Do non-secure webpages pose a threat to e-commerce consumers?

TORONTO – A Geneva-based security firm said this week that some of the top e-commerce websites in the world may be leaving users vulnerable to security risks like identity theft and phishing attacks by not defaulting their customer-facing webpages to Hypertext Transfer Protocol Secure (HTTPS).

But are non-secure webpages really a threat to web users? Security experts aren’t so sure.

High-Tech Bridge released a study this week concluding that 98 per cent of the top 100 global e-commerce sites failed to automatically direct users to HTTPS versions of their site when they initially visited the webpage – meaning that customers were surfing non-secure webpages before they logged in to any customer accounts.

Most sites would default to an HTTPS connection when users logged in, protecting password and payment information. Only seven of the 100 sites studied did not.
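The study's core test is simple: request a site's front page over plain HTTP and see whether the response sends the visitor to an https:// address. The following checker is an added example (not the article's own material and not High-Tech Bridge's ImmuniWeb tool); the hostnames and responses in SAMPLES are constructed, and check_site() is provided for live use against a host of your choosing.

```python
"""Classify whether a plain-HTTP front page upgrades visitors to HTTPS."""
import http.client
from urllib.parse import urlsplit


def classify_response(status, headers):
    """Classify the response to GET http://<host>/ (headers: list of (name, value)).

    Returns one of:
      'redirects-to-https'  - 3xx whose Location is an https:// URL (always-on SSL)
      'redirects-to-http'   - 3xx but the target stays plaintext (e.g. a relative
                              path or an http://www. canonicalisation)
      'plaintext'           - the page is served over HTTP with no upgrade
    """
    hdrs = {name.lower(): value for name, value in headers}
    if 300 <= status < 400 and "location" in hdrs:
        target = urlsplit(hdrs["location"].strip())
        # Only an absolute https:// target counts; relative ("/home") and
        # scheme-relative ("//host/") targets keep the browser on plain HTTP.
        if target.scheme.lower() == "https":
            return "redirects-to-https"
        return "redirects-to-http"
    # Note: a Strict-Transport-Security header sent over plain HTTP is ignored
    # by browsers, so it cannot rescue a 200 here.
    return "plaintext"


def check_site(host, path="/", timeout=10):
    """Live check: fetch http://host/path without following redirects."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify_response(resp.status, resp.getheaders())
    finally:
        conn.close()


# Constructed sample responses (hypothetical hosts, not real captures).
SAMPLES = {
    "always-on-shop.example": (301, [("Location", "https://always-on-shop.example/")]),
    "www-only.example": (301, [("Location", "http://www.www-only.example/")]),
    "relative-redirect.example": (302, [("Location", "/home")]),
    "split-shop.example": (200, [("Content-Type", "text/html")]),
}


def summarize(samples=SAMPLES):
    """Map each sample host to its classification."""
    return {host: classify_response(status, hdrs) for host, (status, hdrs) in samples.items()}


if __name__ == "__main__":
    for host, verdict in summarize().items():
        print(f"{host}: {verdict}")
```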

HTTPS – or HTTP Secure – makes websites more secure by encrypting user information in transit. The technology has traditionally been used by online shopping sites to protect customers’ payment information.

High-Tech Bridge found that only 27 per cent of the websites they looked at had a secure HTTPS version for all customer-facing webpages.

This means that “non-critical” customer information – such as items in their shopping cart, or search history on the website – may be visible to hackers. And while most consumers may not think this information could be hurtful, High-Tech Bridge security experts argue that hackers are still interested in this information.

“Unfortunately, these websites seriously underestimate the importance of encrypting user-transmitted data beyond logins and passwords, and this is a very dangerous approach to privacy management,” said Marsel Nizamutdinov, chief research officer at High-Tech Bridge.

“In many cases, if such ‘non-critical’ data is stolen by third parties, it may not just harm the buyer, but the online store as well.”

Charles Henderson, director at U.S.-based security firm Trustwave, agreed that from a privacy standpoint he would love to see e-commerce sites default to secure connections, but argued that for efficiency reasons it’s not practical for e-commerce firms.

“There are many things that you can do via an e-commerce website that don’t necessarily need to be on an SSL connection,” Henderson told Global News.

“That’s why, for various reasons, a lot of companies choose to split SSL and non-SSL.”

Henderson also noted that there is a very low chance that a consumer may come across a hacker looking to gain information from an online shopping cart.

“It’s probably not the highest priority for attackers. It’s not like there is an epidemic of hackers looking to get information from your shopping carts,” Henderson said.

“Computer climate is a very organized business; people want return on investment. The return on investment for sitting in a coffee shop, seeing what is in people’s shopping carts is pretty low.”

But from a privacy standpoint Henderson said he sees the point of High-Tech Bridge’s study.

“From a privacy standpoint, I’d like everything I do to be private; it’s just not always practical for e-commerce firms,” he said.

On the other hand, Tamir Israel – cyber-security expert and staff lawyer at the Canadian Internet Policy and Public Interest Clinic (CIPPIC) – said that though SSL connections won’t protect consumers against all online threats, using HTTPS connections on customer-facing webpages benefits everyone.

“Is it the silver bullet that is going to protect customers from all intrusions? No. But it does provide a few positive things that we thought were worthwhile,” Israel told Global News.

“For example we made our own website always on SSL – we did it because it cost us almost nothing to do, and it provides some additional protection and security. It’s just a best practice that is really easy to do, with minimal cost and effort.”

Israel noted that SSL also helps protect customers from possible phishing attacks, where the user may be tricked into visiting a malicious website – for example, a user follows a link to a product page that is set up to mimic a retailer’s.

“We [the CIPPIC] believe that generally, having more encrypted traffic discourages interceptions in general,” he said.

“It’s just a better practice to have everything encrypted – and having the [SSL] certificate there is a better assurance in general. Even if you are browsing a site that isn’t sensitive in and of itself, it could be revealing if someone is looking at what you are doing across a whole bunch of sites.”

He added that CIPPIC chose to make their website “always-on SSL” because it cost them next to nothing and it provided added protection to both the site and its visitors.

Ilia Kolochenko, CEO of High-Tech Bridge, echoed that sentiment when discussing the outcome of High-Tech Bridge’s study.

“I still have the impression that e-commerce today is stuck in 2003 or 2004. Back then, HTTPS wasn’t as common because we had lots of mobile phones and PDAs that didn’t support HTTPS, therefore a lot of e-commerce sites wouldn’t make it default,” Kolochenko said.

“Today any mobile phone, any iPad, any PC or Mac supports HTTPS without any difficulty at all.”

He noted that for companies, enabling HTTPS by default is “cheap, fast, and easy.”

Henderson suggests that users download a plug-in such as “HTTPS Everywhere,” which forces sites to use an HTTPS connection – even if one isn’t available – on both Google Chrome and Mozilla Firefox.

Some web browsers also allow you to check and see if the site you are using is encrypted.

On Google Chrome if you see a green bar and lock symbol in the top left hand side of your browser bar it means the site is using HTTPS. By clicking on the lock symbol Chrome will display a message that says, “Identity verified.” It will also display information about the site’s SSL validation.

If the top left hand side of the browser bar shows a white box with a folded-over corner, it means the site is not encrypted – if you click on it you will see a message that reads “Identity not verified.”

High-Tech Bridge compiled its own Top-100 list from three different sources: the “20 Most Popular Web Retailers” from the Washington Post, merged with Alexa’s “Top Sites in Shopping” and the “Top 50 Most Popular Online Shopping Websites” by My App Magazine.

From that data High-Tech Bridge compiled its own top 100 list. The company used its own ImmuniWeb SSL Certificate Monitor, which was recently adopted by the Online Trust Alliance, to conduct the test.
