead and order a ticket for my buddy?
The entire site doesn’t need to be secured, just the checkout routine, which does show HTTPS. TLS 1.2 isn’t obsolete, but it isn’t standalone - there are encryption components in each implementation. The statement by MissionTix is obviously written by a PR flack and means nothing. Google has been pushing web operators to replace the relatively insecure hashing algorithm SHA-1 with SHA-2, and these warnings are part of that.
Unless someone happened to be running Wireshark (or comparable software), intercepted your connection, cracked the encryption, and downloaded your CC data, you should be fine. The probability of that is low, because those skills are not commonplace, and because there would be much easier ways for someone with that skillset to make money than defrauding people like you (to a credit card scammer, known as a ‘carder’, your information is probably worth <$25).
I don’t think you need to cancel your credit card, but it’s a good habit to check your statement every month for any charges you aren’t familiar with (carders will charge you a few dollars a month for years, not make one large purchase). If you buy another ticket from the site, it’s best to do so on a secure network.
Some credit card companies (the one I know of is BofA) offer a credit card service, where you can get assigned a new credit card number with a low limit for one-time use. This is specifically designed for doing on-line purchases. (The new card number is linked to your regular card account, and your purchase gets billed to your regular account.)
I described it in some detail in this post about a year ago.
Here is BofA’s page describing the service.
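Added example, not part of any post in this thread: a reply above notes that TLS 1.2 is not standalone and that each connection has its own encryption components. This Python sketch splits a TLS 1.2 cipher suite name into those components and flags weak ones. The weak-component lists and the sample suite names are assumptions chosen for illustration, and the certificate's signature hash (SHA-1 vs SHA-2) is a separate property that the suite name does not show.

```python
# Added example: decompose an IANA-style TLS 1.2 cipher suite name.
# The lists below are this example's assumptions, not taken from the thread.
FORWARD_SECRET_KX = {"ECDHE", "DHE"}                 # ephemeral key exchanges
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")   # authenticated-encryption modes
BROKEN_CIPHERS = ("RC4", "DES", "NULL")              # "DES" also matches 3DES


def parse_suite(name):
    """Return key exchange, authentication, bulk cipher and hash of a suite name."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 style suite name: {name!r}")
    left, right = name[4:].split("_WITH_", 1)
    kx, _, auth = left.partition("_")
    cipher, _, digest = right.rpartition("_")
    if not digest.startswith(("SHA", "MD5")):   # e.g. ..._CCM suites carry no hash suffix
        cipher, digest = right, ""
    # With a single left-hand token (TLS_RSA_...), RSA does both jobs.
    return {"kx": kx, "auth": auth or kx, "cipher": cipher, "hash": digest}


def assess(name, protocol="TLSv1.2"):
    """List the weak components of a negotiated protocol version and suite."""
    s = parse_suite(name)
    issues = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        issues.append("protocol older than TLS 1.2")
    if s["kx"] not in FORWARD_SECRET_KX:
        issues.append("key exchange without forward secrecy")
    if any(b in s["cipher"] for b in BROKEN_CIPHERS):
        issues.append("broken bulk cipher")
    elif not any(a in s["cipher"] for a in AEAD_MARKERS):
        issues.append("non-AEAD cipher mode")
    return issues


if __name__ == "__main__":
    # Constructed sample inputs: all three are valid TLS 1.2 suites of very different strength.
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_RC4_128_SHA"):
        print(suite, "->", assess(suite) or "no weak components")
```

The same protocol version, TLS 1.2, yields an empty issue list for the first suite and one or two issues for the others, which is why a browser can label a TLS 1.2 connection either modern or obsolete.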