Surprisingly, some major websites only have SSL for the checkout process.
I was investigating datasets at DataProvider this morning and searched for large e-commerce sites that don’t have SSL. I was surprised to see some big names on the list.
Some sites have SSL, but only during the checkout process.
For example, if you go to gap.com you will not be on SSL. When it’s time to check out you are sent to secure-www.gap.com, which does have SSL.
Similarly for HomeDepot, the checkout process is on secure2.homedepot.com.
Neither https://gap.com nor https://homedepot.com resolves.
While it might not be a huge deal to lack SSL when you aren’t submitting passwords and payment information, both of these sites have form fields on non-SSL URLs. Next month Chrome will start showing a security message when someone starts typing in these fields. I’m not sure if this will include the search field, but it will certainly include email opt-in forms and this contact page.
Brookstone.com is another site that has SSL issues. https://www.brookstone.com works, but it doesn’t work if you don’t type the www. Also, visiting http://brookstone.com doesn’t forward you to the SSL version. You only see SSL when you’re in the cart.
Even there, I went to a checkout page this morning that looks like this:
Although the URL for this page is https://, Google gives a warning that says “Your connection to this site is not fully secure” and warns you to not enter a password.
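As an added example (not part of the original post), here is a small Python audit for the two conditions described above: typed fields served on a non-HTTPS page, and an https:// page that loads http:// resources, which is one common cause of a "not fully secure" indicator. The host names and HTML are constructed, and the set of input types treated as typed fields is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: input types counted as "something the visitor types into".
TYPED = {"text", "search", "email", "password", "tel", "url", "number"}

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.secure_page = urlparse(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or empty action inherits the page's own scheme.
            target = urljoin(self.page_url, a.get("action") or "")
            if urlparse(target).scheme != "https":
                self.findings.append(("insecure-form-action", target))
        elif tag in ("input", "textarea") and not self.secure_page:
            kind = (a.get("type") or "text").lower()
            if tag == "textarea" or kind in TYPED:
                self.findings.append(("typed-field-on-http", a.get("name") or kind))
        elif tag in ("script", "img", "iframe") and self.secure_page:
            src = (a.get("src") or "").strip()
            if src.lower().startswith("http://"):
                self.findings.append(("mixed-content", src))

def audit(page_url, html):
    """Return (issue, detail) tuples for one fetched page."""
    parser = PageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages (shop.example is a placeholder host).
HTTP_HOME = """
<form action="/search"><input type="search" name="q"></form>
<form action="https://secure.shop.example/subscribe">
  <input type="email" name="email"><input type="submit">
</form>"""
HTTPS_CHECKOUT = """
<img src="http://cdn.shop.example/logo.png">
<form action="/pay"><input type="password" name="pw"></form>"""

if __name__ == "__main__":
    for url, page in (("http://shop.example/", HTTP_HOME),
                      ("https://secure.shop.example/checkout", HTTPS_CHECKOUT)):
        print(url, audit(url, page))
```

The email form on the HTTP page posts to an https:// action, yet its field is still flagged, because the page carrying the form was itself delivered without TLS.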
Shocking to see Home Depot on the list. I believe they suffered a major breach of customer information only a few short years ago.
The list goes on forever of homepages not using https://
QVC.com
BassPro.com
Nordstrom.com
RitzCarlton.com
Samsung.com
Dell.com
Toshiba.com
Disney.com
SirusXM.com
Hp.com
Pfizer.com
Merck.com
Oprah.com
Stayfree.com
to name a few more big ones
I don’t see why a company would opt to only have SSL in certain places and not cover all data sectors. Trying to cut costs maybe? Or maybe they had a bad security advisor?
For a long time SSL pages were MUCH SLOWER to load initially in the browser because a secure connection and handshake had to be established, adding about 1.5s – 2.5s to the page render time.
This was the major reason most services, especially established ones, did not use SSL except when necessary.
However, I was just made aware that recently Chrome+Firefox got together and worked out a way to significantly speed up SSL page loading. Many SSL pages now load faster than non-SSL pages.
However, the legacy code that exists on those major sites will take forever to change.