Amazon is moving to HTTPS everywhere this June. The whole website is a complex machinery with multiple components and it takes time to move those components to HTTPS.
It is actually worse than that. Given an active attacker one can easily steal passwords using SSL stripping attacks. Ebay is also affected. Cookie stealing also works.
Pretty much every mixed http/https setup ("encrypt only the login") is broken.
No. SSL stripping is an attack where you prevent a user from upgrading to an HTTPS connection. That isn't possible here.
Many sites have multiple tiers of authentication. For example viewing items to purchase is over HTTP but to actually checkout or manage your account requires you to go to HTTPS and reauthenticate on an HTTPS login page. Always. After this you are kept on HTTPS for the trusted actions. Amazon only does shopping over http but trusted actions are all HTTPS.
This has been Amazon's authentication scheme for years and it is actually the same as Google's (where Google does have http assets, they force a reauth before going to https-only stuff).
The most an attacker could do is inject code on http pages, annoyingly add things to cart, purchase items with 1 click purchase (inject javascript that clicks the button) and eavesdrop on all items purchased (quite serious).
BUT they cannot perform SSL stripping if Amazon doesn't do any auth over HTTP. An attacker could do some phishing-like attacks to try to convince the user to put their password in at the wrong time, though.
I wonder if the lack of HTTPS during normal browsing is a deliberate choice (one motivated by testing) or if it's only like that out of legacy (preservation of URLs). It's difficult to imagine all of the possible issues they may know about that we don't, given their scale.
The author mentions that removing the ref parameter would be a solution to one of the problems discussed in the article but I put forward that they could also just encrypt the value for transmission and store the information in plain on the backend. If they won't move to HTTPS then that should solve at least one of the issues.
I would imagine they ran the A/B tests on 99th percentile metrics and also on consumer behavior and decided that having HTTPS enabled by default would result in less revenue/growth/etc.
I'd imagine with the number of requests they make to various analytics, internal services etc it is not a super simple migration.
In an era where American ISPs charge extra to not spy on your non-encrypted traffic, it seems odd that Amazon doesn't care... improving the non-Amazon ads that you receive surely causes Amazon to lose money.
There's also some fascinating anti-showrooming technology out there which monitors when you look at things over the store's guest wifi network. Browsing products on Amazon still isn't encrypted (as the article identifies) and neither is "Add to Cart".
I had a scare regarding this a few days ago. I was searching for a Bose airline adapter on DuckDuckGo and clicked the top result without looking at the URL. [1] I ended up hitting some page on www.casselsonline.com that exactly mirrored Amazon's website right down to suggested items and everything. I didn't even notice I wasn't on amazon.ca until I went to sign in and found the certificate broken.
Couldn't find a place to report URLs on DDG, so I reported them to Google.
It helps to have something like HTTP Switchboard[1] installed on your browser, with per-domain rules. When I click the result, I get a white page since HTTPSB blocks the CSS/JS/cookies etc by default on domains that I haven't explicitly whitelisted.
With an HTTP connection, it becomes easy for an attacker in the middle to prompt the user to re-enter their password and have it re-transmitted in the clear.
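The thread above makes three concrete claims about mixed http/https sites: a session cookie can be stolen over the plain-HTTP part, a login can be downgraded (SSL stripping) when nothing forces HTTPS, and a password prompt can be injected into, or re-pointed from, an HTTP page. The following audit helper is an added example written for this discussion, not code from the thread or from Amazon; it takes the scheme a page was served over, its response headers and its HTML, and reports each of those exposures. The cookie names, hostnames and headers in the sample inputs are constructed for the example.

```python
"""Audit a page for the mixed HTTP/HTTPS exposures discussed in the thread.

Added example (not from the original page). Checks three things:
  1. a session cookie set without the Secure attribute, which the browser
     will also send over http:// where a network attacker can read it;
  2. an https page served without Strict-Transport-Security, so the next
     http:// navigation can be kept on plain HTTP (SSL stripping);
  3. a form with a password field that is served over http or posts to a
     non-https action, so the password travels in the clear.
All sample inputs below are constructed, not captured from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _FormScanner(HTMLParser):
    """Collect [action, has_password_field] for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _cookie_flags(set_cookie_value):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_page(page_url, headers, html, session_cookie_names=("session-id", "sid")):
    """Return a list of human-readable findings for one response.

    headers is a list of (name, value) pairs in the order received, because
    Set-Cookie may legitimately appear more than once.  session_cookie_names
    is an assumption about which cookies carry the login session.
    """
    findings = []
    scheme = urlsplit(page_url).scheme
    hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)

    # 1. Session cookie without Secure leaks on any plain-HTTP request.
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cname, flags = _cookie_flags(v)
        if cname in session_cookie_names and "secure" not in flags:
            findings.append(f"cookie {cname} lacks Secure; it is sent on http:// requests too")

    # 2. Without HSTS the browser has no reason to refuse a downgraded http:// visit.
    if scheme == "https" and not hsts:
        findings.append("no Strict-Transport-Security header; downgrade to http is not blocked")

    # 3. Password forms: an http page can be rewritten in transit; an http action
    #    sends the password in the clear even when the page itself was https.
    scanner = _FormScanner()
    scanner.feed(html)
    for action, has_pw in scanner.forms:
        if not has_pw:
            continue
        action_scheme = urlsplit(action).scheme or scheme  # relative action keeps page scheme
        if scheme == "http":
            findings.append(f"password form served over http (action {action!r})")
        elif action_scheme != "https":
            findings.append(f"password form posts to non-https action {action!r}")
    return findings


# Constructed sample: the "encrypt only the login" shape the thread calls broken.
MIXED_HEADERS = [("Set-Cookie", "session-id=abc123; Path=/; HttpOnly"),
                 ("Content-Type", "text/html")]
LOGIN_HTML = ('<html><form action="/ap/signin" method="post">'
              '<input name="email"><input type="password" name="pw"></form></html>')

# Constructed sample: the same page after the fixes a defender would apply.
HARDENED_HEADERS = [("Set-Cookie", "session-id=abc123; Path=/; Secure; HttpOnly"),
                    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]


def audit_mixed():
    return audit_page("http://shop.example/", MIXED_HEADERS, LOGIN_HTML)


def audit_hardened():
    return audit_page("https://shop.example/", HARDENED_HEADERS, LOGIN_HTML)


def audit_https_without_hsts():
    # https page, but no HSTS and a form that posts back to plain http.
    html = '<form action="http://shop.example/login"><input type="password" name="pw"></form>'
    return audit_page("https://shop.example/", [("Set-Cookie", "sid=1; Secure")], html)


if __name__ == "__main__":
    for label, fn in (("mixed", audit_mixed), ("hardened", audit_hardened),
                      ("https, no HSTS", audit_https_without_hsts)):
        print(label, "->", fn() or ["no findings"])
```

The mixed sample produces two findings (the cookie leak and the HTTP-served password form); the hardened sample produces none, because Secure stops the cookie from riding along on http:// requests and HSTS stops the browser from being held on plain HTTP in the first place.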
yandie | 11 years ago
MichaelApproved | 11 years ago
throwaway5060 | 11 years ago
theandrewbailey | 11 years ago
hannob | 11 years ago
steakejjs | 11 years ago
coderdude | 11 years ago
diziet | 11 years ago
greglindahl | 11 years ago
fennecfoxen | 11 years ago
http://techcrunch.com/2013/12/03/retailnext-acquires-eric-sc...
miander | 11 years ago
liareye | 11 years ago
aareet | 11 years ago
[1] These bad results still show in the index - https://duckduckgo.com/?q=bose%20airline%20adapter%20canada+...
shaldengeki | 11 years ago
[1] https://chrome.google.com/webstore/detail/http-switchboard/m...
sarciszewski | 11 years ago
I'm surprised more attackers don't do this.