Share


Share

Share it !



share/bookmark

Leave Off the Last 'S' For (In)security


Those of us that grew up in the Big Apple remember those obnoxious ads for 1-800-Mattress where the announcer told us to "leave off the last s for savings." The company is still selling bedding and still preying on the general public for its lack of spelling prowess. (They actually purchased the 800 numbers with the misspelled names because so many customers dialed them, but that is a story for another time.)

My point today is about that ending 's' but in another place that might have you losing sleep. I am reminded of their little ditty with an email from a reader who asks if there are many eCommerce sites that still don't use secure Web pages (where they use https: instead of just plain http:) for their shopping carts.

Sadly, they do still exist. I ask you all if you come across examples, to email them to me and I will add them to my strominator.com blog post and publicly shun them. It is time we put a stop to this shoddy practice. Come on people, this is the new millennium, we have better things to worry about, and this is not new technology or hard to do. Why just this week I purchased an SSL certificate - what you need to turn your Web server from http into https -- and it took all of about 10 minutes and less than $50. Godaddy makes it relatively easy to get one and get it setup, and if you don't want to use theirs, there are dozens of others who will take even more of your money for one.

Even Google's Gmail has gotten on board the https cluetrain: last week they turned on a very nice option that forces your browser to open a secure session when you are reading your Gmail account (go to Settings and scroll down to the "browser connection" choice and click the button to "always use https" and then click on save, it is that easy. If you use Gmail, go and do this now and you can thank me later.

Why is this important? Because someone can hijack your browser session and obtain personal information if you leave off the last 's'. This is especially the case when you are using a shared public computer, such as at an airport or library. But it can happen even if you are at work, if your work network has a wireless segment that anyone can see your traffic on just by sitting outside your building, or if someone brought an infected laptop into the office that is recording your sessions.

My correspondent wrote to the eCommerce vendor (in this case, it was the photo printing and sharing site Fotki.com) and asked why they did leave off the last 's.' This is what he got in a reply:

"Please don't worry about missing padlock, we no longer use HTTPS on our payment page, because web browsers tend to send warning messages about web page security and some users get confused with that. All credit card transactions are going through the secure network and properly encrypted by means of Java Scripting."

Yeah, and some users are still misspelling "mattress" too and dialing the wrong numbers. Steer clear of these Web sites that are trying to make it easier for others to steal your personal information. And don't leave off that last 's' unless you plan on spending some sleepless nights when your identity is compromised.




David Strom is a noted speaker, author, podcaster and consultant who has written two books and thousands of magazine articles for dozens of IT publications such as Computerworld, eWeek, Baseline Magazine, Information Week and Information Security magazine. His blog can be found at http://strominator.com, and he can be reached at david@strom.com