Privacy Matters: How Well Do Top e-Commerce Sites Protect You?

By Peter Bernstein December 06, 2013

The recent and ongoing Snowden revelations about the interception of private and confidential data have already had an impact on e-commerce websites. In order to retain the trust of users, many large websites have adopted always-on SSL encryption to ensure that traffic between their web servers and clients' devices is secure. Yahoo and Google have been quick to react and Microsoft is about to follow. After all, trustworthiness is emerging as a key differentiator in the market, and lack of trust is a sure recipe for commercial disaster.

As the good folks at Geneva, Switzerland-based High-Tech Bridge point out, while an SSL certificate on an e-commerce website has no direct impact on web application security, it is a very important security measure: it confirms the identity of the website owner and ensures that data in motion between a transactional web application on a company server and the web browser on the end user's device is protected. That is no small measure of peace of mind, given what continues to be revealed about the sophisticated techniques that supposed friends as well as foes use to learn as much as they can about us.

In fact, based on its own tracking of website practices and of vulnerabilities that prying eyes of all types can exploit, High-Tech Bridge believes that e-commerce websites of all sizes that handle sensitive customer data should serve an HTTPS version of their website by default.

Happy holiday shopping?

With the holiday season upon us, High-Tech Bridge researchers thought it might be interesting to see how the top e-commerce sites fare with regard to the use of encrypted versions of their sites. There is some good news, but unfortunately also sobering bad news to report.

After compiling a list of the top 100 global online retail sites, High-Tech Bridge used its ImmuniWeb SSL Certificate Monitor, which is part of ImmuniWeb® SaaS, to test them.

Note: As a bit of background, the Monitor was recently adopted by the Online Trust Alliance to verify the SSL certificates and their implementation on approximately 1,000 of the largest government, financial-institution and e-commerce websites for the OTA 2013 Honor Roll and Online Trust Audit.

Below are a few of the key results of the tests.

Positive findings:

  • 0/100 websites have expired or untrusted SSL certificates.
  • Only 1/100 website certificates expire in less than one month.
  • 99/100 websites have certificates with 2048-bit or stronger keys.

Negative findings:

  • 2/100 websites do not have an SSL certificate at all, leaving their customers totally unprotected.
  • 7/100 websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations, such as login, checkout and payment.
  • 73/100 websites have no secure HTTPS version at all for some "non-critical" customer activities, such as shopping cart management.
  • Only 2/100 websites protect users by serving the secure HTTPS version (SSL) by default, an extremely low figure.
  • Only 25/100 websites have EV (Extended Validation) SSL certificates.
  • 33/100 websites display non-SSL content together with SSL content on their pages (mixed content).

The negatives certainly outweigh the positives.
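The finding categories above can be checked mechanically once a scanner has observed a site's certificate, its redirect behaviour and the HTML it serves over HTTPS. The following Python audit is an added example, not the article's or High-Tech Bridge's ImmuniWeb code; the `SiteObservation` record, the hostnames and the certificate dates are constructed for illustration, and the mixed-content check is a simple scan of `script`, `iframe`, `link` and `img` tags for plain-http URLs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from html.parser import HTMLParser
from typing import List, Optional

@dataclass
class SiteObservation:                    # what an external scan of one retailer can see
    host: str
    has_https: bool                       # port 443 serves the site at all
    cert_trusted: bool = True             # chain validates to a trusted root
    cert_not_after: Optional[datetime] = None
    key_bits: int = 0
    http_redirects_to_https: bool = False # http://host/ answers with a redirect to https://
    html: str = ""                        # page body as served over HTTPS

class MixedContentScanner(HTMLParser):    # collects plain-http sub-resources of an HTTPS page
    URL_ATTR = {"script": "src", "iframe": "src", "link": "href", "img": "src"}
    def __init__(self):
        super().__init__()
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(self.URL_ATTR.get(tag, ""), "") or ""
        if url.lower().startswith("http://"):
            self.insecure.append(url)

def audit(site: SiteObservation, now: datetime) -> List[str]:
    if not site.has_https:                # the 2/100 case: nothing to inspect further
        return ["no SSL certificate at all"]
    findings = []
    if not site.cert_trusted or (site.cert_not_after and site.cert_not_after < now):
        findings.append("expired or untrusted certificate")
    elif site.cert_not_after and site.cert_not_after - now < timedelta(days=30):
        findings.append("certificate expires in less than one month")
    if site.key_bits < 2048:
        findings.append(f"key shorter than 2048 bits ({site.key_bits})")
    if not site.http_redirects_to_https:  # always-on SSL means HTTP must bounce to HTTPS
        findings.append("HTTPS not used by default")
    scanner = MixedContentScanner()
    scanner.feed(site.html)
    if scanner.insecure:
        findings.append("mixed content: " + ", ".join(scanner.insecure))
    return findings

NOW = datetime(2013, 12, 6)               # article date, used as "today"
# Constructed sample (not a real retailer): trusted 2048-bit cert expiring in two weeks, no redirect to HTTPS, one plain-http script.
SAMPLE = SiteObservation(host="shop.example", has_https=True, key_bits=2048,
    cert_not_after=datetime(2013, 12, 20), http_redirects_to_https=False,
    html='<script src="http://cdn.example/a.js"></script><img src="https://cdn.example/l.png">')
def audit_sample() -> List[str]:
    return audit(SAMPLE, NOW)
```

Running `audit_sample()` on the constructed site reports the imminent expiry, the missing HTTPS-by-default redirect and the mixed-content script, which are three of the categories in the list above.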

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, commented on the research: "Alarmingly, only 2 percent of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts. Also, 7 percent of websites are failing to enforce their customers to use HTTPS for the most sensitive operations such as login, checkout and payment, while 27 percent of websites don't even have an HTTPS version for 'non-critical' sections of their website, such as shopping cart management or search for goods."

He added: "Unfortunately these websites seriously underestimate the importance of encrypting user-transmitted data beyond logins and passwords… Always-on SSL is a very useful security practice, HTTPS versions of websites are supported by all modern web browsers today (including mobile device browsers), and I don't see any reason why only two of the 100 largest web retailers deploy this option."

Ilia Kolochenko, High-Tech Bridge CEO, was equally pointed in his assessment: "I strongly believe that all e-commerce platforms should strictly follow data-protection best practices developed by the Online Trust Alliance. Otherwise they put at risk not only their own and their customers' security, but the reputation of the entire e-commerce industry."

As someone who does a fair share of shopping online, possibly out of paranoia from having my identity stolen more than once as a result of activities I was relatively sure resulted from interactions with websites that did not use HTTPS as their front line of protection, I will not do business with online entities that take me to what I consider insecure transactional places on their sites. While this can limit my shopping options, the peace of mind is well worth abstaining. It obviously is not a failsafe approach given the ingenuity of hackers, and the multiple ways they have figured out to cause havoc for me and the vendors I would like to do business with. However, it is not unlike when I leave my house and turn on the alarm system and lock the door. At least I have made it harder for the bad guys, and one would hope that that is what is top of mind for retailers as well, although High-Tech Bridge's work certainly shows there is a lot of room for improvement.

Edited by Cassandra Tucker