Privacy Matters: How Well Do Top e-Commerce Sites Protect You?

The recent ongoing Snowden revelations about the interception of private and confidential data have already had an impact as e-commerce websites. In order to retain the trust of users, many large websites have adopted always-on SSL encryption to assure that traffic between their web servers and clients’ devices are secure.  Yahoo and Google have been quick to react and Microsoft (News - Alert) is about to follow. After all, trustworthiness is emerging as a key differentiator in the market, and lack of trust is a sure recipe for commercial disaster.

As the good folks at Geneva-Switzerland-based High-Tech Bridge point out, while an SSL certificate on an e-commerce website does not have any direct impact on web application security, it is a very important security measure to confirm website owner identity and assure that data in motion between a transactional web application on a company server and end user device web browsers is secure.  This is not an insubstantial bit of peace of mind given what continues to be unveiled about sophisticated techniques used by supposed friends as well as foes to learn as much as they can about us.

In fact, based on its own tracking of website practices and vulnerabilities that can be exploited by prying eyes of all types, High-Tech Bridge believes that e-commerce websites of all sizes that handle sensitive customer data should use a HTTPS version of their website by default.

Happy holiday shopping?

With the holiday season upon us, High Bridge researchers though it might interesting to see how the top e-commerce sites do in regards to the use of encrypted versions of their sites. There is some good news but unfortunately sobering bad news to report.

After developing a list of the top 100 global online retail sites, High-Tech Bridge used its ImmuniWeb SSL Certificate Monitor, which is part of ImmuniWeb® SaaS (News - Alert), to conduct some tests. 

Note:  Just as a bit of background, the Monitor was recently adopted by the Online Trust Alliance to verify the SSL certificates and implementation of approximately 1,000 of the largest governmental, financial institutions and e-commerce websites for the OTA 2013 Honor Roll and Online Trust Audit.

 Below are a few of the key results of the tests.

Positive findings:

• 0/100 websites have expired or untrusted SSL certificates.
• Only 1/100 of website certificates expire in less than one month.
• 99/100 of websites have 2048-bit or even stronger encryption certificate.

Negative findings:

• 2/100 websites do not have SSL certificate at all, leaving their customers totally unprotected.
• 7/100 websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment.
• 73/100 websites do not have a secure HTTPS version at all for some "non-critical" online activities of their customers, such as shopping cart management for example.
• An extremely low 2/100 websites protect users by automatically using a secure HTTPS version (SSL) by default.
• Only 25/100 websites have SSL EV certificates.
• 33/100 websites display non-SSL content together with SSL content on their pages.

The negative certainly out-weigh the positives.

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, in comments about the research stated that, “Alarmingly, only 2 percent of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts. Also, 7 percent of websites are failing to enforce their customers to use HTTPS for the most sensitive operations such as login, checkout and payment, while 27 percent of websites don’t even have an HTTPS version for “non-critical” sections of their website, such as shopping cart management or search for goods.”

He added that, “Unfortunately these websites seriously underestimate the importance of encrypting user-transmitted data beyond logins and passwords…Always-on SSL is a very useful security practice, HTTPS versions of websites are supported by all modern web browsers today (including mobile device browsers), and I don’t see any reason, why only two of the 100 largest web retailers deploy this option.”

Ilia Kolochenko, High-Tech Bridge CEO, was equally as pointed in his assessment saying, “I strongly believe that all e-commerce platforms should strictly follow data-protection best-practices developed by the Online Trust Alliance. Otherwise they put at risk not only their own and their customers’ security, but the reputation of the entire e-commerce industry”.

As someone who does a fair share of shopping online, possibly out of paranoia from having my identity stolen more than once as a result of activities I was relatively sure resulted from interactions with websites that did not use HTTPS as their front line of protection, I will not do business with online entities that take me to what I consider unsecure transactional places on their sites. While this can limit my shopping options, the peace of mind is well worth abstaining. It obviously is not a failsafe approach given  the ingenuity of hackers, and the multiple ways they have figured out cause havoc for me and the vendors I would like to do business with. However, it is not unlike when I leave my house and turn on the alarm system and lock the door. At least I have made it harder for the bad guys and one would hope that that is what is top of mind for retailers as well although High-Tech Bridges’ work certainly shows there is a lot of room for improvement.