Leave off the last s for (in)security

Those of us that grew up in the Big Apple remember those obnoxious ads for 1-800-Mattress where the announcer told us to “leave off the last s for savings.” The company is still selling bedding and still preying on the general public for its lack of spelling prowess. (They actually purchased the 800 numbers with the misspelled names because so many customers dialed them, but that is a story for another time.)

My point today is about that ending ‘s’ but in another place that might have you losing sleep. I am reminded of their little ditty with an email from a reader who asks if there are many eCommerce sites that still don’t use secure Web pages (where they use https: instead of just plain http:) for their shopping carts.

Sadly, they do still exist. I ask you all, if you come across examples, to email them to me and I will add them to my strominator.com blog post and publicly shun them. It is time we put a stop to this shoddy practice. Come on people, this is the new millennium, we have better things to worry about, and this is not new technology or hard to do. Why, just this week I purchased an SSL certificate (what you need to turn your Web server from http into https) and it took all of about 10 minutes and less than $50. GoDaddy makes it relatively easy to get one and get it set up, and if you don’t want to use theirs, there are dozens of others who will take even more of your money for one.

Even Google’s Gmail has gotten on board the https cluetrain: last week they turned on a very nice option that forces your browser to open a secure session when you are reading your Gmail account (go to Settings, scroll down to the “browser connection” choice, click the button to “always use https” and then click on save; it is that easy). If you use Gmail, go and do this now and you can thank me later.

Why is this important? Because someone can hijack your browser session and obtain personal information if you leave off the last ‘s’. This is especially the case when you are using a shared public computer, such as at an airport or library. But it can happen even if you are at work, if your work network has a wireless segment whose traffic anyone sitting outside your building can see, or if someone brought an infected laptop into the office that is recording your sessions.

My correspondent wrote to the eCommerce vendor (in this case, it was the photo printing and sharing site Fotki.com) and asked why they left off the last ‘s.’ This is what he got in reply:

Please don’t worry about missing padlock, we no longer use HTTPS on our payment page, because web browsers tend to send warning messages about web page security and some users get confused with that. All credit card transactions are going through the secure network and properly encrypted by means of Java Scripting.

Yeah, and some users are still misspelling “mattress” too and dialing the wrong numbers. Steer clear of these Web sites that are trying to make it easier for others to steal your personal information. And don’t leave off that last ‘s’ unless you plan on spending some sleepless nights when your identity is compromised.
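As an added example (not code from the original post or from any site it names), here is a small Python audit for the kind of checkout page the post asks readers to report: given one captured response, it says whether the page was served over https, redirected to https, or sent in the clear, and lists any script, image, iframe, stylesheet or form target that still points at plain http. The host names in it are constructed.

```python
# Added example (not the post's own code): audit a captured checkout response
# for the "missing s" problem. Host names below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose target the browser fetches, or (for form) posts card data to.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href", "form": "action"}

class _RefCollector(HTMLParser):
    """Collect (tag, url) for every subresource or form target."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))

def cleartext_refs(page_url, html):
    """Absolute http:// targets in the page: mixed content, or a form that
    sends the card in the clear even when the page itself is https."""
    collector = _RefCollector()
    collector.feed(html)
    refs = [(tag, urljoin(page_url, ref)) for tag, ref in collector.refs]
    return [(tag, url) for tag, url in refs if urlsplit(url).scheme == "http"]

def audit_checkout(url, status, headers, html=""):
    """Classify one captured response as 'https', 'redirects-to-https' or
    'cleartext', and list any http:// targets the page still references."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if urlsplit(url).scheme == "https":
        verdict = "https"
    elif (status in (301, 302, 307, 308)
          and urlsplit(hdrs.get("location", "")).scheme == "https"):
        verdict = "redirects-to-https"
    else:
        verdict = "cleartext"
    return {"verdict": verdict,
            "hsts": "strict-transport-security" in hdrs,
            "cleartext_refs": cleartext_refs(url, html)}

# Constructed sample: a cart page served over plain http that posts the card
# form to http and loads its "encryption" script over http as well.
SAMPLE_URL = "http://shop.example/cart/checkout"
SAMPLE_HTML = ('<html><head><script src="/js/cardcrypt.js"></script></head>'
               '<body><form action="http://shop.example/pay" method="post">'
               '<input name="card"></form><img src="https://cdn.example/logo.png"></body></html>')
```

Run `audit_checkout(SAMPLE_URL, 200, {"Content-Type": "text/html"}, SAMPLE_HTML)` to see the sample flagged as cleartext with both http targets listed; a page that is itself https but posts its form to http is reported too, which is the case the padlock alone does not reveal.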

3 thoughts on “Leave off the last s for (in)security”

  1. Setting up a secure website is NOT as simple as getting a security certificate and installing it on one’s webserver. You need an IP address — and most people setting up their first store sites don’t know this or how to get one. And even if they do have one and can figure out how to install the certificate, they have to get their hosting provider to either install the secondary cert for them or tell them how to do it and then get the hosting provider to restart apache so the certificate goes into effect. Plus they have to build the secure pages carefully so they don’t unwittingly include insecure content and trigger warnings … Not so easy to accomplish for a newbie or people trying to start things up without much money. You forget that the vast majority of ecommerce sites are on shared hosting servers and NOT on their own webservers.

    It’s easy to be smug about this, but it’s not very useful. What we recommend for newbies and people setting up new stores is that they use a secure gateway payment service such as PayPal or AuthorizeNet. That way they don’t ever have to worry about storing credit cards on their website or have to worry about installing and renewing certificates, and the financial liability is not theirs, but the gateway provider’s. You forgot about the liability protection part of a security cert, didn’t you — cheapo certificates provide very limited liability protection.
