EBay messages, account dashboard lacks HTTPS, but it's not alone
By Paul Bischoff
At Comparitech, we recently published an article alerting EBay customers to the lack of SSL encryption on its seller-to-buyer messaging system and My EBay dashboard. Because information travelling to and from these pages is not HTTPS encrypted, customers' personal information and messages are vulnerable to hackers and other third parties.
We singled out EBay because one of the world's largest ecommerce companies has no excuse for not implementing HTTPS. EBay argues that critical pages containing payment details and updating private information are HTTPS encrypted, and other pages utilize technologies to detect and prevent account misuse. But the plain truth is that any page which either requires user input (Messages) or serves information from a user database (My EBay dashboard) needs to be HTTPS encrypted.
We urge EBay to implement site-wide HTTPS as soon as possible, but EBay is far from the only offender.
Half of internet traffic volume still unencrypted
The internet recently passed a significant milestone. The majority of internet traffic is now encrypted (https://www.wired.com/2017/01/half-web-now-encrypted-makes-everyone-safer/), according to Mozilla. Note that this doesn't mean half of all websites and apps use HTTPS, but it does show that the use of HTTPS is growing, especially among the most popular apps and websites.
That still leaves 49 percent of traffic unencrypted, though. The problem with unencrypted websites is that hackers can intercept traffic travelling to or from them. Once that information is captured, it exists in plain text and can be read by the hacker. This includes whatever personal details appear on the web page.
Worse yet, web pages that require form input, such as the buyer-to-seller messaging pages on EBay, can be targeted with a man-in-the-middle attack. In this hack, the information is not just captured by a hacker, but modified. In a worst-case scenario, this can result in fraud, abuse, and spam on the user's account.
Governments and corporations pushing for HTTPS
Governments and internet giants alike, including Google and the European Union, are putting more pressure on websites that store data on users to make the switch to HTTPS. 54 of the top 100 sites now support the safer protocol versus only 39 one year ago. With barely half of top sites compliant, we still have a long way to go.
Google says it will start favoring HTTPS websites in its search rankings.
Meanwhile, new data protection laws like the upcoming GDPR emphasize "privacy by design", which requires online businesses make their products and services as private and secure as possible by default. While the GDPR has not been fully fleshed out and won't go into effect until 2018, experts believe encryption of private data in transit could be a minimum technical requirement of the new law.
Lowering the barrier to HTTPS
Converting to HTTPS can have drawbacks. Every site needs to acquire a certificate to prove to web browsers that the party on the other end of the encrypted connection is who it says it is. These certificates can be costly.
A second drawback is the marked decrease in advertising revenue that coincides with implementing HTTPS.
In EBay's case, however, paying for an SSL certificate is a drop in the bucket. The pages in question do contain advertisements, but they do not appear to be from any third parties and are instead internal advertisements and shopping recommendations from EBay.
For smaller sites, display ads as a primary source of revenue are a dying business model in any case. SSL certificates have become significantly more attainable thanks to free, easy-to-use options such as the Let's Encrypt certificate authority and its Certbot client.
Keep yourself secured
A fully encrypted web is still a long way off, so until then, consumers need to know how to protect themselves online. A good place to start is by installing the HTTPS Everywhere extension in your web browser.
HTTPS Everywhere was created by the Electronic Frontier Foundation (EFF) and is available free of charge. Its simple function is to check if there is an HTTPS version of each web page and, if so, load it. Many websites offer two versions of their web page and load the unencrypted version by default, so HTTPS Everywhere overrides this.
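To make concrete how HTTPS Everywhere decides which pages it can upgrade, here is an added Python example (not EFF's code) that parses a ruleset written in the extension's XML format and rewrites URLs accordingly. The ruleset and the shop.example host are constructed for illustration; its exclusion models pages such as a messaging section that has no HTTPS version, which the extension must leave on plain HTTP rather than break.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere XML format (hypothetical host).
# <target> lists hosts the ruleset covers, <exclusion> lists paths that must
# stay on HTTP because no HTTPS version exists, <rule> rewrites the URL.
RULESET_XML = r"""
<ruleset name="Example Shop">
  <target host="shop.example" />
  <target host="*.shop.example" />
  <exclusion pattern="^http://shop\.example/(messages|myshop)/" />
  <rule from="^http://(www\.)?shop\.example/" to="https://shop.example/" />
  <rule from="^http:" to="https:" />
</ruleset>
"""


class Ruleset:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.targets = [t.get("host") for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
        # Real rulesets may use "$1" backreferences in "to"; this constructed one does not.
        self.rules = [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")]

    def matches_host(self, host):
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]):  # "*.shop.example" covers "m.shop.example"
                    return True
            elif host == target:
                return True
        return False

    def upgrade(self, url):
        """Return the HTTPS URL, or None if this ruleset leaves the URL unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.matches_host(parts.hostname or ""):
            return None
        if any(ex.search(url) for ex in self.exclusions):
            return None  # no HTTPS version exists; the page stays unencrypted
        for pattern, replacement in self.rules:
            new_url, count = pattern.subn(replacement, url)
            if count:
                return new_url
        return None


RULESET = Ruleset(RULESET_XML)


def upgrade(url):
    return RULESET.upgrade(url)
```

A URL that comes back as None is exactly the case the next paragraph describes: the extension cannot help, because the site offers no encrypted version of that page.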
But many web pages, like those on EBay, don't have an HTTPS version at all. In this case, we recommend users employ a VPN. Short for virtual private network, VPNs encrypt all of a device's internet traffic and route it through a remote server in a location of the user's choosing. This prevents hackers and other entities from deciphering any internet traffic they happen to intercept. VPNs have the added value of masking your IP address as well, so that websites only see the shared IP address of your VPN server and cannot identify you or your location by your real IP address.