

ABOUT SSL CERTIFICATES


HELP!!!!!!!!!!!!!!!!!!!! For The Magical Blend

Creating An Account
Credit Card Security
Feedback
Online Security
Shipping Information
Store Address & Phone Numbers
Thawte


Why Create an Account?

Instead of having to re-type all your information each time you place an order with us, you can create an account for yourself and enter as much or as little information as you like in your personal address book. That way, any time you visit us you can log in using your User ID and password. When you go to the checkout page to finish your order, the address information you recorded in your account will automatically be used and you'll speed up your shopping. You will also be able to check on the status of your order. No information is EVER resold, traded, bartered, or otherwise given out. We HATE spam. We really, really do.

Your account has 2 groups of information; each group is a collection of similar information that goes together. For example:

  • Shipping-->All the information we need to get your order to you, such as your name, address, email, a phone number where you can be reached in case of a problem, and so on. You can create multiple shipping addresses if you wish and choose which one to use for an order.
  • Billing-->If you want your orders shipped to your apartment in Montreal but prefer that we bill you at your secret castle in Transylvania, you can enter the necessary billing information, such as a different name, address, phone number (to speak to your manservant RiffRaff), and so on. You can also enter your credit card type and expiration info if you'd like. We NEVER store your credit card number permanently. If your shipping address and billing address are the same, you can leave this alone.


Credit Card Security

Interchange is designed to securely transmit your information via SSL or SHTTP. Examine the browser status indication; if you see an indication that this transaction is secure (on Netscape it is an unbroken key in the lower left-hand corner), you can be assured that your vital information is securely encrypted as it flies over the Internet.

How do you know it is secure? Reference the WWW Security FAQ or the Thawte Security FAQ and determine if you are comfortable with leaving your credit card number.

That being said, please do feel free to leave your account information with us. Your credit card number, if you decide to leave it, will only be used to process your order. It will be encrypted, only read by our order entry software, and then wiped from the disk file as soon as that is done.


Store Address & Phone Numbers

The Magical Blend
1928 St. Catherine Street W.
Montreal, QC H3H 1M4
Phone: (514) 938-1458
Fax: (514) 938-8681
Email: tmb@themagicalblend.com

Shipping Information

We offer several ways to ship your order, using Canada Post and Canpar. You may request UPS shipment, which we handle on an order-by-order basis. Please Note: Customs clearance may add delays to the shipping times listed here. We have no way to predict what packages may or may not be held up for some reason.

Domestic Shipping in Canada:
Regular Post: Your order will be shipped using Canada Post and usually takes 3 to 5 business days to reach you.
Canpar: Your order will be shipped using Canpar, a courier service that provides order tracking and usually takes less time than Canada Post to reach you.

Shipping to the United States:
Parcel Post Surface: Your order will be shipped using Canada Post's Parcel Service (Surface) and usually takes 10 to 14 business days to reach you.
Parcel Post Air: Your order will be shipped using Canada Post's Parcel Service (Air) and usually takes 7 to 10 business days to reach you.
Parcel Post XPressPost: Your order will be shipped using Canada Post's Express Parcel Service and usually takes 3 to 5 business days to reach you.

Shipping to International destinations:
Parcel Post Surface: Your order will be shipped using Canada Post's Parcel Service (Surface) and usually takes 21 to 28 business days to reach you.
Parcel Post Air: Your order will be shipped using Canada Post's Parcel Service (Air) and usually takes 14 to 21 business days to reach you.


Online Security

Q: My Netscape browser is displaying a form for ordering merchandise from a department store that I trust. The little key at the lower left-hand corner of the Netscape window is solid and has two teeth. This means I can safely submit my credit card number, right?

Not quite. A solid key with two teeth indicates that SSL is being used with a 128-bit secret key and that the remote host owns a valid server certificate that was certified by some authority that Netscape recognizes. At this point, however, you don't know who that certificate belongs to. It's possible that someone has bought or stolen a server certificate and then diverted network traffic destined for the department store by subverting a router somewhere between you and the store. The only way to make sure that you're talking to the company you think you're talking to is to open up the "Document Information" window (from the File menu) and examine the server certificate. If the host and organization names that appear there match the company you expect, then you're probably safe to submit the form. If something unexpected appears there (like "Embezzlers R Us") you might want to call the department store's 800 number.
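The check described in this answer (do the host and organization names in the certificate match the company you expect?) can also be done in code. The following is an added example, not part of the original page or of the store's software; the function names, `shop.example.com` and the sample certificates are constructed for illustration, in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
STORE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Department Store Inc."),),
                (("commonName", "shop.example.com"),)),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}
OTHER_CERT = {
    "subject": ((("organizationName", "Embezzlers R Us"),),
                (("commonName", "shop.example.com"),)),
    "subjectAltName": (("DNS", "shop.example.com"),),
}

def subject_fields(cert, name):
    """Every value of one attribute in the certificate's subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == name]

def dns_name_matches(pattern, host):
    """Exact match, or one left-most '*' label as in '*.example.com'."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # The wildcard stands for exactly one label, never the bare domain.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_identity(cert, host, expected_org):
    """Return a list of problems; empty means host and organization both match."""
    problems = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans or subject_fields(cert, "commonName")  # CN is a legacy fallback
    if not any(dns_name_matches(n, host) for n in names):
        problems.append(f"host {host!r} is not among certificate names {names}")
    orgs = subject_fields(cert, "organizationName")
    if not orgs:  # domain-validated certificates carry no organization at all
        problems.append("certificate names no organization")
    elif expected_org.casefold() not in [o.casefold() for o in orgs]:
        problems.append(f"certificate organization {orgs} is not {expected_org!r}")
    return problems

def fetch_cert(host, port=443):
    """Live use: the default context verifies the chain, then returns the dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

A certificate that chains to a recognized authority and names the right host can still belong to a different organization, which is the case the second sample models.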

Q: How secure is the encryption used by SSL?

SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the http transaction (both request and response). Each transaction uses a different session key so that if someone manages to decrypt a transaction, that does not mean that they've found the server's secret key; if they want to decrypt another transaction, they'll need to spend as much time and effort on the second transaction as they did on the first.

Netscape servers and browsers do encryption using either a 40-bit secret key or a 128-bit secret key. Many people feel that using a 40-bit key is insecure because it's vulnerable to a "brute force" attack (trying each of the 2^40 possible keys until you find the one that decrypts the message). Using a 128-bit key eliminates this problem because there are 2^128 instead of 2^40 possible keys. Unfortunately, most Netscape users have browsers that support only 40-bit secret keys. This is because of legal restrictions on the encryption software that can be exported from the United States. (The Federal Government has recently modified this policy following the well-publicized cracking of a Netscape message encrypted using a 40-bit key. Expect this situation to change.)

In Netscape you can tell what kind of encryption is in use for a particular document by looking at the "Document Information" screen accessible from the File menu. The little key in the lower left-hand corner of the Netscape window also indicates this information. A solid key with two teeth means 128-bit encryption, a solid key with one tooth means 40-bit encryption, and a broken key means no encryption. Even if your browser supports 128-bit encryption, it may use 40-bit encryption when talking to older Netscape servers or Netscape servers outside the U.S. and Canada.

Q: My friend says that none of this stuff is safe. What should I believe?

When credit cards first came out in the late 1960s, the cardholder was liable for all losses occurring as a result of a stolen card. The credit card companies soon discovered that fear of large losses prevented people from using or keeping the cards. For a long time now, you have been liable (in most states) for at most $50 of loss as a result of credit card fraud.

Using your credit card on the Internet is no different than giving it to a restaurant. The presence of a warning-free SSL security system ensures that the company you are dealing with has passed background checks -- just like the presence of a Verifone credit-card checking device gives a good indication that the restaurant can actually accept credit cards. Look for a server certified by Verisign, Thawte, or another well-known certifying agency. If a server's SSL certificate is so signed, you have done your job to verify authenticity.

We don't recommend that you send your credit card number un-encrypted over the Internet. Just like you know not to give your card number to anyone who calls you -- you make sure you know who you are talking to first -- you shouldn't send your card number over the Internet until you are certain that the company you are dealing with has made the effort to ensure security. Presence of a warning-free SSL security system indicates that rather considerable effort has been made. Look for the lock, key, or blue line, and you should be safe.

Q: Yes, all that is fine, but what about your software? Won't the number stick around on the disk forever?

The SSL encryption will take care of network transmission. But we don't want to make it easy for just anybody, even those with access to our system, to view your number. Your credit card number is encrypted with GPG (GNU Privacy Guard) encryption before ever being briefly written to a file during processing of your order.

First of all, after you enter your number, it is kept in memory only until it is encrypted. At that time, it is scrubbed from the program's memory. The now-encrypted card number (with the password only known to our order entry personnel) is then written to a file with permissions set so only the program can get at it.


Thawte

This web site is secured using a Thawte Digital Certificate. This ensures that all information you send to us via the World Wide Web will be encrypted. Please click on the Thawte Authentic Site Seal (appearing on the bottom of any page) which will verify the validity of our Thawte Certificate, and our commitment to your security.

All prices are in Canadian Dollars (CAD). We ship internationally.

© Copyright 1998-2007 The Magical Blend Inc., all rights reserved.