04 December 2013
As the “Cyber December” holiday buying season gets underway, new research shows that only two of the top 100 e-commerce websites automatically protect users by directing them to highly secure HTTPS versions that use always-on SSL.
The research into how SSL certificates are implemented, from High-Tech Bridge, also shows that only 27% of websites have a secure HTTPS version for all customer-facing pages, leaving critical details such as passwords and billing information openly available to identity thieves.
While an SSL certificate on an e-commerce website does not have any direct impact on web application security, it confirms the website's identity and ensures the encryption of data transferred between the web application and the user's browser.
“All sites and mobile apps must recognize the importance of securing the data transmitted between users and their sites,” said Craig Spiezle, executive director and president of Online Trust Alliance (OTA), in a statement. “Banking, social, government and e-commerce share this responsibility to implement these best practices to better protect consumers from harm. Always on SSL and HTTPS are effective measures to enhance the security and privacy of users. Failure to adopt unnecessarily puts users in harm’s way.”
To carry out the research, High-Tech Bridge compiled a Top 100 list from three different independent sources: the 20 Most Popular Web Retailers from the Washington Post, Alexa’s Top Sites in Shopping and Top 50 Most Popular Online Shopping Websites by My App Magazine. Using its ImmuniWeb SSL Certificate Monitor, High-Tech Bridge found a number of positive and negative findings.
In the good news column, none of the websites have expired or untrusted SSL certificates, and only one of the websites had a certificate set to expire in less than one month. Also, 99 out of 100 websites have 2048-bit or stronger certificates in place.
However, beyond the fact that only two of them actually protect users by serving the secure HTTPS version (SSL) by default, only a quarter of websites have SSL extended validation (EV) certificates. And two of the websites do not have an SSL certificate at all, leaving their customers totally unprotected.
Seven websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment. And a third (33%) of websites display non-SSL content together with SSL content on their pages.
A majority (73%) of websites have no secure HTTPS version at all for some “non-critical” online activities of their customers, such as shopping cart management.
“Alarmingly, only 2% of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts,” said Marsel Nizamutdinov, chief research officer at High-Tech Bridge. “Unfortunately these websites seriously underestimate the importance of encrypting user-transmitted data beyond logins and passwords, and this is a very dangerous approach to privacy management. In many cases, if such ‘non-critical’ data is stolen by third parties, it may not just harm the buyer, but the online store as well.”
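As an added illustration (not code from High-Tech Bridge or its ImmuniWeb SSL Certificate Monitor), the following Python evaluates a captured plain-HTTP response, HTTPS response and page source for the failures the survey counts above: no automatic redirect to HTTPS, and non-SSL content mixed into SSL pages. It also checks for an HSTS header, which the article does not mention but which is what keeps "always-on" SSL in force on return visits. The sample store, its URLs and all function names are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
def _header(headers, name):  # case-insensitive lookup; captured header dicts vary in casing
    return next((v for k, v in headers.items() if k.lower() == name), "")

class _InsecureResourceFinder(HTMLParser):
    """Collects subresources that an HTTPS page would still fetch over plain http://."""
    WATCH = {"script": "src", "iframe": "src", "link": "href", "img": "src"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = self.WATCH.get(tag)
        url = (dict(attrs).get(attr) or "") if attr else ""
        if urlsplit(url).scheme == "http":  # scheme-relative "//" and https:// pass
            self.insecure.append(url)

def redirects_to_https(status, headers):
    """True if the plain-HTTP response sends the browser to an https:// URL."""
    location = _header(headers, "location")
    return status in (301, 302, 307, 308) and urlsplit(location).scheme == "https"

def has_hsts(headers):
    """Strict-Transport-Security is what keeps a site 'always on' after the first visit."""
    return "max-age=" in _header(headers, "strict-transport-security").lower()

def mixed_content(html):
    finder = _InsecureResourceFinder()
    finder.feed(html)
    return finder.insecure

def assess(http_status, http_headers, https_headers, page_html):
    """The survey's findings, evaluated from one captured HTTP and HTTPS exchange."""
    return {
        "redirects_to_https": redirects_to_https(http_status, http_headers),
        "hsts": has_hsts(https_headers),
        "mixed_content": mixed_content(page_html),
    }

# Constructed sample (hypothetical store): HTTP serves the cart page instead of
# redirecting, HTTPS sends no HSTS, and the page pulls a script over plain http.
SAMPLE = dict(
    http_status=200,
    http_headers={"Content-Type": "text/html"},
    https_headers={"Content-Type": "text/html"},
    page_html='<html><head><script src="http://cdn.example/cart.js"></script>'
              '<link rel="stylesheet" href="https://cdn.example/style.css"></head></html>',
)
```

Running `assess(**SAMPLE)` on the constructed store reports all three problems; feeding it real captures from an `http://` and an `https://` request to the same shop page gives the same per-site view the survey aggregated.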