Failing Website Security 101

This article is more than 9 years old.

This past week I experienced something that I should really do more of. I took the family and went on vacation to a nice island away from the world. It was very relaxing. I managed to put my feet up and enjoyed the view as my kids played on the sand. Mental health breaks are wonderful.

After a while I got up from my chair and brushed some sand from my leg. That managed to trigger a thought that I had to get replacement tops for some salt shakers for a relative.

I have never understood the fascination with random bric-a-brac like this, but I wasn’t going to turn down this request. I searched about and had a great deal of trouble trying to find these tops. Finally, I managed to locate them in a hotel shop of all places. Pleased with managing to locate them, I decided to check their website to see if I could have simply ordered them online.

I fired up the laptop and navigated to the company’s web page. It looked as expected. Nice artwork with no shortage of overpriced items. I saw the part that I had wanted and decided to read more on it. I clicked on the page and then it came back with a straight HTTP page. I paused as my brain switched out of vacation mode into “WHAT THE…?” mode.

Surely this was a mistake? I went through the web checkout process as if I was going to purchase a product. At no point was HTTPS even part of the equation. I was flabbergasted. I checked the source for the webpage and the only point where HTTPS was even mentioned was in the links to Facebook and Twitter. The site would take personal information as well as credit card details and then pass them to a third party payment processor in the clear. Why does this still happen in this day and age?

Often the discussion revolves around data breaches and what could have been done better. It seems in cases like this that security wasn't even on the radar, and this is a large part of the problem for the wider discussion. As we move into the Black Friday buying frenzy season, it is important for retailers to be mindful of their security posture on their web properties. Shoppers need to be aware of their security as well when making a purchase online. Simple rationale being, if you're not sure, don't click. That natural response mechanism will help many folks online. Also, take a moment to ensure that the site you are shopping on has HTTPS enabled. A simple method is to copy and paste the URL into a notepad-type application. An example of this is "http://www.somewebsite.foo/somecart/index.php?example=checkout", where the beginning of the website address reads as HTTP. It should read HTTPS.

To close out the story about the site with no security, I did drop them an email to bring their attention to the misstep and they replied with, "Thank you for your note. I'm sure it is fine." Now if you will excuse me, I need to get a bucket and mop to clean my grey matter from the walls and ceiling.

(Image used under CC from subcircle)