Cre8asiteforums

Discussing Web Design & Marketing Since 1998
EGOL

I Don't See Https At Target Homedepot Kmart And Other Important Domains


I go to the address box of my browser and type in the domain of sites I would expect to be security savvy like symantec.com and google.com and trendmicro.com and they arrive with visible https and secure locks.

 

However, when I go to the address box and type in target.com or homedepot.com or kmart.com.... these sites don't arrive with https.

 

When I try to produce https by typing in https://www.kmart.com I don't see it.

 

Am I doing something wrong? I would have thought that these companies - especially Target (after being spanked over security problems) - would be leading the way for delivering a secure retail environment.


The important point is not whether the sites are HTTPS but that once they ask for personal info that the connection is secure. I'm on the road on mobile so will leave to you to check.

 

I do note that homedepotdotca looks to be entirely HTTPS.

 

It may be that the migration is in process for dotcom - that is likely a challenge. Or they recognise that it really isn't necessary for info pages and know they are too big for Google to threaten.

  • Like 1


Thanks!

 

I am approaching the conversion of some of my sites to https. I assumed that pissants like me are the only ones who were still running on http. Then, after looking around a bit this morning, I am amazed to find billion dollar companies who have not done it yet.

 

In my mind, an info site doesn't need to be https and the display pages on retail don't have to be https... but Google is getting out a carrot and stick to force us into it.

 

But, I am going to do the conversion. Then we can brag that "we protect you better than these billion dollar companies".


The webdev fora FUD on HTTPS is so Google 'requirements' focussed that real data is hard to find - a person whose stats I tend to believe recently surveyed 1100 tld/cctld/etc and found almost all well over 95% of sites still HTTP.

 

I only care about it because browsers require it for http/2 - and once there was a free cert option it was a no brainer.

 

Pages with forms and showing personal data should always be secure - but not just via the HTTPS com link but their backend as well, which so many seem to already fail and fail and fail again with.

  • Like 1


@EGOL: We are "in the process" of converting also. I hit on the home depot site and was as surprised as you. It's still http.

 

Google, google, google. They get my goat. Google says something and the web world jumps. How high, Google??? Do they share scraps with us??? Never.

  • Like 1

a person whose stats I tend to believe recently surveyed 1100 tld/cctld/etc and found almost all well over 95% of sites still HTTP

 

From what I read on SEO forums, I was thinking that my sites were in the minority for not being https.

 

And, Google is making noise that in about October, http sites are going to give a bad signal in the address window of the browser. So, we have decided to get the sites converted to https and pay a premium price for the security certificates that will trigger the green SECURE and lock symbol in the browser window. Like this. I don't think that you need to have a billion dollar website to get value from the extra cost.

 

Do they share scraps with us?

 

Earl.... they are trying to eat YOUR lunch before you can smell it.

  • Like 1


The migration to https thing is weird... I'm sure we've all heard of cases where it did not go well... as an in-house SEO, you've really got to have a defensive stance when it comes to existing traffic, so I see why there is a wait and see approach. Also for large highly trafficked sites like Homedepot for example, switching to SSL is non-trivial.


I didn't check the others, but KMart.com goes secure when you hit the login page (which is where it needs to be secure). I would imagine that once you are logged in, it stays on https as well.

  • Like 1

KMart.com goes secure when you hit the login page (which is where it needs to be secure).

 

Yep. I agree. I would think that these billion dollar companies would be doing a better job.

 

My main concern with https is with two things. 1) how Google or other search engines might use https as a rankings factor; and, 2) how Chrome and other browsers might make https://mydomain.com look ugly in the browser address window.

 

With #2, visitors might see that and bounce from my site or not engage it or not make a purchase. Bad visitor engagement might be an indirect rankings factor and actually be more important than #1.

 

We have converted all of our sites but one. Each of them took a small traffic loss for a few days, but so far each of them has recovered. We hope to convert our last site next week, ahead of Google's October date when the most recent version of Chrome will place ugly stuff in the address window if your site isn't properly https.


Homedepot.ca is and .com is semi.

Sears.com is not. Remember Sears? :)

 

I wonder why they want sites with no login whatsoever to go secure? Or did I read this wrong?


The early 2017 Chrome update flagged non-HTTPS pages asking for passwords and credit card data. The upcoming one is supposed to flag any page requesting any input and every page when in incognito or whatever mode that aren't HTTPS.

Note: secure connections block ISPs from scrubbing third party ads and/or inserting their own. Not that that has any bearing...
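A page audit built on the two warning tiers described in the post above, as an added example that is not part of the original thread. The tier labels, function names and sample pages are assumptions made for illustration, and the logic follows the post's description rather than Chrome's actual implementation.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

NON_TYPING = {"hidden", "submit", "button", "image", "reset"}

class FormFieldScan(HTMLParser):
    """Records which kinds of user-input fields a page contains."""
    def __init__(self):
        super().__init__()
        self.has_sensitive = False  # password or payment-card field
        self.has_any_input = False  # any field a visitor can type into

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "textarea":
            self.has_any_input = True
        elif tag == "input":
            kind = a.get("type", "text")
            if kind in NON_TYPING:
                return
            self.has_any_input = True
            # HTML autocomplete tokens for card data all start with "cc-".
            card = any(t.startswith("cc-") for t in a.get("autocomplete", "").split())
            if kind == "password" or card:
                self.has_sensitive = True

def not_secure_tier(url, html, incognito=False):
    """Return which warning tier (per the post) a page would fall into."""
    if urlsplit(url).scheme == "https":
        return "none"
    scan = FormFieldScan()
    scan.feed(html)
    if scan.has_sensitive:
        return "early-2017"   # passwords / credit card data over HTTP
    if scan.has_any_input or incognito:
        return "upcoming"     # any input, or any HTTP page in incognito
    return "none"

# Constructed sample pages (not taken from any real site).
LOGIN = '<form><input type="text" name="u"><input type="password" name="p"></form>'
SEARCH = '<form><input type="search" name="q"></form>'
INFO = "<p>Store hours: 9 to 5</p>"

if __name__ == "__main__":
    for label, page in (("login", LOGIN), ("search", SEARCH), ("info", INFO)):
        print(label, not_secure_tier("http://shop.example/" + label, page))
```

Running it over a crawl of your own HTTP pages gives a list of the templates that need converting first.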


Note: secure connections block ISPs from scrubbing third party ads and/or inserting their own. Not that that has any bearing...

I think it does. Hmmm also knowing what pages are being seen and then selling this info. Had not thought of this. Had thought of it for keywords.


kmart looks fixed but I see what you're talking about with homedepot and kmart


Guys and Gals,

 

I'd like to say that it's really nice having an https website for no other reason than there was a time in early web-dev days when it was a) complicated b) expensive c) could impact SEO and d) something that dreams were made of. So having an https certificate now - you can even get them for free - is frankly one of those moments you can enjoy.

 

On the other hand Google says it's important to have this for security and users, while at the same time providing an invisible re-marketing technology that ensures web users have the most annoying experience online with repetitive messaging, securely.

 

Take your pick of preference for getting one.

 

Glyn.

Edited by glyn


OK! So Let’s Encrypt is a free, automated, and open Certificate Authority. $0.0 https://letsencrypt.org/

 

Being a skeptic knowing nothing is "free", what's their game? Google was really free when they ousted AltaVista and we know their game now.

Asking for donations is not the same as charging. Have no problem with this.

 

Are they going to pull one of those famous free service which becomes a pay service once they have enough users? We have seen this scenario in the "free" mobile testing area and "multiple browser" testing.

 

Hosting companies can't be pleased with this.

Edited by bobbb


Let's Encrypt is an initiative of Internet Security Research Group (ISRG), which is a public benefit corporation (basically chartered with purpose of public as well as private profit, sort of like a private Crown Corporation, which have public policy purposes). It's a US 501(c)(3) non-profit organization. As such it's not likely to get too vicious and greedy.

Current ISRG board members are an interesting cross section of tech, especially due to where members are NOT from:
* Josh Aas (Mozilla Foundation) - Executive Director
* Peter Eckersley (Electronic Frontier Foundation)
* Jennifer Granick (Stanford Law School)
* J. Alex Halderman (University of Michigan)
* Joe Hildebrand (Cisco Systems)
* Pascal Jaillon (OVH)
* Stephen Ludin (Akamai Technologies)
* Alex Polvi (CoreOS)
* Laura Thomson (Mozilla)

Similarly interesting (with one exception) are the current members of Let's Encrypt's Technical Advisory Board:
* Joe Hildebrand (Cisco Systems)
* Jacob Hoffman-Andrews (Electronic Frontier Foundation)
* Russ Housley (Independent)
* Ryan Hurst (Google)
* J. C. Jones (Mozilla Foundation)
* Stephen Kent (Independent)
* Karen O'Donoghue (Internet Society)
* Rich Salz (Akamai Technologies)

That said there is one concern that was voiced before LE's launch and has been shown true: because it's free the bad guys, i.e. phishers, have made LE their cert of choice. It is critical to remember that that little padlock means the connection is secure NOT that the connection endpoint is a good place; a difference that most general web users probably won't understand.

As more and more webdevs use LE I expect that end point security hole to become a bigger and bigger marketing point that Domain Validated (DV aka checked against domain registry) certificates (and what LE offers) are a 'concern'.

The next step up the cert ladder is Organization Validated (OV) certificates, validated as per DV above but also against a government business registry database as well.

The current top tier is Extended Validation (EV) certificates, which have legal guidelines:

7.1. EV Certificate Warranties
When the CA issues an EV Certificate, the CA and its Root CA represent and warrant to the Certificate Beneficiaries listed in Section 9.6.1 of the Baseline Requirements, during the period when the EV Certificate is Valid, that the CA has followed the requirements of these Guidelines and its EV Policies in issuing and managing the EV Certificate and in verifying the accuracy of the information contained in the EV Certificate. The EV Certificate Warranties specifically include, but are not limited to, the following:
(A) Legal Existence: The CA has confirmed with the Incorporating or Registration Agency in the Subject’s Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration;
(B) Identity: The CA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject’s Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business;
(C) Right to Use Domain Name: The CA has taken all steps reasonably necessary to verify that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate has the right to use all the Domain Name(s) listed in the EV Certificate;
(D) Authorization for EV Certificate: The CA has taken all steps reasonably necessary to verify that the Subject named in the EV Certificate has authorized the issuance of the EV Certificate;
(E) Accuracy of Information: The CA has taken all steps reasonably necessary to verify that all of the other information in the EV Certificate is accurate, as of the date the EV Certificate was issued;
(F) Subscriber Agreement: The Subject named in the EV Certificate has entered into a legally valid and enforceable Subscriber Agreement with the CA that satisfies the requirements of these Guidelines or, if they are affiliated, the Applicant Representative has acknowledged and accepted the Terms of Use;
(G) Status: The CA will follow the requirements of these Guidelines and maintain a 24 x 7 online-accessible Repository with current information regarding the status of the EV Certificate as Valid or revoked; and
(H) Revocation: The CA will follow the requirements of these Guidelines and revoke the EV Certificate for any of the revocation reasons specified in these Guidelines.


The price points for OV and EV certs are, of course, also, steps up.
I expect to see more and more 'news' mentions of phishers using LE and the 'value' of EV certs.
Yet another popcorn ready something to watch.

 

First they make the connection secure.

Then they make the endpoint pay to prove they are who they say they are.

Too bad they can't make the endpoint actually secure itself...
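What each tier of the cert ladder in the post above actually vouches for, as an added example that is not part of the original thread. It reads certificates in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the three sample certificates are constructed for illustration, and the subject-field test is a heuristic assumption.

```python
# Subject attributes that appear only after extended (legal-entity) vetting,
# named the way Python's ssl module reports them.
EV_ONLY = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(peercert):
    """Flatten the nested RDN tuples returned by getpeercert()."""
    return {name: value
            for rdn in peercert.get("subject", ())
            for name, value in rdn}

def identity_claims(peercert):
    """Return (level, organization, dns_names) the certificate vouches for.

    Heuristic (assumption): the authoritative marker is the policy OID in
    the certificatePolicies extension, which getpeercert() does not expose.
    """
    fields = subject_fields(peercert)
    names = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    org = fields.get("organizationName")
    if org and EV_ONLY.issubset(fields):
        return ("EV", org, names)
    if org:
        return ("OV", org, names)
    # Domain control only: nothing here says who operates the site.
    return ("DV", None, names)

# Constructed samples in getpeercert() shape (not real certificates).
DV_CERT = {"subject": ((("commonName", "blog.example"),),),
           "subjectAltName": (("DNS", "blog.example"),)}
OV_CERT = {"subject": ((("countryName", "CA"),),
                       (("organizationName", "Example Hardware Ltd"),),
                       (("commonName", "www.hardware.example"),)),
           "subjectAltName": (("DNS", "www.hardware.example"),)}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Retail, Inc."),),
                       (("commonName", "www.shop.example"),)),
           "subjectAltName": (("DNS", "www.shop.example"),
                              ("DNS", "shop.example"))}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(identity_claims(cert))
```

All three samples would produce the same padlock; only the second and third name an organization behind the domain.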


EV gives you green toolbar too

Current ISRG board members are an interesting cross section of tech, especially due to where members are NOT from:

How so? Like no security companies? I only see 1 hosting company OVH.

EFF, Google, and Cisco are obvious.

 

Web Hosting who support Lets Encrypt

https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920

 

Add to that list:

funio.ca yes

GoDaddy No Plan. No kidding. They charge upward of $69 USD Like a million CAD :)

 

Found this site to test certificates if anyone is interested: https://www.ssllabs.com/ssltest/

Edited by bobbb

