http://www.sundance.org/festival/tickets/registration/

Just bothers me that companies can get away with this given the recent history with Sony etc. getting hacked.

http://www.box.com/shared/vdqv03hfgxri5ocreohz
Not quite true...

If you noted your order is processed inside an <iframe> element which is secured with https to https://webtix1.sundance.org/WebTixsNet/OrderFormPage.aspx?dtticks=634878250741441833
actually
"false, I checked that already. the iframe src is http://webtix1.sundance.org/webtixsnet/?key=RegPublic-PITW
the form's action is "OrderFormPage.aspx?dtticks=634878773966587077" which means that the form submits to http://webtix1.sundance.org/webtixsnet/OrderFormPage.aspx?dtticks=634878773966587077

so the iframe isn't ssl, and the form doesn't submit to an SSL page either.

furthermore! even if the iframe were over ssl (which it isn't), that still wouldn't be secure. since the outer page isn't over ssl, an attacker could replace the iframe with one that has the same content but points to a non-ssl page. this is why SSL is useless unless the user checks the browser SSL indicator (the green lock in the URL bar)."
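
The check the last comment walks through (resolve the iframe src and the relative form action, then look at the scheme of every document in the chain, including the embedding page), as an added example that is not part of the thread. It runs on constructed HTML built from the URLs quoted above and fetches nothing; `audit`, `Collector` and `PAGES` are names made up for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class Collector(HTMLParser):
    """Collect iframe src and form action attributes from one document."""
    def __init__(self):
        super().__init__()
        self.iframes, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            # A missing or empty action submits to the document's own URL.
            self.forms.append(a.get("action") or "")

def audit(url, pages, chain_secure=True, seen=None):
    """Return (url, problem) findings for `url` and every frame nested in it.
    `pages` maps URL -> HTML source (constructed input, no network access)."""
    seen = set() if seen is None else seen
    if url in seen:          # guard against frames that embed each other
        return []
    seen.add(url)
    findings = []
    secure = urlsplit(url).scheme == "https"
    if not secure:
        findings.append((url, "document loaded over plain HTTP"))
    elif not chain_secure:
        # The frame itself is fine, but whoever can rewrite the HTTP
        # embedder can point the iframe somewhere else.
        findings.append((url, "HTTPS frame embedded by an HTTP page"))
    c = Collector()
    c.feed(pages.get(url, ""))
    for action in c.forms:
        target = urljoin(url, action)   # relative actions resolve against the frame URL
        if urlsplit(target).scheme != "https":
            findings.append((target, "form submits over plain HTTP"))
    for src in c.iframes:
        findings += audit(urljoin(url, src), pages, chain_secure and secure, seen)
    return findings

# Constructed markup reflecting what the comment reports, not a copy of the site.
OUTER = "http://www.sundance.org/festival/tickets/registration/"
FRAME = "http://webtix1.sundance.org/webtixsnet/?key=RegPublic-PITW"
PAGES = {
    OUTER: '<html><body><iframe src="%s"></iframe></body></html>' % FRAME,
    FRAME: '<form method="post" action="OrderFormPage.aspx?dtticks=634878773966587077">'
           '<input name="card"></form>',
}

if __name__ == "__main__":
    for where, problem in audit(OUTER, PAGES):
        print(problem, "->", where)
```

Swapping the frame URL to `https://` in `PAGES` still leaves two findings, the outer page and the HTTPS frame it embeds, which is the comment's second point.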