While subscribing to Universal Sports' coverage of la Vuelta a España, I encountered a new low in web application security. Their e-commerce is conducted through a Silverlight object loaded from an unknown location on an unsecured page. However, they include an image of a gold padlock to put your mind at ease.

The average user wouldn't care, but I'm often interested to know who is receiving my credit card information. It turns out that the applet/object/movie/control (I don't know what Silverlight files are called) is loaded from universalsports.contentdirect.tv, which is owned by CSG Systems Inc. I'm tempted to fire up Charles and see what sort of obfuscation they use for security.

I would ordinarily create a single-use credit card using PayPal's Secure Card feature, but that's no longer an option. Maybe Google Checkout will step up to solve this problem.