Called Lunarpages Sales, and they insist I need to a certificate(which is expensive).

Called EasyCGI Sales, and they insist I do not need a certificate. All they say I need is to use their "Shared SSL."

To clarify for you WHT people, all that is needed is to send Credit Card # and Expiration Date using a secure HTML form to an email address.

We do not have any interest in processing/collecting payment online, as in this case it is easier to handle in our office doing it manually.

Thank you. Hopefully I can get a solid answer and confirmation from at least a couple posters.

Trying to avoid having to cancel a host after signing up by clearing this up beforehand. :)

Are you sending these cc#'s in an excrypted form through email? It soesn't matter if the data is collected on a secure form, email is still wide open if not encrypted.

I realize this is a bit of a double standard. This is actually for a someone I'm setting up web design for. I explained the obvious email vulnerabilities to them, but their response hasn't changed. All they care about is seeing the little bright lock in their browser window saying it is secure :) Personally I realize this is a false sense of security, but...

Thanks for getting back to me. So does this need a certificate?

Originally posted by iGabe
...This is actually for a someone I'm setting up web design for. I explained the obvious email vulnerabilities to them, but their response hasn't changed.

As a web designer and presumed upstanding member of the Internet community, do you feel any sort of responsibility about this sort of thing?

If your client's customers think their cc# is secure, is it appropriate from a moral point of view for you to allow it to be sent in the clear?

If your client is nailed by Visa for doing this ($100,000 USD per occurance for a first offence) what would your liability be?

I read my response again, and I realize that this doesn't make me out to be a very good and ethical designer here.

I am going to call them right now and emphasize this and post after I talk with them. Thank you Sightz for beating this into my head.. I appreciate it.

Also I actually didn't even think that Visa would nail them for this.. their site was designed by someone else and right now the form info is sent with the simple "mailto:" tag. Crazy. Anway, they might not be happy to hear this, but better late than never.

Here's Visa's Cardholder Information Security Program page for them to read. Scary. (although I was wrong, it's only $50K for a first offense).

http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html

You should never send any CC information by e-mail.

If you need such informations, you should have a database or something connected to that form your going to use.

And ofcourse you should encrypt this type of info in your database.

If you use a shared SSL or you buy your own, thats not so important, both will work for you, but I thin with the shared SSL you will not be able to hold your visitors on your domain ? I don't know, if so then some cc users will maybe not trust that form if they are redirected to another domain.

:)

Current idea, courtesy of "Ralph" of DreamHost.com's Support team, is to use soupermail.sourceforge.net to encrypt the form using PGP and then set up the email client with the key to decode the information. Brilliant idea.

Once I get a hold of my client(tried calling, not there right now) I'll explain her options. Certifcate or PGP or etc. Thanks again you guys for your help.

And yes Trinitron you're right about the shared SSL needing to be on different domain.

Look forward to me posting again once I get a hold of my client.

Cheers.

Well you do need the SSL on the website. The SSL will encrypt the data between the browser & the server. This will also help the user to see the data is being encrpyted.

Ask them to email you their credit card number? Will they? Chances are very likely they will not.

I think ev1servers was offering certificates for US$4.95, that should be within budget :D

Not to sound rude Corey, but at the moment client is still getting orders using a form that submits data with an archaic "mailto:" tag. So to answer your question, yes, they apparently will and they do submit CC info over email ;-)

Now, obviously this is very very bad and I am still trying to get a hold of them a.s.a.p.(probably won't talk until after weekend considering they didn't seem to be available today).

And I just checked out the ev1 offer. Thanks Brianoz. A little hesitant over browser incompatibility though.. I'll ask client for web site stats to see how many of her visitors use older browsers. If not too many, I'll propose the idea.

Okay, so... like... here's a scary thought: You've got a little time on your hands one day and you decide to peruse the fora here at WebHostingTalk, and you happen across this thread (the one you're reading right now). Realizing that other participants herein have got it handled and will, no doubt, get iGabe all squared away sooner or later, you decide not to comment and you simply shake your head in disbelief and move on.

A few hours later you stumble across a web site that's selling something you want and have been meaning to buy for some time now, and so you enthusiastically key-in your credit card data and effect the purchase. A small, satisfied grin comes across your face as you click on the "Submit" button and think to yourself, "Man, am I glad I finally took a moment to do that! I've been meaning to get one of those things, and now I'll finally have one arriving by UPS in just a matter of days;" but then no sooner does that happy thought waft through your brain when, suddenly, it is summarily squashed in an instant as you happen to notice the words, at the very bottom of each and every page of the site from which you just made your purchase, "Site Design by iGabe."

Picture it.

Kinda' slams your a__hole shut just to think about it, doesn't it?

Stop cutting corners, iGabe -- or at least proposing various ways to do so. The stakes are too high. Do it right, or don't do it at all! This is a fiduciary (http://www.google.com/search?hl=en&q=define%3Afiduciary) responsibility you're taking-on by building this site and daring to handle credit card data. There ain't no pussy-footin' around allowed in this highly sensitive area. Make your client understand that there's only one proper, ethical, and truly secure way you'll do this and if that's not acceptable then your client needs to find another designer (who can then come back here and start another thread like this and be given the exact same advice).

Posted by iGabe:
...at the moment client is still getting orders using a form that submits data with an archaic "mailto:" tag. So to answer your question, yes, they apparently will and they do submit CC info over email ;-)

Now, obviously this is very very bad and I am still trying to get a hold of them a.s.a.p.(probably won't talk until after weekend considering they didn't seem to be available today).
Umm... well... in the meantime, could you provide the site's URL here so we can all set up packet sniffers on it? Some of us need a few extra credit card numbers we can use for fraudulent purchases this weekend... and this sounds just perfect!


:rolleyes:

First: I don't know what site you're surfing, but no ecommerce site I've ever designed has had the words "Site Designed by iGabe" ..that's not my company, so stop it.
---------------

I don't really understand why you've decided to slander me. I made it very clear that the current site with the crazy "mailto:" problem was not done by me or anyone I know. I met this client earlier this week for the first time. She's had the site up for at least 2 years(well, says Copyright 2002 so that's my guess) before this.

This client came to my web design company asking us to update some content. I casually surfed around her site(as I do with all new web design client asking for a redesign) and discovered the mailto: vulnerability and explained it's failures to her.

Being a generally good person, I did my best to explain why it is bad. She then said she doesn't want a merchant account(or Paypal etc). She insisted very clearly on receiving it by email and processing everything manually as they always have done.

Being she is a client, I said 'Yes, sure' and went about trying to figure out how to do it securely per her request. That's when I called various hosts asking for help, and then started this thread.

Before this, I had only set up sites with Paypal and other merchant services, so when my client asked to just have SSL, none of what I've learned in this thread occurred to me.

Now why you've decided to mock me for going on WHT for trying to learn more about securing a site is beyond me.

I came here to learn. Got very useful answers which I thanked the previous posters for. Told everyone I was going to talk with my client and explain everything a.s.a.p. then post what happens.

Then DesElms decides he wants to scream and mock me

Originally posted by iGabe
First: I don't know what site you're surfing, but no ecommerce site I've ever designed has had the words "Site Designed by iGabe" ..that's not my company, so stop it. I don't really understand why you've decided to slander me.No one is slandering you, iGabe, so calm down. I was only trying -- using sarcasm -- to make some points. Take a giant step back from it all and try to see the bigger picture that I was proffering.

Oh... and by the way: It's "slander" only when it's spoken. When it's written, it's "libel." And nothing I've written here is libelous -- or even insulting, if you take it as I intended it -- so get a grip.

Originally posted by iGabe
I made it very clear that the current site with the crazy "mailto:" problem was not done by me or anyone I know. Understood. I'm merely trying to put an end (or to suggest, strongly and via the sarcasm vehicle, that there be an end) to all this useless chatter about doing it by any means other than the absolutely correct way. That was my point... nothing more.

Originally posted by iGabe
Being a generally good person, I did my best to explain why it is bad. She then said she doesn't want a merchant account(or Paypal etc). She insisted very clearly on receiving it by email and processing everything manually as they always have done.Okay, now it's your turn to stop it. Your thread-starting post speaks for itself. Res ipsa loquitur. You came here trying to find a way around what everyone told you was the only right way to do it; and at one point you even admitted, and I quote: "...and I realize that this doesn't make me out to be a very good and ethical designer here."

Originally posted by iGabe
...I said 'Yes, sure' and went about trying to figure out how to do it securely per her request. That's when I called various hosts asking for help, and then started this thread.That's terrific. Hopefully you're learning something from it. But in the meantime, please pardon those of us with zero-tolerance for security nightmares waiting to happen; and for talk of constructs -- even in the hypothetical -- which virtually ensure that someone's privacy will be compromised or, worse, financial situation will be damaged. People who have never actually been hurt by credit card fraudsters are often very cavalier about the possibilities and forget about the real human costs.

Originally posted by iGabe
Now why you've decided to mock me for going on WHT for trying to learn more about securing a site is beyond me.Again, I was merely, through the effective vehicle of sarcasm, trying to point out the folly of all options other than the only right way to do it; to try to help bring your search to its rightful end so you can just go out and do it and stop exploring options that, if you are left with the misimpression that they are okay, you may implement and then, hopefully only inadvertently, hurt people.

And, anyway, it was sarcasm. It was even labeled as sarcasm. And it really shouldn't have taken a terribly sophisticated sense of humor to understand it. But, then again, who knows.

Originally posted by iGabe
I came here to learn. Got very useful answers which I thanked the previous posters for. Told everyone I was going to talk with my client and explain everything a.s.a.p. then post what happens.I cannot tell you how happy that makes me. Now, in addition, perhaps you realize how really important it is to walk the straight-and-narrow with these sorts of issues and not fool around too much -- at least not until you're somewhat more expert at least with what already works -- with creative alternatives.

Originally posted by iGabe
Then DesElms decides he wants to scream and mock me I say, again: Get a grip. Step back and try to see it for what it was, not what you seem to think it was. No harm was intended. Getting your attention -- big time -- was intended. But no harm. Try to see that... and try to get the message that I, too, am trying to convey to you so that you may learn from it as well.

Good luck to you. Let's not turn this into an argument. Get a thicker skin. You sound young. If so, trust me: Many more moments like this lie in your future. Learn to see them for what they are, not what they aren't, and return volley appropriately. You'll go far!

Yea it's Friday night and this may not be the best time to post :-) I replied a bit fast.. saw red and replied without fully taking in what you wrote. Forgive me ;)

Originally posted by DesElms You came here trying to find a way around what everyone told you was the only right way to do

Actually EasyCGI said I have nothing to worry about. Instructed me to sign up for basic plan right away. Guy on phone told me Shared SSL was all I need ;) That's why I believe I originally posted. Was getting confused because 3 different companies were telling me 3 different things and so I looked to WHT for the final answer :)

Anyway... have a nice night... I need to get out.. :stickout:

edit: Slightly worried EasyCGI might get offended. In 20/20 hindsight I may not have explained clearly enough what I was needing -- so their answer might have actually been good and honest.

Originally posted by DesElms
Veritas nihil veretur nisi abscondi.
Veritas nimium altercando amittitur.[/B]
From 'the rules' (http://www.webhostingtalk.com/misc.php?s=&action=forum-rules)
"All publicly displayed messages are limited to the English language. This includes posts, titles, signatures, as well as any attachments or other forms of public display."

Actually, to be realistic about it, it used to be very common for an SSL frontend to simply email credit card order info to the merchant for manual fulfilment, and I'd say it still is very common.

It amuses me that discussion of credit card security often centres around SSL certificates, when in reality that actually helps very little. The worst sin to commit with credit card information is to store it, even in an incoming mailbox. That's where it's most likely a crook will grab it.

To be realistic, credit card numbers are VERY VERY unlikely to be sniffed over the internet. Now that switching technology is used everywhere and creates a private virtual circuit between a host on a segment and a router, it's become almost impossible to sniff a connection, and it's actually way, way more likely that a hacker would compromise a host and insert a sniffer in the program flow so that it gathered credit card numbers, there's little that can be done to intercept plain text credit card packets over the internet. However, public perception is that the little padlock means everything is safe. So go with public perception, for $4.95 you can't go wrong (I beleive that cert will work with most, if not all, modern browsers, despite the low price tag, anyone who knows for sure feel free to jump in!) - and of course, there is a little extra security afforded by the encrypted communication and that's worth it.

Note: the point here is that SSL actually provides little protection despite the user perception - not that SSL shouldn't be used, of course it should. However, the real safety is in how the data is protected at both endpoints, and often we don't serve ourselves well because we beleive that SSL will protect all and thus ignore what we do with the CC info when we get it!! So for instance, not storing credit card numbers unencrypted is a major objective, and the idea above of using PGP based email would work really well for that!

:)

Originally posted by sightz
From 'the rules' (http://www.webhostingtalk.com/misc.php?s=&action=forum-rules)
"All publicly displayed messages are limited to the English language. This includes posts, titles, signatures, as well as any attachments or other forms of public display." You forgot my use of "Res ipsa loquitur" in one of my posts, here, too. Are you suggesting that one may not use time-worn sayings in LATIN -- a dormant language so important to English that until not too many years ago it was virtually impossible to graduate even from high school without having taken at least a little of it?

In Latin: Veritas nihil veretur nisi abscondi.
In English: Truth fears nothing but concealment.

In Latin: Veritas nimium altercando amittitur.
In English: By too much altercation truth is lost.

I have been posting here for nearly four years -- a veritable eternity in Internet terms; and long enough ago to remember what these forums were like before small-minded, officious knuckleheads began silencing those with whom they do not agree by repeated, unnecessary and inappropriate citing of "the rules."

Those two Latin maxims -- among the most common and traditional of legal phrases used routinely in everyday ENGLISH speech and writing; and sage wisdom, both of them -- have been in my signature for nearly four years.

My posts have always been informative, helpful and not abusive (but, at the same time, never suffering of fools).

You and I both know that the rules to which you refer were intended to keep these fora, generally, in English; to keep entire conversations (or at least substantially most of a conversation) from happening here in any language other than English so that every reader can understand it and learn from it.

The rules to which you refer were not intended to rob the English language of commonly-used words and phrases that just happen to have non-English historical roots...

...or would you like me to list here a few hundred words and phrases that you, yourself, use everyday and have used in these very fora which come directly from non-English languages and remain in their non-English state even when used in common English speech and writing?

Sometimes the officious take things too far. This is clearly one of them. Sometimes a thing is just too ridiculous to be considered. Your assertion that this forum's rules prohibit my perfectly reasonable signature which no one before you, and at this moment, has ever questioned here before -- including every single moderator, who clearly had no problem with it -- is just such ridiculousness.

In Latin: Res ipsa loquitur.
In English: The thing speaks for itself.

If the moderators here would apply the rule you have cited to stop even the use of time-worn and respected Latin phrases in appropriate ways both in the body of postings as well as in signatures, then someone around here just doesn't get it...

...and, if so, then I'll be more than happy to make this my last posting in a forum that, until this moment, had my utmost respect and has always been treated by thusly; but if such rules as that which you have cited are to now begin to rule this place, then this forum clearly has no respect for its members.

:angry:

Gregg - "Nil Carborundum Illegitimum" :)

Originally posted by brianoz
Gregg - "Nil Carborundum Illegitimum" :) I think you meant, "Nil Carborundum Illegitimus," no? (Tenses sometimes throw me.)

And by the way, I agree with everything you wrote earlier about the efficacy of SSL versus the whole business of storing credit card data and the real dangers of that! Good post.

And, oh, for sightz's benefit:In Latin: Nil Carborundum Illegitimus.
In English: Don't let the bastards get you down.And, no, brianoz, I'll try not to. Thanks.

Originally posted by iGabe
Not to sound rude Corey, but at the moment client is still getting orders using a form that submits data with an archaic "mailto:" tag. So to answer your question, yes, they apparently will and they do submit CC info over email ;-)
It does not sound rude at all, but actually what they request their customers to do & what they do - are two different things actually. I have ran into this a few times. They think it is OK to receive credit card numbers via e-mail, but the owner would never send credit card numbers.

Plus they are opening themselves up to lawsuits from every consumer and possible potential customer.

Originally posted by brianoz
, and the idea above of using PGP based email would work really well for that!

Good points Branoz. Honestly I think my client is a good person who just wants to stick to what she knows. If I could secure everything with PGP and let her continue to have direct form-to-email, I think she would be very happy. Any security/ethical reasons that I should sway her to away from PGP vs a certificate(Starter SSL for example)?

StarterSSL obviously has it's limitations. A lock symbol in the browser bar is nice, but as you've said, isn't everything. PGP looks like a very interesting option.


And to Corey.. It's possible I'm giving my client too much credit here, but I really do believe they aren't too aware of how their site works. Their previous designer set up a working site which looked great, and they had no reason to suspect there was anything to worry about.

IMHO just one of those types of clients who has run a brick-and-mortar biz for years and has no idea what working on the internet really involves. The first time I talked on the phone with her, I brought up the idea of accepting payments directly online(e.g. PayPal) and she showed absolutely no interest. I think she thinks it is too complicated.

I'm hoping the $50k Visa fine link Sightz gave me earlier puts things in perspective for my client. Threat of lawsuits, etc is pretty scarry. Not intending to seriously frighten her, but it should help.

Thanks again.

iGabe, I'd use BOTH a certificate AND pgp encrypted email. The certificate isn't expensive (Comodo.com has them for US$66, ev1servers for US$5). The certificate will keep her customers happy (ie: LOOKING like it's secure!) and the PGP will act as the REAL security by keeping the credit card info in her email safe, so a thief can't steal it as they won't have the password.

Behind the scenes she can still use to form-to-email, with the minor variation that it'll be form-to-encrypted-email now.

Thunderbird does secure email out of the box I think? (And it's free, www.getthunderbird.com).

Good thinking. Feel considerably more confident in what needs to be done thanks to your help.

PGP + Certificate sounds great.

Big fan of Thunderbird. Will advise them to use it too if they aren't already :)

Originally posted by DesElms
You forgot my use of "Res ipsa loquitur" in one of my posts, here, too. Are you suggesting that one may not use time-worn sayings in LATIN -- a dormant language so important to English that until not too many years ago it was virtually impossible to graduate even from high school without having taken at least a little of it?

Wow. I've never been called 'officious' before :D

You took a number of cheap shots at a designer who had the courage to ask questions about something about which he was unclear. He had the further courage to agree to act upon our advice.

I thought I would quote the rules to show that you, with your high-falutin' dead language, were not perfect either.

Being one of a younger generation (if your 30's is young) that was never subjected to learning your 'dormant' language, I found your abuse of the forum's rules annoying.

For all I knew, you could have been calling me a scoundrel, wastrel or profligate. :)

Originally posted by sightz
Wow. I've never been called 'officious' before :DAnd "small-minded" and a "knucklehead," too. Don't forget those. But I was angry then and I'm not now so I no longer think you're any of those things. Hey... my mom was right: Time really does heal all wounds.

Originally posted by sightz
You took a number of cheap shots at a designer who had the courage to ask questions about something about which he was unclear. He had the further courage to agree to act upon our advice.Sarcasm, when it's done intelligently and not in some sort of "street" fashion; and when in the hands of someone who knows how to use (and not abuse) it, is a potent tool that has the power to bring any discussion to precisely the place it needs to be... and in a big hurry. When that tool is employed appropriately, as it was here -- as even its target would now appear to agree -- it is a far cry from "cheap shots." But then that brings us back to the whole "sophisticated sense of humor" thing again, doesn't it?

Originally posted by sightz
I thought I would quote the rules to show that you, with your high-falutin' dead language, were not perfect either.I said "dormant," not "dead." If it were a dead language we'd have to remove a huge percentage of your vocabulary and you'd be left with grunting and sign language just to ask for your breakfast.

And "high-falutin'?" That's funny. My dictionary doesn't list "high-falutin'" as a synonym for "educated." Maybe it's out of date.

As for perfection, is it your posit, then, that anyone who takes issue with another's perspective or viewpoint by definition proffers himself as "perfect?" I don't see the connection. And if there were a connection, in this case, at least my imperfection wouldn't actually hurt people like iGabe's would have had he not allowed this thread to advise him in the right thing to do (which it now appears he has done... and to his credit). You got so worked-up about my form that you all-but-ignored the content. Everything in life is a trade off. You should be a diplomat.

But notwithstanding that I don't see the connection, as outlined in the preceding paragraph, what I do see -- and by your own admission, here -- is that you did precisely what I wrote, earlier, that you were doing: Using "the rules" as a weapon (because it was easy) to go after my signature when, in fact, it was what I was saying and/or how I was saying it that you didn't like... which had nothing to do with my signature. And, if so, then I must tell you, sir: That's just plain cowardly. It's the sort of thing politicians and dirty trickster Republicans do. Stand-up and complain about George Bush and watch yourself end-up on an IRS audit list the following year... that sort of thing. If you have a problem with a man's words, then have the courage to make that the object of your criticism, not the color of his tie. Doing it the way you did it is the moral equivalent of shooting a man in the back in the old West. It has no honor. I would add "shame on you," but this transgression on your part, however irritated with it though I may be, simply doesn't rise to that particular castigation. But I think you get the point.

Originally posted by sightz
Being one of a younger generation (if your 30's is young)...I'm 48. But I look 58. And I feel 68. And I've got the equivalent attendance at the school of hard-knocks of one who's 78. So I figure that somewhere in there I get to call someone in their 30's "young" on at least some level -- even if the only reason is that I'm unapologetically jealous and I'd just about kill to be in my 30's, like you, again. The only comfort, if any, that I can take in any of it is the knowledge that you, too, will feel this way some day. But I digress.

Originally posted by sightz
...that was never subjected to learning your 'dormant' language,Okay... well... now I'm just confused. A minute ago you said it was "dead."

Originally posted by sightz
I found your abuse of the forum's rules annoying.Okay, stop right there, Sparky. Let's get at least one thing painfully straight, here: I did not abuse this forum's rules... nor am I now (no matter how tempted I may be to do so). That was your wholly inaccurate and retributively-motivated characterization. It was an extreme and, yes, officious nitpick citing the rules's non-English prohibition when even you knew in your heart that to do so was going too far, and was attempting to employ said rules for a purpose for which any reasonable person would agree they were never intended.

The problem, by your own admission, here, was not that my signature bothered you. I dare say it still doesn't -- especially now that you know its sage wisdom. Rather, it was that you were ticked-off about what I was saying and/or how I was saying it and you didn't know how to engage me head-on in a debate that had honor by its having addressed the real issues.

Er... wait... let me adjust that assertion: It's clear from your having taken me on, directly, and on-point, in the post to which I'm now replying -- and, to your credit, quite eloquently, too, I might add -- that you do know how; and, indeed, could have taken me on earlier, in an honorable way... and with aplomb, I suspect. But, instead, you chose the route of unholstering your weapon and taking a shot at my back after I'd said my piece and had turned to walk away... just because it was easier. Now that you know what it feels like, isn't engaging your adversary head-on, as you finally did in your post to which I'm now replying, better? [a rhetorical question that needn't actually be answered]

Originally posted by sightz
For all I knew, you could have been calling me a scoundrel, wastrel or profligate. :) Profligate? Ah ha! So you do have an education! Excellent. What a waste it is, then, that you sometimes resort to officiousness and rule-citing when you clearly have the skill to go toe-to-toe on the real issues with any man. Don't squander your gift on Dick-Cheney-like underhandedness and Karl-Rove-like dirty tricks. If you think a man is a jerk, screw-up the courage to stick with the issues and say that rather than sneaking off to call the police to report that he's also double-parked.

And as for the notion of using my signature to call you profligate names in another language, do you really think my (actually, non-existent) dislike for you rises to the level of such import that I would devote that precious space to expressing it? I mean, look, I luv ya'... but you just ain't worth it!

And, anyway, since it's been my signature for almost four years, I would have had to have been a psychic to have put an insult there knowing that we'd finally meet here all this time later! (But, if so, it sorta' takes the Boy Scout motto to a whole new level, doesn't it?)

Look, sightz, do we really need to argue here about this? I mean really? I've read your other posts. You're a smart guy... seriously. And I respect what you have to say. Is it too much for me to ask the same of you? You may not like my style, but don't resort to dirty pool to silence me. It's just not right; and judging by your other words that I've read, and the kind of person that you must certainly be in order to have written them, I think you know that.

Sorry if I offended you. It was not my intent... as I explained to iGabe who, as the object of my sarcasm, is curiously more okay with it than you seem to have been. Go figure.

You should be a lawyer! Advocacy -- howsoever indirectly administered -- seems come naturally to you.

Perhaps after this experience, sticking to the real issues will, now, too.

Peace, sightz. Okay? Peace.

Pompously posted by DesElms
Blah blah blah... knucklehead... Blah blah blah... Sarcasm... Blah blah blah... proffers... Blah blah blah... transgression

Peace, sightz. Okay? Peace. [/B]

I shall now consider myself soundly and thoroughly spanked. :erm:

Originally posted by sightz
I shall now consider myself soundly and thoroughly spanked. :erm: And, tell the truth... you liked it, too, didn't you? ;)

(Okay... that's enough. I'm just screwin' around. I couldn't resist.)