• We invite you to join UKWorkshop.
    Members can turn off viewing Ads!

Stiles & Bates

UKworkshop.co.uk

Help Support UKworkshop.co.uk:

Waka

Established Member
UKW Supporter
Joined
8 Mar 2004
Messages
4,489
Reaction score
7
Location
Weymouth
Good Morning All

been doing my usual browsing this morning looking for a Sorby Jig, managed to find what I wanted on the above web site.

Has anyone used their on-line shop before?

Waka
 

Waka

Established Member
UKW Supporter
Joined
8 Mar 2004
Messages
4,489
Reaction score
7
Location
Weymouth
Philly

Not sure I've copied the link correctly

Stiles & Bates, Woodturning, Woodturners, woodturning supplies, Record Power, Record Lathes, Robert Sorby, Chestnut Products, t.url>


Waka
 

Newbie_Neil

Established Member
Joined
27 Jul 2003
Messages
6,537
Reaction score
0
Location
Nottingham, England
Hi all

Copied from The List: -

"Stiles and Bates (9/5/04) - This was not a company I'd come across before as I am not into turning. The site is well presented and it seemed simple to find my way around. I was very impressed until I tried to place an order. I stopped using the site after I realised that my address details, email and telephone etc. were not being handled securely. Please note that the credit card details are handled securely.
I have received postings testifying to the good service that Stiles & Bates provide. This review is all about the experience of using a web site and also whether it securely handles your name and address as well as your credit card details. Sadly, imho, Stiles & Bates fail on the security issue.
Personally I would not buy anything from this site. Please see web site security which is further down the thread in The List."

http://www.stilesandbates.co.uk

Cheers
Neil
 

Johnboy

Established Member
Joined
22 Mar 2004
Messages
598
Reaction score
0
Location
Rochford, Essex
I have bought stuff from them, not on-line but by credit card over the phone. No problems, friendly knowledgeable sales staff and fast delivery.

John
 

Newbie_Neil

Established Member
Joined
27 Jul 2003
Messages
6,537
Reaction score
0
Location
Nottingham, England
Hi John

I should have copied this bit as well: -

PLEASE NOTE THAT THIS IS MY EXPERIENCE OF DEALING WITH A COMPANY VIA THEIR WEB SITE.
Dealing with them, in person or via the telephone, might be a totally different experience.


Apologies for the large type/colour but it came straight from The List.

Cheers
Neil
 

Waka

Established Member
UKW Supporter
Joined
8 Mar 2004
Messages
4,489
Reaction score
7
Location
Weymouth
Guys

Thanks for the advice, think I'll not use them over the web but try the phone approach.

Neil, did you ever explain to them about your concerns of ordering over the web? perhaps if they are aware of the security problem they may change.

Waka
 

Steve

Established Member
Joined
6 Nov 2002
Messages
166
Reaction score
0
Location
Welling, Kent
Mornin' All,
I can assure one n' all that the standards of security on the Stiles and Bates site are first class, and that fellow forumites need not have any worries whatsoever when purchasing through their site.
The name, address and order details are treated entirely seperately from the card details. Most companies lump them all together.
In the extremely unlikely event that their secure system was compromised, card details and all other details are together, meaning that the information can be used. If that happened on the S&B system, the information could not be used because the information is broken up.
Ironically, it is this 'heightened' security that has given rise to Neil's concerns!

There is absolutely no point whatsoever in encrypting names and addresses, since this information is already in the public domain. As we all know, every mobile phone company, two-bob timeshare outfit, double glazing firm and lord knows who else can already put their hands on our names, addresses, phone numbers, email addresses and a lot else besides. I can assure you that Stiles and Bates do not, would not and never have shared this information with any third party.

The credit/debit card details however are encrypted and stored separately on a secure server that meets international security standards AND that is independently certified by Thawte.
Very few woodworking sites can make that statement.

Also, Stiles and Bates are one of the very few woodworking sites that meet the legislation concerning selling via the web that came into force in December last year. Even some of the trusted major (and I mean MAJOR) names in woodworking have yet to meet these requirements.

Stiles and Bates do not charge your card until the day the stock is despatched! Those that know me from other threads will also know that I have suffered badly from firms charging my card, then letting me know they are out of stock. S&B simply don't do that!
Not only but also: the system used by Stiles and Bates DELETES THE DETAILS as soon as the transaction is processed. Most other companies retain these details.

I can speak with thorough knowledge of the Stiles and Bates site because my company built it for them, and we also provide the secure services that handle the (your!) card details.

Please be assured that you will go a long way before you find a company more honourable than S&B, and as their webmaster AND a woodworker, I can state that you can order through their site with complete confidence.
I do!

Steve
 

Alf

Established Member
Joined
22 Oct 2003
Messages
12,079
Reaction score
0
Location
Up the proverbial creek
Ermmm... speaking as someone who takes the trouble to be ex-directory, I'd sooner not have my address and number floating about the ether when, well, it seems it doesn't have to be. I don't know anything at all about this sort of thing, but is there any reason why those details couldn't be on a secure server?

Cheers, Alf
 

Steve

Established Member
Joined
6 Nov 2002
Messages
166
Reaction score
0
Location
Welling, Kent
Hi Alf,

I think you're confusing 'secure' with 'encrypted'.
The order details are secure - they are sent to a sever that is ringfenced and firewalled to the highest standards, and that is also monitored constantly. No one can get at 'em and they certainly aren't floating around the ether! Even the building in which the servers are housed is bomb-proof, and I kid you not.
The difference is that the details aren't encrypted or scrambled because there really is no point in doing so.
The main point is that the order details, names and address details and card details are all separated and can't be re-combined without the right code. To put it in perspective, your details are far, far more secure on the Stiles and Bates system than they are in your own home or wallet.
It's a matter of context!

Steve
 

Alf

Established Member
Joined
22 Oct 2003
Messages
12,079
Reaction score
0
Location
Up the proverbial creek
Ah, I see. I think. Told you I knew nothing about it. So when the "http" in the address line turns to "https" does that signify secure or encrypted? (Might as well try and learn something here... :roll: )

Cheers, Alf
 

Steve

Established Member
Joined
6 Nov 2002
Messages
166
Reaction score
0
Location
Welling, Kent
Hi Alf,

https stands for 'Hyper Text Transfer Protocol Secure' - and that tells you that any exchange of form-based information (eg anything you type in and submit) will be scrambled to hell, and re-constituted when it arrives on the server.

There are quite a few dodgy workarounds for this, some of which I have seen on British woodworking sites. You can only really be certain when the little padlock on your browser (bottom right) locks up, and/or when the site offers an independent security certificate from organisations such as Verisign or Thawte. The HTTPS should appear in the address bar on your browser - NOT on the web screen itself.

hope that's slightly less opaque than mud...

Steve
 

Newbie_Neil

Established Member
Joined
27 Jul 2003
Messages
6,537
Reaction score
0
Location
Nottingham, England
Hi Steve

As you know I'm very much in the Alf camp on this one.

Why is it that the transmission of the name and address details aren't handled securely? Does it add an extra layer of cost?

It seems strange that the rest of the web site is wonderful and just this one small part lets it down.

Cheers
Neil
 

mudman

Established Member
Joined
11 Feb 2004
Messages
881
Reaction score
0
Location
Trying to stay in one piece in South Wales
Just thought I'd go and have a look see for myself.
I had assumed that Steve was saying that the name and address details were still being entered via a secure server and that the credit card details were entered later and separately.
Going through a transaction, the name and address details are not entered via a secure server. I didn't go any further.
Now, you may be completely correct in that nobody can marry up the two sets of data again and so compromise the security of the credit card. However, what is possible is that people can steal your personal details and these can be used for completely different purposes.
As I said on a previous thread "I am paranoid, but am I paranoid enough?" Which means that I'm not entirely happy with my personal details not being on a secure server.
Other sites put the entire transaction on a secure server, is there any reason for not doing so here?
Another point to make is customers perceptions. You may know very well that all is okay and that no nasty person will ever be able to get hold of people's details. But, if the average user who only knows that he must never ever put any personal stuff into a web form without that little padlock being shut, can't see it, then he won't believe it to be secure and won't use it.
Anyway, that's my tuppence worth for what it's worth.
 

Steve

Established Member
Joined
6 Nov 2002
Messages
166
Reaction score
0
Location
Welling, Kent
Hi all,

I'm not sure how to explain this any further than I have already - but I'll have one last go if you'll bear with me...!

The name and address details go unencrypted on a highly protected commercial server that we'll call server A.
The card details go encrypted on a secure server with precisely the same protection as the commercial server. This we'll call server B.
The only differences are that the data on server B is encrypted, and the name element is not kept on server B.

Scenario A
You are a hacker who by some incredible stroke of luck or genius has managed to gain access to the server looking after Smiths & Chips Woodworking supplies, who use a single server.
After some work, you figure out how to use the software on that server to view the data held on it. All the customer details are there including card numbers, expiry dates, cardmember name and even the three digit security code on the back.
It's payday - bigtime.

Scenario B
You are a hacker who by some incredible stroke of luck or genius has managed to gain access to the server looking after Stiles and Bates, who use a server array.
After some work, you figure out how to use the software on that server to view the data held on it. SOME of the customer details are there - but they are incomplete and cannot be used. The three digit security number is NOT there, and the cardholder name is NOT there.
It has been a waste of time.

Further, there is no open email route to follow at all, because that is handled not just by another server, but by another service provider altogether.
This is arguably the most secure solution possible using 'everyday' web technology, and it was employed because Stiles and Bates insisted on the best for their customers.

You information is split up, sent to different servers using different routes and the sensitive data is encrypted. If anyone has seen a more secure solution, please let me know what it is because I would be delighted to learn about it!

The thing is that this should all be put in context. Your credit or debit cards details are many, many times safer on the web - even on a poor shopping site - than they are in your pocket, wallet, car, drawer or whatever.
This thread puts me in mind of troops in the trenches in WW1 worrying about whether the teaspoon is clean!

Steve
 

Newbie_Neil

Established Member
Joined
27 Jul 2003
Messages
6,537
Reaction score
0
Location
Nottingham, England
Hi Steve

I understand exactly what you are saying, but my question is why is the transmission of the name and address details not handled securely?

As I said in my previous post the rest of the site is excellent, but I would never recommend anyone order from a site that doesn't protect my name and address details.

Cheers
Neil
 

Pete W

Established Member
Joined
31 Jan 2004
Messages
911
Reaction score
0
Location
London UK
If you chaps will forgive an interruption from an innocent bystander...

Steve's view appears to be that the name and address details are handled securely because they're sent to secure servers. They are not, however, encrypted.

Neil's view appears to be that they can't be handled securely because they're not encrypted.

Perhaps you could agree to disagree?
 

Newbie_Neil

Established Member
Joined
27 Jul 2003
Messages
6,537
Reaction score
0
Location
Nottingham, England
Hi pete

Pete W":klnmuai2 said:
Perhaps you could agree to disagree?
Please forget about encryption, Steve and I both agree that the name and address details are not handled securely.

My question is when everything else is so secure, why don't they handle the name and address details securely.

The S&B site is one of the best that I have seen and I would just love to be able to give it a clean bill of health.

Cheers
Neil
 

Alf

Established Member
Joined
22 Oct 2003
Messages
12,079
Reaction score
0
Location
Up the proverbial creek
Newbie_Neil":sp1786i1 said:
Steve and I both agree that the name and address details are not handled securely.
I dunno, do you? I think Steve considers they're both handled securely enough while you (and I, if it come to that) wonder why the address can't be handled as securely as the card details... I think. Maybe. :?

Cheers, Alf
 
Top