How efficiently do the Top-100 largest e-commerce websites protect customers' privacy?

Tools

December 3, 2013
 

After a number of media revelations about the interception of private and confidential data, many large organizations, including Google and Yahoo, have recognized the importance of and adopted Always-on SSL encryption to assure the protection of traffic between their web servers and clients' devices.

While an SSL certificate on an e-commerce website does not have any direct impact on web application security (for example it cannot prevent XSS or SQL injection attacks), it is a very important security measure to confirm website owner identity and assure encryption of data transferred between web application and user browser. High-Tech Bridge believes that e-commerce websites, whether large or small, handling sensitive customer data should use a HTTPS version of their website by default.

E-commerce is booming, and as the holiday season is underway, High-Tech Bridge has undertaken a small experiment to check how SSL certificates are implemented at the Top 100 largest e-commerce websites.

Competition in the domain of e-commerce is high and many websites increase or decrease their ratings almost every week, therefore to be objective and neutral, High-Tech Bridge compiled a Top-100 list from three different independent sources. We used "20 Most Popular Web Retailers" from Washington Post, merged it with Alexa's "Top Sites in Shopping" and "Top 50 Most Popular Online Shopping Websites" by My App Magazine. From this data, we created a Top-100 online retailer list of the most popular global online retail websites among online shoppers.

High-Tech Bridge used the ImmuniWeb SSL Certificate Monitor, which is part of ImmuniWeb® SaaS, to conduct the tests. The Monitor was recently adopted by the Online Trust Alliance to verify the SSL certificates and implementation of approximately 1,000 of the largest governmental, financial institutions and e-commerce websites for the OTA 2013 Honor Roll and Online Trust Audit - a prestigious award for online privacy, data protection and security. High-Tech Bridge has omitted complicated technical details of the research, and will focus on the most interesting findings.

Positive findings of the research:

  • 0/100 websites have expired or untrusted SSL certificates.
  • Only 1/100 of website certificates expire in less than one month.
  • 99/100 of websites have 2048-bit or even stronger encryption certificate.

Negative findings of the research:

  • 2/100 websites do not have SSL certificate at all, leaving their customers totally unprotected.
  • 7/100 websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment.
  • 73/100 websites do not have a secure HTTPS version at all for some "non-critical" online activities of their customers, such as shopping cart management for example.
  • An extremely low 2/100 websites protect users by automatically using a secure HTTPS version (SSL) by default.
  • Only 25/100 websites have SSL EV certificates.
  • 33/100 websites display non-SSL content together with SSL content on their pages.

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, comments on the findings: "Alarmingly, only 2% (two per cent) of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts. Also, 7% of websites are failing to enforce their customers to use HTTPS for the most sensitive operations such as login, checkout and payment, while 27% of websites don't even have an HTTPS version for "non-critical" sections of their website, such as shopping cart management or search for goods."

"Unfortunately these websites seriously underestimate the importance of encrypting user-transmitted data beyond logins and passwords, and this is a very dangerous approach to privacy management. In many cases, if such "non-critical" data is stolen by third-parties, it may not just harm the buyer, but the online store as well. Always-on SSL is a very useful security practice, HTTPS versions of websites are supported by all modern web browsers today (including mobile device browsers), and I don't see any reason, why only two of the 100 largest web retailers deploy this option."

Executive Director and President of Online Trust Alliance (OTA) - Craig Spiezle
Executive Director and President of Online Trust Alliance - Craig Spiezle

Craig Spiezle, Executive Director and President of Online Trust Alliance (OTA), says: "All sites and mobile apps must recognize the importance of securing the data transmitted between users and their sites. Banking, social, government and e-commerce share this responsibility to implement these best practices to better protect consumers from harm. Always-on SSL and HTTPS are effective measures to enhance the security and privacy of users. Failure to adopt unnecessarily puts users in harm's way."

Ilia Kolochenko, High-Tech Bridge CEO, says: "The results of this research are unfortunately far from being positive. I strongly believe that all e-commerce platforms should strictly follow data-protection best-practices developed by the Online Trust Alliance. Otherwise they put at risk not only their own and their customers' security, but the reputation of the entire e-commerce industry".