
Before you click that "order" button

Discussion in 'Computer Security' started by retired1, Jul 26, 2016.

Thread Status:
Not open for further replies.
  1. retired1

    retired1 Administrator Admin Verified Member ECF Veteran

    Supporting member
    Apr 5, 2013
    Texas
    Before you order online from any company, there are a few things that you need to check. And if it's a new company, or one that you've never ordered from in the past, a few checks that may surprise you with their results.


    First of all, is the site secure? Does it have a valid SSL certificate? Is it valid just for their shopping cart or the entire site? (Look for the green padlock in your browser's URL bar.) If you don't see the green padlock, the site isn't secured with an SSL certificate. Browsing should be fine, but I personally wouldn't enter any information on a page that wasn't showing a valid SSL certificate.


    If this is a new site, or one that you've never ordered from before, you may want to do a couple of other security checks just to put your mind at rest.

    The first check is from SSL Labs.

    SSL Server Test (Powered by Qualys SSL Labs)

    It takes a couple of minutes to run, and will give you a resulting grade. Anything below C should be an immediate indicator to flee the site and never return. A grade of A or B is OK. Technically, a grade of C isn't something I'd condemn outright, but personally, I wouldn't submit personal information. It depends on why the check came back with that grade. That's just me.

    For example: Let's say you plug in site "xyz.com" and it comes back with a grade of F, and the reason for the failure is they're running a vulnerable version of OpenSSL (yes, even today there are some incompetent admins who shouldn't be administering servers that talk to the Internet).

    A failing grade in this case has a couple of worrying issues. First and foremost, it's obvious your information isn't secure on this server. But the most worrying aspect would be that the server is most likely compromised and has been for some time. And until a full-blown security audit has been accomplished on that server, it's doubtful it can be trusted for anything until it's taken offline and fixed.

    Another good site you can use to run a quick check is Sucuri.

    Sucuri Security

    This check scans for some of the more common issues found on some sites and will even let you know if it's showing up on email blacklists. If Sucuri thinks the site is compromised, it'll tell you as well. If that shows up, flee. Do not return.


    Obviously, there's no way to tell if a site is really secure without some serious pen testing and for the average user, that's not a realistic expectation. But the online tools I mentioned above can give you a pretty decent idea of how well the company treats its online presence.
     
    • Like Like x 42
  2. sonicbomb

    sonicbomb Vaping Master Verified Member ECF Veteran

    Feb 17, 2015
    1187 Hunterwasser
    Nice one, it's not like PKI is an easy thing for anyone to understand.
     
  3. retired1

    retired1 Administrator Admin Verified Member ECF Veteran

    Supporting member
    Apr 5, 2013
    Texas
    For the end user, PKI isn't something they should have to worry about. Unfortunately, there are far too many server admins who think tossing an SSL certificate into the mix is fine, and they totally ignore the ciphers that are used to negotiate the secure connection. So the end user SHOULD worry, which is why I provided the testing tool links in the first post.

    For example, there are servers out there that still support SSL2 and SSL3 ciphers (a surefire way of getting a grade of C through SSL Labs). A 15 second configuration edit on the server would fix this (and that includes the http restart).

    It continues to amaze me that there are admins who don't keep their servers up to date with the latest security updates (there are TONS of servers out there that have an OpenSSL vulnerability) and conduct e-commerce on those servers. There's really no excuse for that. Especially as most server operating systems have the ability to set a cron job to pull in updates on a daily basis.

    Go to SSL Labs and look at the test page. You'll see the good and bad, with a ton of failures due to OpenSSL issues.

    SSL Server Test (Powered by Qualys SSL Labs)
     
    • Like Like x 3
  4. r77r7r

    r77r7r ECF Guru ECF Veteran

    Feb 15, 2011
    Pa,LandOfTaxes
    The first supplier from ecf that I tried got an "F". I was thinking of finally buying from them just today.
     
    • Like Like x 1
  5. r77r7r

    r77r7r ECF Guru ECF Veteran

    Feb 15, 2011
    Pa,LandOfTaxes
    Two F's and a T, so far. Places that I have ordered from regularly, sigh.
     
    • Like Like x 1
  6. Bonskibon

    Bonskibon Vaping Master Verified Member ECF Veteran

    Dec 11, 2015
    USA Northeast
    Thank you for the information. Bookmarked the test site.
     
    • Like Like x 1
  7. retired1

    retired1 Administrator Admin Verified Member ECF Veteran

    Supporting member
    Apr 5, 2013
    Texas
    A "T" doesn't necessarily mean the site is not secure. Many of the e-commerce sites like 3D Cart, Shopify, Big Commerce, etc. have blanket certificates for all their customers. It may be something as innocuous as a name mismatch, which shouldn't be cause for alarm on sites like that.
     
    • Like Like x 2
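    As an added example (not from the thread or any of its posters), here is a small Python script that gathers the kind of facts the posts above talk about (which protocol versions a server accepts, whether its certificate chain and hostname verify) and turns them into a grade. The grading rules are a deliberately simplified approximation of what posts #3 and #7 describe (SSL2/SSL3 offered caps at C, a trust problem yields T, a vulnerable server build yields F, with T taking precedence over C); they are not SSL Labs' real algorithm, and the `TlsFacts` field names are this example's own.

```python
import socket
import ssl
from dataclasses import dataclass, field

@dataclass
class TlsFacts:
    host: str
    protocols: set = field(default_factory=set)  # e.g. {"SSLv3", "TLSv1.2"}
    cert_trusted: bool = True                    # chain validates and name matches
    vulnerable_openssl: bool = False             # known-vulnerable server build

def grade(facts: TlsFacts) -> tuple:
    """Simplified grade modelled on the rules the posts describe, NOT SSL Labs'
    real algorithm: vulnerable OpenSSL -> F, trust problem -> T,
    SSL 2.0/3.0 offered -> C, otherwise A. Returns (grade, reasons)."""
    if facts.vulnerable_openssl:
        return "F", ["server runs a vulnerable OpenSSL build"]
    if not facts.cert_trusted:
        return "T", ["certificate chain untrusted or hostname mismatch"]
    legacy = sorted(facts.protocols & {"SSLv2", "SSLv3"})
    if legacy:
        return "C", ["legacy protocols offered: " + ", ".join(legacy)]
    return "A", []

def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsFacts:
    """Collect facts from a live server (needs network; not exercised offline).
    Python's ssl module can no longer speak SSL 2.0/3.0, so those are only
    visible through an external scanner such as the SSL Labs test."""
    facts = TlsFacts(host)
    versions = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
    for name, version in versions.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # protocol probe only; trust is checked below
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    facts.protocols.add(name)
        except (ssl.SSLError, OSError):
            pass
    try:  # default context verifies the chain and the hostname
        with socket.create_connection((host, port), timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError:
        facts.cert_trusted = False
    return facts
```

    Run `grade(probe("shop.example"))` against a host you are allowed to test; the `vulnerable_openssl` flag cannot be detected from the client side and is left to the scanner results.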
  8. retired1

    retired1 Administrator Admin Verified Member ECF Veteran

    Supporting member
    Apr 5, 2013
    Texas
    I should also add that if you ordered from a site that turns up with a failure, you should give serious thought to replacing your credit/debit card (if that's what you used) before the info turns up elsewhere.
     
    • Like Like x 3
  9. tmcase

    tmcase ECF Guru Verified Member ECF Veteran

    Apr 20, 2011
    Rave's neighbor!
    Thanks for these links.
     
    • Like Like x 1
  10. Katdarling

    Katdarling Bling Kween and spreadsheet monster. ;) Verified Member ECF Veteran

    Supporting member
    Jan 25, 2011
    Utopia
    GREAT info, retired1.
     
  11. beckah54

    beckah54 Ultra Member Verified Member ECF Veteran

    Jun 27, 2009
    Ohio
    My card was recently compromised so I really do appreciate the links. I have them bookmarked for future use. Thanks retired1!
     
    • Like Like x 3
  12. aceswired

    aceswired Ultra Member Verified Member ECF Veteran

    Oct 3, 2013
    Minnesota
    Good info. Just last week I got a fraud alert on mine. No idea where from, but I'll be running this in the future. Thank you!

    Sent from my SM-T320 using Tapatalk
     
    • Like Like x 3
  13. Racehorse

    Racehorse ECF Guru Verified Member ECF Veteran

    Jul 12, 2012
    USA midwest
    Very nice posts!

    I'm gonna add one if it's okay. Before clicking "Buy".......I always make sure the company has a phone number and address listed on their site.

    If not.....they don't get an order from me.
     
    • Like Like x 6
  14. retired1

    retired1 Administrator Admin Verified Member ECF Veteran

    Supporting member
    Apr 5, 2013
    Texas
    ECF registered suppliers are required to have that info on their site. ;)

    I generally don't order from sites that have their registration information masked, either. If you're trying to keep site ownership a secret by masking the domain registration and not including a physical address and phone number on the site itself, you're definitely not getting my business.
     
    • Like Like x 4
  15. subwayaznm

    subwayaznm A Geek with a Cool slice Verified Member

    Jan 24, 2016
    USA
    Some great advice. Thanks for sharing
     
    • Like Like x 2
  16. retired1

    retired1 Administrator Admin Verified Member ECF Veteran

    Supporting member
    Apr 5, 2013
    Texas
    • Like Like x 3
  17. retired1

    retired1 Administrator Admin Verified Member ECF Veteran

    Supporting member
    Apr 5, 2013
    Texas
    • Like Like x 7
  18. LoriP1702

    LoriP1702 Ultra Member Verified Member ECF Veteran

    Supporting member
    Thanks for the heads up, and for looking out for all of us!! :wub:
     
    • Like Like x 2
  19. retired1

    retired1 Administrator Admin Verified Member ECF Veteran

    Supporting member
    Apr 5, 2013
    Texas
    • Like Like x 4
  20. LoriP1702

    LoriP1702 Ultra Member Verified Member ECF Veteran

    Supporting member
    Just a matter of "when", not "if" your card info will be compromised.
    Sad times we're living in. :(
     
    • Like Like x 1