I notice Amazon is not secure until you authenticate, then all pages become secure. This is an interesting approach. What do you think Dinis?
This really sucks!
Lots of eCommerce companies look at Amazon as the benchmark on what to do (and what risks to accept), so the fact that they don't support 100% TLS (as you can see by googling amazon) is not helpful at all.
Here was my reply:
Well, shame on Amazon for also not doing 100% SSL.
That said, Amazon has an amazing application security team (with https://firebounty.com/bug-bounty-program/16/amazon) and they have quite a lot of visibility into what is going on in their platform (namely on fraud and account hijack/abuses).
Also, Amazon is getting there. For example, note how if you start your Amazon journey on https:// (in most cases) you still stay in SSL if you do some actions and go to checkout.
Yes, there are users that don't support TLS, and in some cases there are a couple of performance tweaks that will need to be done. But we shouldn't be downgrading the security of 99% of users due to a couple of users' locations or browsers.
The ones to follow on this topic are ETSY (see https://codeascraft.com/2012/10/09/scaling-user-security), who did this change in Oct 2012.