Privacy Matters: How Well Do Top e-Commerce Sites Protect You?

By Peter Bernstein December 06, 2013

The ongoing Snowden revelations about the interception of private and confidential data have already had an impact on e-commerce websites. In order to retain the trust of users, many large websites have adopted always-on SSL encryption to assure that traffic between their web servers and clients’ devices is secure. Yahoo and Google have been quick to react, and Microsoft is about to follow. After all, trustworthiness is emerging as a key differentiator in the market, and lack of trust is a sure recipe for commercial disaster.

As the good folks at Geneva, Switzerland-based High-Tech Bridge point out, while an SSL certificate on an e-commerce website does not have any direct impact on web application security, it is a very important security measure: it confirms the website owner’s identity and assures that data in motion between a transactional web application on a company server and the end user’s web browser is protected from eavesdropping and tampering. That is no small piece of peace of mind given what continues to be unveiled about the sophisticated techniques used by supposed friends as well as foes to learn as much as they can about us.

In fact, based on its own tracking of website practices and of vulnerabilities that can be exploited by prying eyes of all types, High-Tech Bridge believes that e-commerce websites of all sizes that handle sensitive customer data should serve an HTTPS version of their website by default.

Happy holiday shopping?

With the holiday season upon us, High-Tech Bridge researchers thought it might be interesting to see how the top e-commerce sites do in regard to the use of encrypted versions of their sites. There is some good news, but unfortunately sobering bad news to report as well.

After developing a list of the top 100 global online retail sites, High-Tech Bridge used its ImmuniWeb SSL Certificate Monitor, which is part of ImmuniWeb® SaaS, to conduct some tests.

Note: Just as a bit of background, the Monitor was recently adopted by the Online Trust Alliance to verify the SSL certificates and implementation of approximately 1,000 of the largest government, financial-institution and e-commerce websites for the OTA 2013 Honor Roll and Online Trust Audit.

Below are a few of the key results of the tests.

Positive findings:

  • 0/100 websites have expired or untrusted SSL certificates.
  • Only 1/100 of website certificates expire in less than one month.
  • 99/100 websites have certificates with 2048-bit or stronger keys.

Negative findings:

  • 2/100 websites do not have an SSL certificate at all, leaving their customers totally unprotected.
  • 7/100 websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment.
  • 73/100 websites do not have a secure HTTPS version at all for some "non-critical" online activities of their customers, such as shopping cart management for example.
  • An extremely low 2/100 websites protect users by automatically serving the secure HTTPS (SSL) version of the site by default.
  • Only 25/100 websites have SSL EV certificates.
  • 33/100 websites display non-SSL content together with SSL content on their pages (so-called mixed content).

The negatives certainly outweigh the positives.
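To make concrete what the findings above actually test for, here is an added illustration in Python. It is not part of the original article and is not High-Tech Bridge’s ImmuniWeb code; it uses only the standard library and checks the same three properties on constructed sample data: whether a certificate (in the dictionary shape Python’s `getpeercert()` returns) expires within the survey’s one-month window, whether a plain-HTTP request is redirected to HTTPS with no later downgrade, and whether an HTTPS page pulls scripts, images, stylesheets or form targets over plain HTTP. The host names, the sample page and the redirect chains are constructed for the example; `fetch_peer_cert` is the only function that touches the network.

```python
"""Offline-testable versions of the checks the survey reports on: certificate
expiry, HTTPS enforced by default, and mixed content.
Added example (standard library only); not ImmuniWeb's or High-Tech Bridge's code."""
import socket
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EXPIRY_WARN_DAYS = 30                      # survey flags certs expiring within a month
REDIRECTS = {301, 302, 303, 307, 308}


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check (network). create_default_context() verifies the chain and the
    hostname, so an expired or untrusted certificate raises
    ssl.SSLCertVerificationError, the survey's 'expired or untrusted' finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """cert has the dict shape getpeercert() returns; notAfter is the
    'Mon DD HH:MM:SS YYYY GMT' text that ssl.cert_time_to_seconds parses."""
    now = now or datetime.now(timezone.utc)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - now.timestamp()) / 86400


def https_enforced(chain):
    """chain: hops observed after requesting the plain-http URL, as
    (requested_url, status, location_header) tuples. Enforced means the http
    request was redirected, every later hop was https, and the chain ended."""
    first_url, first_status, _ = chain[0]
    if urlparse(first_url).scheme != "http" or first_status not in REDIRECTS:
        return False                       # content served over plain http
    for url, _status, _location in chain[1:]:
        if urlparse(url).scheme != "https":
            return False                   # downgraded back to http mid-chain
    return chain[-1][1] not in REDIRECTS


class _SubresourceCollector(HTMLParser):
    """Collects the URLs a page loads or posts to (the mixed-content sources)."""
    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "source": "src",
                 "video": "src", "audio": "src", "link": "href", "form": "action"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return                         # only stylesheets matter here
        url = attrs.get(attr)
        if url:
            self.refs.append((tag, url))


def find_mixed_content(html, page_url):
    """Return (tag, absolute_url) for every subresource an https page fetches
    or submits over plain http. A 'form' hit is the login/checkout case."""
    if urlparse(page_url).scheme != "https":
        return []                          # only meaningful for an https page
    parser = _SubresourceCollector()
    parser.feed(html)
    findings = []
    for tag, ref in parser.refs:
        absolute = urljoin(page_url, ref)  # relative and '//' refs inherit https
        if urlparse(absolute).scheme == "http":
            findings.append((tag, absolute))
    return findings


# ---- constructed sample data (not real sites) --------------------------------
SURVEY_DATE = datetime(2013, 12, 6, tzinfo=timezone.utc)
SAMPLE_CERT = {"subject": ((("commonName", "shop.example"),),),
               "notAfter": "Dec 31 23:59:59 2014 GMT"}
SOON_CERT = {"subject": ((("commonName", "shop.example"),),),
             "notAfter": "Dec 20 00:00:00 2013 GMT"}
GOOD_CHAIN = [("http://shop.example/", 301, "https://shop.example/"),
              ("https://shop.example/", 200, None)]
PLAIN_HTTP_CHAIN = [("http://shop.example/", 200, None)]
DOWNGRADE_CHAIN = [("http://shop.example/", 301, "https://shop.example/"),
                   ("https://shop.example/", 302, "http://shop.example/cart"),
                   ("http://shop.example/cart", 200, None)]
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="//static.example/site.css">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<form action="http://shop.example/login" method="post"><input name="pw"></form>
<img src="/images/logo.png">
<img src="http://tracker.example/pixel.gif">
</body></html>"""

if __name__ == "__main__":
    for name, cert in (("sample", SAMPLE_CERT), ("soon", SOON_CERT)):
        days = days_until_expiry(cert, now=SURVEY_DATE)
        print(f"{name}: {days:.0f} days left", "WARN" if days < EXPIRY_WARN_DAYS else "ok")
    for name, chain in (("good", GOOD_CHAIN), ("plain", PLAIN_HTTP_CHAIN),
                        ("downgrade", DOWNGRADE_CHAIN)):
        print(f"{name}: https enforced = {https_enforced(chain)}")
    for tag, url in find_mixed_content(SAMPLE_PAGE, "https://shop.example/cart"):
        print(f"mixed content: <{tag}> loads {url}")
```

Run against the constructed page, the script reports three mixed-content hits (the analytics script, the tracking pixel and, worst of all, a login form posting to plain HTTP), flags the downgrade chain as not enforcing HTTPS, and warns on the certificate with 14 days left. The protocol-relative stylesheet and the site-relative logo inherit HTTPS from the page and are correctly left alone.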

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, in comments about the research stated that, “Alarmingly, only 2 percent of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts. Also, 7 percent of websites are failing to enforce their customers to use HTTPS for the most sensitive operations such as login, checkout and payment, while 27 percent of websites don’t even have an HTTPS version for “non-critical” sections of their website, such as shopping cart management or search for goods.”

He added that, “Unfortunately these websites seriously underestimate the importance of encrypting user-transmitted data beyond logins and passwords…Always-on SSL is a very useful security practice, HTTPS versions of websites are supported by all modern web browsers today (including mobile device browsers), and I don’t see any reason, why only two of the 100 largest web retailers deploy this option.”

Ilia Kolochenko, High-Tech Bridge CEO, was equally pointed in his assessment, saying, “I strongly believe that all e-commerce platforms should strictly follow data-protection best-practices developed by the Online Trust Alliance. Otherwise they put at risk not only their own and their customers’ security, but the reputation of the entire e-commerce industry.”

As someone who does a fair share of shopping online, possibly out of paranoia from having my identity stolen more than once as a result of activities I was relatively sure resulted from interactions with websites that did not use HTTPS as their front line of protection, I will not do business with online entities that take me to what I consider unsecure transactional places on their sites. While this can limit my shopping options, the peace of mind is well worth abstaining. It obviously is not a failsafe approach given the ingenuity of hackers, and the multiple ways they have figured out to cause havoc for me and the vendors I would like to do business with. However, it is not unlike when I leave my house and turn on the alarm system and lock the door. At least I have made it harder for the bad guys, and one would hope that this is what is top of mind for retailers as well, although High-Tech Bridge’s work certainly shows there is a lot of room for improvement.

Edited by Cassandra Tucker