04 December 2013
As the “Cyber December” holiday buying season gets underway, new research shows that only two of the top 100 e-commerce websites automatically protect users by directing them to highly secure HTTPS versions that use always-on SSL.
The research into how SSL certificates are implemented, from
High-Tech Bridge, also shows that only 27% of websites have a secure HTTPS
version for all customer-facing pages, leaving critical details such as
passwords and billing information openly available to identity thieves.
While an SSL certificate on an e-commerce website does not have any direct impact on web application security, it confirms website identity and assures the encryption of data transferred between the web application and the user's browser.
“All sites and mobile apps must recognize the importance of securing the data transmitted between users and their sites,” said Craig Spiezle, executive director and president of Online Trust Alliance (OTA), in a statement. “Banking, social, government and e-commerce share this responsibility to implement these best practices to better protect consumers from harm. Always on SSL and HTTPS are effective measures to enhance the security and privacy of users. Failure to adopt unnecessarily puts users in harm’s way.”
To carry out the research,
High-Tech Bridge compiled a Top 100 list from three different independent
sources: the 20 Most Popular Web Retailers from the Washington Post,
Alexa’s Top Sites in Shopping and Top 50 Most Popular Online Shopping Websites
by My App Magazine. Using its ImmuniWeb SSL Certificate Monitor,
High-Tech Bridge found a number of positive and negative
findings.
In the good news column, none of the websites have expired or untrusted SSL certificates, and only one of the websites had a certificate set to expire in less than one month. Also, 99 out of 100 websites have certificates with 2048-bit or stronger keys in place.
However, only two of the websites actually protect users by automatically redirecting them to the secure HTTPS (SSL) version by default, and only a quarter of websites have SSL extended validation (EV) certificates. Two of the websites do not have an SSL certificate at all, leaving their customers totally unprotected.
Seven websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment. And a third (33%) of websites display non-SSL content together with SSL content on their pages.
A majority (73%) of websites do not have a secure HTTPS version at all for some "non-critical" online activities of their customers, such as shopping cart management.
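Two of the failures counted above, mixed content on an HTTPS page and forms (login, checkout, payment) that submit over plain HTTP, can be checked from the page's HTML alone. The following is an added example, not code from the article or from High-Tech Bridge's ImmuniWeb monitor; the page URL and HTML are constructed samples, and the audit resolves relative and protocol-relative references the way a browser would.

```python
# Added example: audit one HTML page served over HTTPS for mixed content
# (sub-resources fetched over http://) and forms that submit over http://.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches as a sub-resource.
FETCH_ATTRS = {"script": "src", "img": "src", "link": "href",
               "iframe": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def _resolve(self, raw):
        # "/x", "../x" and "//cdn/x" all inherit the page's scheme, so only
        # an explicit http:// reference is downgraded relative to the page.
        return urljoin(self.page_url, raw)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in FETCH_ATTRS:
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return  # rel=canonical, icon preload etc. are not fetched as page content
            ref = attrs.get(FETCH_ATTRS[tag])
            if ref and urlsplit(self._resolve(ref)).scheme == "http":
                self.findings.append(("mixed-content", tag, self._resolve(ref)))
        elif tag == "form":
            # A form without an action posts back to the page URL itself.
            action = self._resolve(attrs.get("action") or "")
            if urlsplit(action).scheme != "https":
                self.findings.append(("insecure-form", tag, action))


def audit_page(page_url, html):
    """Return the list of (kind, tag, url) findings for one page."""
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a checkout page served over HTTPS.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script></head><body>
<img src="/img/logo.png">
<form action="http://shop.example/login" method="post"><input name="pw"></form>
<form action="/pay" method="post"></form></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind}: <{tag}> {url}")
```

On the sample, the protocol-relative script and the relative image and payment form inherit https and pass; the stylesheet and the login form are reported.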
“Alarmingly, only 2% of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts,” said Marsel Nizamutdinov, chief research officer at High-Tech Bridge. “Unfortunately these websites seriously underestimate the importance of encrypting user-transmitted data beyond logins and passwords, and this is a very dangerous approach to privacy management. In many cases, if such ‘non-critical’ data is stolen by third-parties, it may not just harm the buyer, but the online store as well.”