Privacy Matters: How Well Do Top e-Commerce Sites Protect You?

By Peter Bernstein December 06, 2013

The ongoing Snowden revelations about the interception of private and confidential data have already had an impact on e-commerce websites. In order to retain the trust of users, many large websites have adopted always-on SSL encryption to assure that traffic between their web servers and clients’ devices is secure. Yahoo and Google have been quick to react and Microsoft is about to follow. After all, trustworthiness is emerging as a key differentiator in the market, and lack of trust is a sure recipe for commercial disaster.

As the good folks at Geneva, Switzerland-based High-Tech Bridge point out, while an SSL certificate on an e-commerce website does not have any direct impact on web application security, it is a very important security measure to confirm website owner identity and assure that data in motion between a transactional web application on a company server and the web browsers on end-user devices is secure. This is not an insubstantial bit of peace of mind given what continues to be unveiled about sophisticated techniques used by supposed friends as well as foes to learn as much as they can about us.

In fact, based on its own tracking of website practices and vulnerabilities that can be exploited by prying eyes of all types, High-Tech Bridge believes that e-commerce websites of all sizes that handle sensitive customer data should use an HTTPS version of their website by default.

Happy holiday shopping?

With the holiday season upon us, High-Tech Bridge researchers thought it might be interesting to see how the top e-commerce sites do in regard to the use of encrypted versions of their sites. There is some good news but, unfortunately, also sobering bad news to report.

After developing a list of the top 100 global online retail sites, High-Tech Bridge used its ImmuniWeb SSL Certificate Monitor, which is part of ImmuniWeb® SaaS, to conduct some tests. 

Note: Just as a bit of background, the Monitor was recently adopted by the Online Trust Alliance to verify the SSL certificates and implementation of approximately 1,000 of the largest governmental, financial institutions and e-commerce websites for the OTA 2013 Honor Roll and Online Trust Audit.

Below are a few of the key results of the tests.

Positive findings:

  • 0/100 websites have expired or untrusted SSL certificates.
  • Only 1/100 of website certificates expire in less than one month.
  • 99/100 websites have a 2048-bit or even stronger encryption certificate.

Negative findings:

  • 2/100 websites do not have an SSL certificate at all, leaving their customers totally unprotected.
  • 7/100 websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment.
  • 73/100 websites do not have a secure HTTPS version at all for some "non-critical" online activities of their customers, such as shopping cart management for example.
  • An extremely low 2/100 websites protect users by automatically using a secure HTTPS version (SSL) by default.
  • Only 25/100 websites have SSL EV certificates.
  • 33/100 websites display non-SSL content together with SSL content on their pages.
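
Two of the findings above, non-SSL content mixed into SSL pages and sensitive operations that are not forced onto HTTPS, can be checked from a page's HTML alone. The following is an added example, not High-Tech Bridge's ImmuniWeb tooling; the `shop.example` URLs and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose attribute makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "embed": "src", "object": "data"}

class MixedContentAudit(HTMLParser):
    """Collect plain-HTTP loads and form targets on an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure_resources = []  # (tag, absolute URL)
        self.insecure_forms = []      # absolute form action URLs

    def _absolute(self, value):
        # Resolve relative and protocol-relative URLs against the page.
        return urljoin(self.page_url, value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form without an action posts back to the page URL.
            target = self._absolute(a.get("action") or self.page_url)
            if urlparse(target).scheme == "http":
                self.insecure_forms.append(target)
            return
        attr = SUBRESOURCE_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            attr = "href"
        if attr and a.get(attr):
            url = self._absolute(a[attr])
            if urlparse(url).scheme == "http":
                self.insecure_resources.append((tag, url))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.insecure_resources, parser.insecure_forms

# Constructed sample: a checkout page on a hypothetical HTTPS origin.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<head><link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.shop.example/tracker.js"></script></head>
<body><img src="//img.shop.example/logo.png">
<img src="http://img.shop.example/banner.jpg">
<a href="http://shop.example/help">Help</a>
<form action="http://shop.example/pay" method="post"></form></body>"""
```

Calling `audit(SAMPLE_URL, SAMPLE_HTML)` returns the script and banner image as mixed content and the payment form as an insecure submit target; the protocol-relative logo and the plain navigation link are not flagged.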

The negatives certainly outweigh the positives.

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, in comments about the research stated that, “Alarmingly, only 2 percent of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts. Also, 7 percent of websites are failing to enforce their customers to use HTTPS for the most sensitive operations such as login, checkout and payment, while 27 percent of websites don’t even have an HTTPS version for “non-critical” sections of their website, such as shopping cart management or search for goods.”

He added that, “Unfortunately these websites seriously underestimate the importance of encrypting user-transmitted data beyond logins and passwords…Always-on SSL is a very useful security practice, HTTPS versions of websites are supported by all modern web browsers today (including mobile device browsers), and I don’t see any reason, why only two of the 100 largest web retailers deploy this option.”

Ilia Kolochenko, High-Tech Bridge CEO, was equally pointed in his assessment, saying, “I strongly believe that all e-commerce platforms should strictly follow data-protection best-practices developed by the Online Trust Alliance. Otherwise they put at risk not only their own and their customers’ security, but the reputation of the entire e-commerce industry”.

As someone who does a fair share of shopping online, possibly out of paranoia from having my identity stolen more than once as a result of activities I was relatively sure resulted from interactions with websites that did not use HTTPS as their front line of protection, I will not do business with online entities that take me to what I consider unsecure transactional places on their sites. While this can limit my shopping options, the peace of mind is well worth abstaining. It obviously is not a failsafe approach given the ingenuity of hackers, and the multiple ways they have figured out to cause havoc for me and the vendors I would like to do business with. However, it is not unlike when I leave my house and turn on the alarm system and lock the door. At least I have made it harder for the bad guys, and one would hope that that is what is top of mind for retailers as well, although High-Tech Bridge’s work certainly shows there is a lot of room for improvement.




Edited by Cassandra Tucker