<HTML>
<HEAD><TITLE>
User Help for the MiniVend Catalog
</title></head>
[body 1]
<IMG WIDTH=560 HEIGHT=9 SRC="eyes.gif" ALT="HELP">
<BR>
<P>
[[buttonbar 1]]
<P>
<H1>
<A NAME="toc">
Help for the MiniVend Catalog
</a>
</h1>
<HR SIZE=4>
<OL>
<LI>
<B><A HREF="#intro">Introduction to MiniVend</a></b>
<LI>
<B><A HREF="#search">Searching</a></b>
<LI>
<B><A HREF="#ordering">Ordering </a></b>
<LI>
<B><A HREF="#security">Security</a></b>
<LI>
<B><A HREF="#faq">Frequently Asked Questions</a></b>
</OL>
<A NAME="intro">
<STRONG>MiniVend</STRONG> is a full-featured electronic catalog system
(commonly known as a shopping cart) with online ordering capability and
support for SSL security.
</A>
<P>
<UL>
<LI>Users maintain a "shopping cart" for ordered items
<LI>Full support for SSL, with DES encryption of credit card
numbers on disk
<LI>Search capability
<LI>Full frames support
<LI>Works well with all browsers
<LI>Designed to be secure, runs with taint checking enabled
<LI>Built-in online help capability
<LI>Sales tax calculation (zip code and state)
<LI>Shipping calculation
<LI>Blank field checking
</UL>
<P>
<A NAME="search">
<HR SIZE=4></a>
<H2>Searching</h2><BR>
<P>
To search for an item, just select the category of item or
enter a search specification in the text area. Then click
<STRONG>Search</STRONG> to actually perform the search. Some
of the optional items are:
<DL>
<DT><B>Artist/Title:</b>
<DD>
This is where you enter the words you want to match for your
search. To limit your search, you might use more than one
word. For instance, entering "art" will match a large
number of items -- but "art nouveau" might get you closer
to what you want.
<DT><B>Matches per page:</b>
<DD>
Pull down menu to select the limit on how many matches you
want to display per page. If you entered just the letter <I>a</I>, you
would get hundreds of matches, and you might not want to
wait while it all went over the network. Default is 25.
<DT><B>Must match all</b>
<DD>
This is the default for searches. Any words you enter must
<I>all</i> be in the catalog entry for the item to match.
<DT><B>Match any</b>
<DD>
If you select this option, an item will be matched if <B>any</b> of
the words you entered are in the catalog entry.
<DT><B>Case sensitive</b>
<DD>
Check this box if you want upper and lower case to make a
difference. The default is to ignore the case.
<DT><B>Match exactly</b>
<DD>
If this is checked, the text you type in must match exactly (except
for upper/lower case). You can also get this behavior by enclosing
your search string in double quotes.
</dl>
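<P>
To make the search options concrete, here is an added Python example (not
MiniVend's own search code) that applies them to a small constructed catalog:
words are matched as substrings of the item description, "Must match all" and
"Match any" decide how several words combine, "Case sensitive" controls case
folding, and "Match exactly" (or a double-quoted string) treats the typed text
as one phrase. Treating an exact match as a phrase match rather than a
whole-field match is an assumption made here.

```python
# Added example, not MiniVend's own search code. CATALOG is a constructed
# sample: part number -> item description.
CATALOG = {
    "00-0011": "Art Nouveau poster, framed",
    "00-0012": "Modern Art Book",
    "00-0013": "Deco lamp, brass",
}

def parse_query(text):
    """Split the search specification into words. A string enclosed in double
    quotes is returned as a single phrase and forces exact matching."""
    text = text.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return [text[1:-1].strip()], True
    return text.split(), False

def matches(entry, query, match_all=True, case_sensitive=False, exact=False):
    """Apply the form's options to one catalog entry."""
    words, quoted = parse_query(query)
    words = [w for w in words if w]
    if not words:
        return False
    fold = (lambda s: s) if case_sensitive else str.lower
    haystack = fold(entry)
    if exact or quoted:
        # Match exactly: the typed text is one phrase, in the order given
        # (assumption: phrase match, with the case rule still applied).
        return fold(" ".join(words)) in haystack
    hits = [fold(w) in haystack for w in words]
    return all(hits) if match_all else any(hits)

def search(query, limit=25, **options):
    """Return up to `limit` matching part numbers (the Matches per page cap)."""
    found = [pn for pn, desc in CATALOG.items() if matches(desc, query, **options)]
    return found[:limit]

if __name__ == "__main__":
    print(search("art"))                          # both items containing "art"
    print(search("art nouveau"))                  # must match all (default)
    print(search("art nouveau", match_all=False)) # match any
    print(search("art", case_sensitive=True))     # catalog has only "Art"
    print(search('"nouveau art"'))                # quoted phrase, wrong order
```

Note that a single letter such as <I>a</I> matches every entry in this catalog,
which is exactly why the form caps the number of matches returned per page.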
<A NAME="ordering">
<HR SIZE=4></a>
[finish-order]
<P>
<H2>Order Form</h2>
The order form allows you to place an order via
email. To order, just mark the quantity in the supplied field
after you arrive (from pressing an ORDER button). The quantity
starts at 1; if you wish to order more, just enter
the number. The part number, item description, and list price are
also displayed, and the order total is calculated for you.
<P>
Please fill out the form completely enough so that we can identify you.
If we don't have a contact name and telephone number, we
cannot call you to confirm the order. The order will be submitted
if you fill out the form completely, or if you fill in your name, company
name, and a current account number. Place your P.O. number
in the supplied blank if needed.
<P>
If you see an indication that SSL security is being used (for Netscape,
that is an unbroken key in the lower left corner of the browser
window), then you can be assured that your credit card number or
other sensitive information is encrypted as it is sent over the
Internet. You must click on <STRONG>Use Order Security</STRONG> to
enable SSL encryption; if SSL is not in force, you will not be asked for
your credit card number. Note that the key icon only tells you the
connection is encrypted, not who is on the other end of it; the Security
section and the FAQ below explain how to check that.
<P>
The fields are:
<DL>
<DT><B>Your name</b>
<DD>Required field.
<DT><B>Company name</b>
<DD>This field is required unless you are ordering on a personal account.
<DT><B>Billing Address</b>
<DD>
Enter your complete billing address. If you want the item to
be shipped to another address, please use the separate form at the
bottom of the page.
<DT><B>City</b>
<DD>
Your city of residence.
<DT><B>State</b>
<DD>
Your two-letter state or province code.
<DT><B>Postal Code</b>
<DD>AKA ZIP code. Optional if you have an account.
<DT><B>Country</b>
<DD>
If outside the USA.
<DT><B>Email Address</b>
<DD>
Enter an email address if you desire emailed confirmation.
Your credit card number will <I>never</I> be sent by email, even
on our local network.
<DT><B>Daytime phone number</b>
<DD>
Needed for a phone confirmation.
<DT><B>Nighttime phone number</b>
<DD>
Helpful if we can't reach you at the other number.
<DT><B>FAX number</b>
<DD>
Needed for a FAXed confirmation.
</dl>
<A NAME="security">
[finish-order]
<HR SIZE=4>
<H2>Security</H2></A>
MiniVend is designed to <I>securely</I> transmit your information
via SSL or SHTTP. Examine the browser status indication, and if
you see an indication that this transaction is <STRONG>secure</STRONG>
(on Netscape it is an unbroken key in the lower left-hand corner), you
can be assured that your vital information is encrypted as it travels
over the Internet.
<P>
How do you know it is secure? See the
WWW Security FAQ
or [pagetarget help/sec_faq _self__secure]our own FAQ[/pagetarget]
and decide whether you are comfortable with leaving your credit card
number.
<P>
That being said, please feel free to leave your account information
below. Your credit card number, if you decide to leave it, will only
be used to process your order, and will not be sent by email, even
on our local machine. It will be <B>encrypted</B>, only read by our order entry
software, and then wiped from the disk file as soon as that is done.
<A NAME="faq">
<HR SIZE=4>
[finish-order]
<H2>Frequently Asked Questions</H2></A>
<B>Q:</B> <I>How secure is the encryption used by SSL?</I>
<P>
SSL uses public-key encryption to exchange a session key between the
client and server; this session key is used to encrypt the http
transaction (both request and response). Each transaction uses a
different session key so that if someone manages to decrypt a
transaction, that does not mean that they've found the server's secret
key; if they want to decrypt another transaction, they'll need to spend
as much time and effort on the second transaction as they did on the
first.
<P>
Netscape servers and browsers do encryption using either a 40-bit secret
key or a 128-bit secret key. Many people feel that using a 40-bit key is
insecure because it's vulnerable to a "brute force" attack (trying each
of the 2^40 possible keys until you find the one that decrypts the
message). Using a 128-bit key eliminates this problem because there are
2^128 instead of 2^40 possible keys. Unfortunately, most Netscape users
have browsers that support only 40-bit secret keys. This is because of
legal restrictions on the encryption software that can be exported from
the United States. (The Federal Government has recently modified this
policy following the well-publicized cracking of a Netscape message
encrypted using a 40-bit key. Expect this situation to change.) <P>
In Netscape you can tell what kind of encryption is in use for a particular
document by looking at the "Document Information" screen accessible
from the File menu. The little key in the lower left-hand corner of the
Netscape window also indicates this information. A solid key with two
teeth means 128-bit encryption, a solid key with one tooth means 40-bit
encryption, and a broken key means no encryption. Even if your browser
supports 128-bit encryption, it may use 40-bit encryption when talking
to older Netscape servers or Netscape servers outside the U.S. and
Canada.
<P>
<HR>
<B>Q:</B> <I>My Netscape browser is displaying a form for ordering merchandise
from a department store that I trust. The little key at the lower
left-hand corner of the Netscape window is solid and
has two teeth. This means I can safely submit my
credit card number, right?</I>
<P>
Not quite. A solid key with two teeth indicates that SSL is
being used with a 128-bit secret key and that the remote host holds a
valid server certificate signed by some authority that
Netscape recognizes. At this point, however, you don't know who that
certificate belongs to. It's possible that someone has bought or stolen
a server certificate and then diverted network traffic destined for the
department store by subverting a router somewhere between you and the
store. The only way to make sure that you're talking to the company you
think you're talking to is to open the "Document Information" window
(from the File menu) and examine the server certificate. If the host and
organization names that appear there match the company you expect, then
you're probably safe to submit the form. If something unexpected appears
there (like "Embezzlers R Us"), you might want to call the department
store's 800 number instead.
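<P>
The check described above, done by eye in the browser, can also be written
down. The following Python is an added example, not MiniVend code and not
from this page's source: it takes a certificate in the dictionary layout that
Python's <B>ssl.SSLSocket.getpeercert()</B> returns (the certificate here is
constructed, not a real one) and confirms that both the host name and the
organization name are the ones the shopper expects. The wildcard rule (a
single <B>*</B>, standing for exactly one leftmost label) follows RFC 6125.

```python
# Added example (not MiniVend code). Certificate dicts follow the layout of
# ssl.SSLSocket.getpeercert(); EXAMPLE_CERT below is constructed, not real.

EXAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Department Store"),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}

def subject_field(cert, key):
    """Return the first value of `key` in the certificate subject, or None."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None

def dns_name_matches(pattern, host):
    """RFC 6125-style comparison: exact match, or a single '*' standing for
    exactly one leftmost label (so '*.example.net' covers 'shop.example.net'
    but not 'example.net' or 'a.b.example.net')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False

def names_match(cert, expected_host, expected_org):
    """Check both things the FAQ answer says to look at: the host name and
    the organization. Returns (ok, reason)."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        # Older certificates carried the host only in the subject commonName.
        cn = subject_field(cert, "commonName")
        dns_names = [cn] if cn else []
    if not any(dns_name_matches(n, expected_host) for n in dns_names):
        return False, "host %r is not named in the certificate %r" % (expected_host, dns_names)
    org = subject_field(cert, "organizationName")
    if org != expected_org:
        return False, "certificate belongs to %r, not %r" % (org, expected_org)
    return True, "certificate names %s, %s" % (expected_host, org)

if __name__ == "__main__":
    for host, org in [("www.example.com", "Example Department Store"),
                      ("www.example.com", "Embezzlers R Us"),
                      ("www.evil.example", "Example Department Store")]:
        print(host, org, names_match(EXAMPLE_CERT, host, org))
```

A modern Python client gets the host-name half of this for free when its
context comes from <B>ssl.create_default_context()</B>, which enables
<B>check_hostname</B>; the organization half is the part a plain host-name
check does not cover, which is why the answer above tells you to read the
certificate yourself.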
<HR>
<B>Q:</B> <I>Yes, all that is fine, but what about your software? Won't
the number stick around on the disk forever?</I>
<P>
The SSL encryption will take care of network transmission. But we
don't want to make it easy for just anybody, even those with access
to our system, to view your number. The number is encrypted before
ever being written to a file.
<P>
First of all, after you enter your number, it is kept in memory only
until it is encrypted. At that time, it is scrubbed from the program's
memory. The now-encrypted card number (encrypted under a password known
only to our order entry personnel) is then written to a file with
permissions set so that only the program can read it.
<P>
And the program will never send even the encrypted number via
the network, only write it to disk.
<P>
This behavior will be followed by the MiniVend program as long as
the number is placed in a field named <B>credit_card_no</B> -- you can
view the source of the order form to ensure that. Your expiration
date is also encrypted.
<P>
After the number is written, if you actually place the order, the order
information will be kept in that file only until we process your order with
our ordering system, usually the same or next business day. At that time
the encrypted number is overwritten with meaningless data, to make sure it is
wiped from the disk, and then the order information is deleted.
<P>
If you have entered your credit card number and decide <I>not</I> to
submit your order, the <I>encrypted</I> number will remain on disk for
no more than one day. At that time, the sessions on the system that are
older than one day will be expired, after any encrypted
<B>credit_card_no</B> fields are overwritten with meaningless data, and
removed from the session database.
<P>
If you wish, you can press the button on the order form which is labeled
<B>CANCEL</B>, and the encrypted information will be wiped immediately.
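<P>
As an added illustration of the lifecycle described in the last few
paragraphs (not MiniVend's own code, and not taken from this page), the
Python below keeps session records as files created with mode 0600,
overwrites the <B>credit_card_no</B> and <B>credit_card_exp</B> values with
random data of the same length before a file is removed, expires sessions
older than one day, and wipes a session immediately on CANCEL. The values it
stores are placeholder ciphertext; how the number is encrypted is outside
this example. The field name <B>credit_card_exp</B>, the one-day limit as a
constant, and the JSON file format are assumptions made for the example.

```python
# Added example, not MiniVend code. Session files are JSON; card fields hold
# placeholder ciphertext (the cipher itself is out of scope here).
import json
import os
import secrets
import stat
import tempfile
import time

ONE_DAY = 24 * 60 * 60                       # assumed expiry limit
WIPE_FIELDS = ("credit_card_no", "credit_card_exp")  # credit_card_exp is assumed

def write_session(session_dir, session_id, fields, now):
    """Create the session file readable and writable by the catalog's own
    user only (mode 0600 at creation, so there is no window with wider
    permissions), and flush it to disk."""
    path = os.path.join(session_dir, session_id)
    record = {"mtime": now, "fields": fields}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(record, f)
        f.flush()
        os.fsync(f.fileno())
    return path

def wipe_card_fields(path):
    """Overwrite the encrypted card fields in place with random data of the
    same length, flush, then delete the file. Returns the number of fields
    wiped. Caveat: on journaling or copy-on-write file systems and on flash
    storage the old blocks may survive an in-place overwrite, so the
    encryption, not this overwrite, is the protection that always holds."""
    with open(path, "r+") as f:
        record = json.load(f)
        fields = record["fields"]
        wiped = 0
        for key in WIPE_FIELDS:
            if key in fields:
                n = len(fields[key])
                fields[key] = secrets.token_hex(n)[:n]
                wiped += 1
        f.seek(0)
        json.dump(record, f)
        f.truncate()
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return wiped

def expire_sessions(session_dir, now, max_age=ONE_DAY):
    """Wipe and remove every session idle for longer than max_age.
    Returns the expired session ids."""
    expired = []
    for name in sorted(os.listdir(session_dir)):
        path = os.path.join(session_dir, name)
        with open(path) as f:
            record = json.load(f)
        if now - record["mtime"] > max_age:
            wipe_card_fields(path)
            expired.append(name)
    return expired

def cancel_session(session_dir, session_id):
    """The CANCEL button: wipe the session right away."""
    return wipe_card_fields(os.path.join(session_dir, session_id))

def demo():
    """Stand-alone run in a temporary directory with two constructed sessions.
    Returns (file_mode_ok, expired_ids, fields_wiped_on_cancel, remaining)."""
    now = time.time()
    d = tempfile.mkdtemp()
    old = write_session(d, "old", {"name": "A. Shopper",
                                   "credit_card_no": "ENC:c3VwZXJzZWNyZXQ=",
                                   "credit_card_exp": "ENC:MTIvOTk="},
                        now - 2 * ONE_DAY)
    mode_ok = (stat.S_IMODE(os.stat(old).st_mode) & 0o077) == 0
    write_session(d, "new", {"name": "B. Shopper",
                             "credit_card_no": "ENC:YW5vdGhlcg=="}, now)
    expired = expire_sessions(d, now)      # "old" is past the one-day limit
    cancelled = cancel_session(d, "new")   # shopper pressed CANCEL
    remaining = sorted(os.listdir(d))
    os.rmdir(d)
    return mode_ok, expired, cancelled, remaining

if __name__ == "__main__":
    print(demo())
```

The overwrite-then-delete step is what the help text describes and is worth
keeping, but because of the file-system caveat in the code comment it should
be treated as a second line of defence behind the encryption, not the first.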
<P>
If you would like more details, please send mail to the
<A HREF="mailto:webmaster">webmaster</A>.
<P ALIGN=CENTER>
[buttonbar 0]
</body>
</html>