Re: Ordering CDs in Europe becoming increasingly difficult

[Jussi Peltola]

On Fri, Jul 09, 2010 at 01:34:26AM +0200, Floor Terra wrote:
> > I admit that I'm a bit ignorant here, as I've myself never
> > administered an SSL web site, but I am not convinced by this: Doesn't
> > the above just mean that it switches to HTTPS *after* transmitting my
> > information in the clear? Or can someone else explain if and/or how
> > the above is sane?
> >
> 
> From a quick glance at the website:
> You get an empty form delivered over plain http. The form submits to
> an https page.
> This means the content of the form is only transmitted over https.
 
Unless the attacker substitutes the page with another one that can send
your password wherever he wants...

Re: Ordering CDs in Europe becoming increasingly difficult

[OpenBSD Europe Orders]

We have made it very clear on our website.

If you wish to avoid the account creation/order process please email us 
your order directly.


We're working on the other issues.

Thanks,

Re: Ordering CDs in Europe becoming increasingly difficult

[OpenBSD Europe Orders]

ropers wrote:

On 22 May 2010 11:01, Lyn Done wrote:

Sorry that you have concerns about buying from us.

We have moved to a new, more secure ecommerce system which is compliant
under PCI-DSS, so that you need have no concerns about the security of
entering your personal or card details. We were unable to transfer across
the information from the old system, so that yes, you can use your previous
details on the new site or different details - you can change this
information at any time in the future. Once you enter any information on the
login page, then it forces an https call, so the site is totally secure with
your details.


I admit that I'm a bit ignorant here, as I've myself never
administered an SSL web site, but I am not convinced by this: Doesn't
the above just mean that it switches to HTTPS *after* transmitting my
information in the clear? Or can someone else explain if and/or how
the above is sane?


Please ignore the guess work.

Re: Ordering CDs in Europe becoming increasingly difficult

[Ted Unangst]

On Thu, Jul 8, 2010 at 7:22 PM, ropers  wrote:
> I admit that I'm a bit ignorant here, as I've myself never
> administered an SSL web site, but I am not convinced by this: Doesn't
> the above just mean that it switches to HTTPS *after* transmitting my
> information in the clear? Or can someone else explain if and/or how
> the above is sane?

Instead of asking people to guess what's happening based on your
observation of what you think your browser is doing, wouldn't it make
sense to just watch your network traffic and know for certain?

Re: Ordering CDs in Europe becoming increasingly difficult

[Floor Terra]

On Fri, Jul 9, 2010 at 1:22 AM, ropers  wrote:
> On 22 May 2010 11:01, Lyn Done wrote:
>> Sorry that you have concerns about buying from us.
>>
>> We have moved to a new, more secure ecommerce system which is compliant
>> under PCI-DSS, so that you need have no concerns about the security of
>> entering your personal or card details. We were unable to transfer across
>> the information from the old system, so that yes, you can use your previous
>> details on the new site or different details - you can change this
>> information at any time in the future. Once you enter any information on the
>> login page, then it forces an https call, so the site is totally secure with
>> your details.
>
> I admit that I'm a bit ignorant here, as I've myself never
> administered an SSL web site, but I am not convinced by this: Doesn't
> the above just mean that it switches to HTTPS *after* transmitting my
> information in the clear? Or can someone else explain if and/or how
> the above is sane?
>

>From a quick glance at the website:
You get an empty form delivered over plain http. The form submits to
an https page.
This means the content of the form is only transmitted over https.

-- 
Floor Terra 
www: http://brobding.mine.nu/

Re: Ordering CDs in Europe becoming increasingly difficult

[ropers]

I have also voiced concerns to OpenBSDEurope and I also have not
ordered OpenBSD 4.7:

On 22 May 2010 01:00, ropers wrote:
> You seem to have migrated to a new e-commerce system; I'm not sure I
> like having to create an additional account and remember yet another
> password. Before I just plugged in my credit card details and was
> done.
>
> If I do create an account with you, would I have to use the same email
> address I used when I ordered 4.6 to avail of the account? Could I
> change it later?

What really scared me however was this:

> NB: Also, on your order/checkout page, the link doesn't turn into a
> HTTPS one until *after* the user has entered their password. This
> can't be good.

To which they replied:

On 22 May 2010 11:01, Lyn Done wrote:
> Sorry that you have concerns about buying from us.
>
> We have moved to a new, more secure ecommerce system which is compliant
> under PCI-DSS, so that you need have no concerns about the security of
> entering your personal or card details. We were unable to transfer across
> the information from the old system, so that yes, you can use your previous
> details on the new site or different details - you can change this
> information at any time in the future. Once you enter any information on the
> login page, then it forces an https call, so the site is totally secure with
> your details.

I admit that I'm a bit ignorant here, as I've myself never
administered an SSL web site, but I am not convinced by this: Doesn't
the above just mean that it switches to HTTPS *after* transmitting my
information in the clear? Or can someone else explain if and/or how
the above is sane?

> I understand your worry about 'creating an account',  however you are only
> giving us the address details that we need to ship to you, and we allow you
> to enter a password, so that you can return to the site, and check orders,
> and of course when you buy from us again, you don't have to enter the detail
> again...

I find having to deal with another password and account and having to
trust another person to safeguard my personal information they keep on
file and online long after the order is fulfilled much more annoying
than having to type in my address and payment details again. Some
people find it more convenient to create additional accounts, or even
log in with their Google or Facefook accounts (gah! yeuch!). If
anything, it should be my choice whether I want to do that.

/my 2 cents

regards,
--ropers

Re: Ordering CDs in Europe becoming increasingly difficult

[Andres Genovez]

Hi, well to say: ComputerShop even ship to Banana Republic (Ecuador) South
America, It takes a week, its quickly (i am serious) :)

--
Atentamente

Andris Genovez Tobar / Sistemas
Personal:  andresgeno...@gmail.com
http://www.crice.org

Re: Ordering CDs in Europe becoming increasingly difficult

[Kevin Chadwick]

Worked fine fro me in firefox at 4.7 release time, though I couldn't get
the order placed via my symbian phones browsers. After a few tries I got
through to visa verification and then it went nowhere. Not sure if
that's visas fault, as I usually avoid using my phone for ordering.

Re: Ordering CDs in Europe becoming increasingly difficult

[Benny Löfgren]

Jona Joachim wrote:

Hi,
I've been buying every CD release over the last couple of years. I
purchased 4.6 from openbsdeurope.com and it was just as comfortable as
with Wim the years before.
However I haven't purchased 4.7 yet because the ordering involves too
much hassle.
openbsdeurope.com now requires you to create an account in order to
place an order, that's really annoying. On top of that the regex they
use to verify your e-mail address is flawed.

I read http://www.openbsd.org/orders.html in order to find shops in
France (where I live) that carry the OpenBSD CD sets.
There are 2 listed:
- http://www.eyrolles.com/
  I couldn't find OpenBSD in their online shop.

- http://www.lmet.fr/
  They sell the CDs for 57 EUR compared to 38 EUR for openbsdeurope.com.
  They also want you to create an account.

I could order from the Computer Shop of Calgary but that would involve
big shipping costs.

Ordering the CD sets just isn't as much fun anymore as it used to be.


I would have to agree with your observations. I did order the 4.7
release and some other stuff from openbsdeurope.com, and it was anything
but easy. The stuff did arrive in time though, so with that I have 
absolutely no complaint!


Here's a copy of my views on the "user experience" they present. I had
to cram it into a small HTML form window on their site:

8<8<8<8<8< (cut)

Hi!

I just made a purchase of OpenBSD 4.7 and some assorted stuff (order no
xxx), and while struggling with the ordering process I found some bugs
in your system that you might want to look into for improving the
"customer experience".

I don't know how the formatting will work in this small text window, but
here goes:

- Can't enter international phone numbers (+468, +46707), the system
complains of "must enter UK area (01, 02) phone number" (or something
similar) although I've specified Sweden as country.

- Can't use international characters (although you've noted that
yourself already). This is actually more than a nuisance, since these
characters are a natural part of our language. Imagine if someone told
you that you could not use for example the letters E, S and P, wouldn't
you find that highly disruptive?

- Can't check the box for delivery insurance until I've clicked "I have
read and agree to the terms of sale" (for the SECOND TIME!), and that
click box is on the very lowest portion of the page. Unintuitive! And
please don't make the customer agree to the terms of sale more than once.

- The URL to the Terms of sale (on both pages where one should agree to
them...) is incorrect, yielding an error page on my browser.

This is the one you link to that doesn't work:

http://www.shop.openbsdeurope.com/terms.html

Either of these work:

http://www.openbsdeurope.com/terms.html

http://shop.openbsdeurope.com/terms.html

- On the final "Payment Details" page, you state the transaction fee
when paying via Bank Transfer to be GBP -2.11, a negative value. I
seriously doubt you will refund me GBP 2.11 if I pay by Bank Transfer. :-)

Feel free to contact me if you have any questions or comments.

Best regards,

Benny Lofgren
Internetlabbet AB (www.internetlabbet.se)
Sweden

(And when submitting this form I again stumbled on the "Invalid
characters in response" thing due to the fact that I accidentally wrote
my name as it should be written (I have a letter o with diaeresis in my
last name) and not the way you want it.)

8<8<8<8<8< (cut)


--
internetlabbet.se / work:   +46 8 551 124 80  / "Words must
Benny Lvfgren/  mobile: +46 70 718 11 90 /   be weighed,
/   fax:+46 8 551 124 89/not counted."
   /email:  benny -at- internetlabbet.se

Re: Ordering CDs in Europe becoming increasingly difficult

[Jona Joachim]

On 2010-07-08, OpenBSD Europe Orders  wrote:
> Jona Joachim wrote:
>> Hi,
>> I've been buying every CD release over the last couple of years. I
>> purchased 4.6 from openbsdeurope.com and it was just as comfortable as
>> with Wim the years before.
>> However I haven't purchased 4.7 yet because the ordering involves too
>> much hassle.
>> openbsdeurope.com now requires you to create an account in order to
>> place an order, that's really annoying. On top of that the regex they
>> use to verify your e-mail address is flawed.
>
> We see it another way. When we used PayPal exclusively people purchased 
> and _then_ emailed us asking for an address change because they hadn't 
> bothered to update their PayPal information. 'On top of that' we had 
> people _not_ wanting to use PayPal but other various methods, bank 
> transfer, terminal etc etc...
>
> Please tell us how to win?

I didn't mean to sound rude. It's just that remembering yet another
password for an account I use once or twice a year is really annoying
especially when it could be easier. You could have a form where the
user can enter his address or alternatively hit a "use paypal address"
checkbox or something like that.
I like the KISS principle of the "SpongiForm" ordering system used on
openbsd.org.

> If you had emailed us we would have just taken your order via email and 
> allowed a PayPal payment... like many others have. I will make this 
> very, very clear from the home page.

I didn't know that this was an option. I'm not a big fan of PayPal
either, I had trouble with them in the past. The easiest for me would be
a payement by credit card but I don't know if you can handle that. If
you prefer PayPal it's fine, too.
I will drop you a mail shortly to place the order.

Best regards,
Jona

-- 
Worse is better
Richard P. Gabriel

Re: Ordering CDs in Europe becoming increasingly difficult

[Nicolas P. M. Legrand]

I've bought from the computer shop directly on three occasions, I get
the CDs in the right time and I didn't felt the shipping was that
expensive. In fact, I think it was quite the same.

I'm working near Eyrolles, and I didn't saw OpenBSD sets their for a
long time. Not far from Eyrolles, the excellent book shop le monde en
tique  sell them, but they receive them some
times after official release day.

Personnaly I'll keep buying from the Computer Shop. They are nice and
efficient.

cheers,

-- 
nicolas

On Thu, Jul 08, 2010 at 01:31:26PM +0200, Andri Braselmann wrote:
> On Thu, Jul 08, 2010 at 12:21:54PM +0100, John Wright wrote:
> 
> > > Ordering the CD sets just isn't as much fun anymore as it used to be.
> > 
> > I feel the same way. 
> 
> rrright. 
> 
> Andri 

Re: Ordering CDs in Europe becoming increasingly difficult

[OpenBSD Europe Orders]

Jona Joachim wrote:

Hi,
I've been buying every CD release over the last couple of years. I
purchased 4.6 from openbsdeurope.com and it was just as comfortable as
with Wim the years before.
However I haven't purchased 4.7 yet because the ordering involves too
much hassle.
openbsdeurope.com now requires you to create an account in order to
place an order, that's really annoying. On top of that the regex they
use to verify your e-mail address is flawed.


We see it another way. When we used PayPal exclusively people purchased 
and _then_ emailed us asking for an address change because they hadn't 
bothered to update their PayPal information. 'On top of that' we had 
people _not_ wanting to use PayPal but other various methods, bank 
transfer, terminal etc etc...


Please tell us how to win?

If you had emailed us we would have just taken your order via email and 
allowed a PayPal payment... like many others have. I will make this 
very, very clear from the home page.




I read http://www.openbsd.org/orders.html in order to find shops in
France (where I live) that carry the OpenBSD CD sets.
There are 2 listed:
- http://www.eyrolles.com/
   I couldn't find OpenBSD in their online shop.

- http://www.lmet.fr/
   They sell the CDs for 57 EUR compared to 38 EUR for openbsdeurope.com.


Indeed. If you do the maths you'll see what this means to us.


   They also want you to create an account.

I could order from the Computer Shop of Calgary but that would involve
big shipping costs.

Ordering the CD sets just isn't as much fun anymore as it used to be.

Best regards,
Jona

Re: Ordering CDs in Europe becoming increasingly difficult

[André Braselmann]

On Thu, Jul 08, 2010 at 12:21:54PM +0100, John Wright wrote:

> > Ordering the CD sets just isn't as much fun anymore as it used to be.
> 
> I feel the same way. 

rrright. 

Andri 

Re: Ordering CDs in Europe becoming increasingly difficult

[John Wright]

On Thu, Jul 08, 2010 at 10:56:38AM +, Jona Joachim wrote:
> Hi,
> I've been buying every CD release over the last couple of years. I
> purchased 4.6 from openbsdeurope.com and it was just as comfortable as
> with Wim the years before.
> However I haven't purchased 4.7 yet because the ordering involves too
> much hassle.
> openbsdeurope.com now requires you to create an account in order to
> place an order, that's really annoying. On top of that the regex they
> use to verify your e-mail address is flawed.
> 
> I read http://www.openbsd.org/orders.html in order to find shops in
> France (where I live) that carry the OpenBSD CD sets.
> There are 2 listed:
> - http://www.eyrolles.com/
>   I couldn't find OpenBSD in their online shop.
> 
> - http://www.lmet.fr/
>   They sell the CDs for 57 EUR compared to 38 EUR for openbsdeurope.com.
>   They also want you to create an account.
> 
> I could order from the Computer Shop of Calgary but that would involve
> big shipping costs.
> 
> Ordering the CD sets just isn't as much fun anymore as it used to be.

I feel the same way.  I've made sure to use
https://https.openbsd.org/cgi-bin/donations to make a donation because that
is still an easy thing to do.  I will have to make do with FTP for
installations from now on.