Monday 1 February 2016

Come on Amazon, its time for 100% TLS (aka https)

On a thread about moving a site to 100% TLS (ie. SSL), which btw, is the right thing to do in 2016 if one wants to protect users from Man-in-the-middle attacks, I was asked this question:
I notice Amazon is not secure until you authenticate, then all pages become secure. This is an interesting approach. What do you think Dinis?
This really sucks!

Lots of eCommerce companies look at Amazon as the benchmark on what to do (and what risks to accept), so the fact that they don't support 100% TLS (as can see by googling amazon) is not helpful at all.

Here was my reply:
Well shame on Amazon for not also not doing 100% SSL 
That said, amazon has an amazing application security team (with https://firebounty.com/bug-bounty-program/16/amazon) and they have quite a lot of visibility into what is going on in their platform (namely on fraud and account hijack/abuses) 
Also, Amazon is getting there, for example note how if you start your amazon journey on https:// (in most cases) you still stay in SSL if you do some actions and go to checkout
Yes there are users that don't support TLS and in some cases there are a couple performance tweaks that will need to be done. But we shouldn't be downgrading the security of 99% of users due to a couple user's locations or browsers.

The ones to follow on this topic are ETSY (see https://codeascraft.com/2012/10/09/scaling-user-security) who did this change in Oct 2012