23

I've been working on my very first web application and I usually refer to Amazon.com as my role model.

I'm very interested in deploying my web application with SSL/TLS. However, there is one thing that I can't understand. Why isn't Amazon's home page address bar colored green? Shouldn't it be encrypted with SSL/TLS to secure the site?

Would it be enough to secure only the payment pages?

S.L. Barth
T.O
    When you talk about green address bar, you are in fact asking about SSL/TLS with an *Extended Validation certificate* as opposed to "just" encryption. When I visit amazon.com, I end up at https://www.amazon.com, which is of course encrypted with a valid (Verisign-originated) certificate, but I also get a warning that my browser is blocking some unencrypted content. On the other hand amazon.de ends up unencrypted, https://amazon.de encrypted with a non-extended certificate as well, but without unencrypted content warning ... So a lot of different cases can happen – Hagen von Eitzen Sep 27 '15 at 08:57
  • 1
    Amazon is generally a pretty terrible role model for web development. – Konrad Rudolph Sep 28 '15 at 00:48

2 Answers

34

Amazon apparently believes that the overhead of TLS is high enough to justify not encrypting traffic when not performing sensitive actions (like placing orders, payment processing, account management, order history, login, etc.). While the server-side cost of TLS is nearly insignificant with today's hardware, it does still have a non-zero cost. Client-side impact can be much worse, especially over high-latency or unreliable links like some mobile connections; TLS can cause significant delays in page loading, which can lead to customers going elsewhere.

I'm personally of the opinion that it's better to use TLS for all traffic until and unless you have a reason not to do so - and there aren't many of those, not that I'd call valid - but I'm a security guy first and foremost. Amazon exists to make money, not to be a role model of secure web development. If all-TLS-all-the-time costs them more than using HTTP sometimes does, then they'll go with the second option even though it exposes their customers to certain types of attacks.

An example of such a risk: although the login form is served over HTTPS, the button that takes you there is served over HTTP. An attacker could use an SSL Stripping attack to modify the home page so that the login button linked to HTTP instead of HTTPS, and the attacker could then spoof the login page when the user tried to log in. The attacker would then get to see the user's credentials. Amazon could prevent this by using the Strict-Transport-Security header, but then they would have to serve the whole site over HTTPS all the time.

As a security role model, Amazon does some stuff very well. For example, their SigV4 scheme provides AWS with authentication, integrity, and a limit on replay attacks. It's good enough that, assuming there's no inherently sensitive data (a credit card number is inherently sensitive; an identifier string that maps to a credit card number is not) in the request or response, it can actually be safe to not use TLS on some AWS functions (though in general they mandate TLS for most of AWS anyhow). Their retail site, however, makes some tradeoffs that sacrifice a little security for the sake of slightly more profit.

If you're looking to emulate Amazon's business success, then copying their security choices might be wise... but also bear in mind that the Amazon.com retail site is old, and has undergone a lot of changes over the years that add more and more security. Given how much it costs them to have any downtime on the site, they are probably very hesitant to mess with it more than they need to. If they were designing the site from scratch today, they might well use TLS for everything, with pre-loaded HSTS. Or maybe they wouldn't; after all, I'm sure they've considered doing that, and have reasons for not (yet) implementing it.

One final note: the site certainly works over HTTPS-all-the-time. My browser actually defaulted to using HTTPS for the retail site, even though I hadn't previously used it on this computer and certainly hadn't logged in or anything. Please don't be one of those sites (looking at you, Slashdot) that redirect users from HTTPS back to HTTP even if the user specifically prefers to use HTTPS.

CBHacking
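The downgrade path the answer describes (a sign-in button reachable over HTTP from an HTTP home page, which an on-path attacker can rewrite) is something a site owner can check for in their own markup before relying on users to notice. The following Python is an added example, not code from the post or from Amazon; the HTML, the host name and the SENSITIVE_PATHS keyword list are constructed assumptions.

```python
"""Flag sign-in links and password forms exposed over plain HTTP.
Added example, not from the original post; stdlib only. The HTML, host name
and SENSITIVE_PATHS list below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_PATHS = ("signin", "login", "account", "checkout", "order")  # assumed


class LoginLinkAuditor(HTMLParser):
    """Collect navigation targets and form actions whose scheme is not HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute_url, reason)
        self._form = None   # [resolved action, has_password] for the open <form>

    def _resolve(self, target):
        # Relative links inherit the page's scheme: "/ap/signin" on an http:// page is http://
        return urlsplit(urljoin(self.page_url, target))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "a" and attrs.get("href"):
            url = self._resolve(attrs["href"])
            if url.scheme == "http" and any(p in url.path.lower() for p in SENSITIVE_PATHS):
                self.findings.append(("a", url.geturl(), "sensitive link over http"))
        elif tag == "form":
            self._form = [self._resolve(attrs.get("action", "")), False]
        elif tag == "input" and self._form and attrs.get("type", "").lower() == "password":
            self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            action, has_password = self._form
            if has_password and action.scheme != "https":
                self.findings.append(("form", action.geturl(), "password form posts over http"))
            self._form = None


def audit_html(page_url, html):
    """Return every insecure sign-in link or password form found in html."""
    auditor = LoginLinkAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


SAMPLE_PAGE_URL = "http://www.example-shop.test/"  # constructed: home page over http
SAMPLE_HTML = """<a href="/ap/signin">Sign in</a> <a href="/help">Help</a>
<a href="https://www.example-shop.test/account">Your account</a>
<form action="http://www.example-shop.test/login"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>"""
```

Running `audit_html(SAMPLE_PAGE_URL, SAMPLE_HTML)` reports the relative sign-in link and the password form, while the absolute https:// account link and the search form pass.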
  • 2
    In terms of development time, it is cheaper to use https for everything than to use https where needed and http whenever https isn't strictly necessary. For anybody starting a new site, the difference in development cost is likely more significant than the overhead of https. – kasperd Sep 27 '15 at 14:20
  • 1
    +1 for mentioning overhead—that's why the login/checkout pages are so simplistic. – bwDraco Sep 27 '15 at 16:10
  • Actually... when *I* try to put the https in front of the URL, it actually *removes* it. And it shows my *name* on the page meaning I must be logged in and at least have some kind of session cookie passing in the clear. I think my opinion of Amazon just dropped about nine notches... – Michael Sep 27 '15 at 16:12
  • 2
    If the added latency costs 1% of revenue that's $500,000,000 per year for Amazon. By that fact alone TLS has completely lost the trade-off. – usr Sep 27 '15 at 20:33
  • 2
    I wouldn't recommend copying their security choices to a newcomer. Amazon can have a good security team ensuring that those risky trade-offs are relatively safe (even with them, I would prefer to make my commerce use TLS). A newcomer may easily make a big error on its security while trying to make a trade-off to save a few ms. – Ángel Sep 27 '15 at 22:31
  • For the login page thing: A competent user should always check for TLS before entering their password on a web page. (And the people who wouldn't do this probably wouldn't check the homepage either) – user253751 Sep 28 '15 at 01:06
  • Do you have a reference that says this is the reason why Amazon didn't do TLS for their homepage, or is that just an educated guess? – David says Reinstate Monica Sep 28 '15 at 03:01
  • Educated guess. I know some of Amazon's security folks; they're quite good at their jobs and the company, as a whole seems to take security fairly seriously. They obviously *can* handle HTTPS traffic just fine, so I combined that with some half-remembered comments about how the incremental costs of TLS do add up + the urgency of making pages load as fast as possible (especially on mobile). I don't know for certain, but if you have a more plausible explanation I'd be very interested to hear it. – CBHacking Sep 28 '15 at 07:24
3

If you look at Google, they switched from HTTP to HTTPS in 2011, so it is certainly possible to serve large numbers of requests. Maybe the guys at Amazon are just slower, have more servers, more bureaucracy or decided the few people on old devices/browsers matter more.

Also, making HTTPS the default is difficult right now, because current browsers start every request for a typed-in domain name over HTTP first and then get redirected to HTTPS, which is attackable by a MITM.

Vilican
user87805
  • 2
    The "make HTTPS the default" solution lies in something called [HTTP Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security), which is (FINALLY!) supported by (the latest version of) all major browsers (IE11 got support just a few months ago). Since HSTS usually only kicks in after the first visit to a site (when the browser sees the header) and can therefore be MITMed on a site you've never visited before, use [HSTS Preloading](https://hstspreload.appspot.com/) for protection from the very first visit. – CBHacking Sep 27 '15 at 19:29
  • 1
    You'd be hard pressed to find two different revenue models than Amazon and Google. Amazon wants to ship boxes to you for money, Google wants to sell you and your personal details to their customers, the advertiser. It behooves Google to make me feel as secure as they can make me since I am their product; Amazon wants to secure the business parts of the transaction and doesn't care as much about the rest. Neither model is inherently better than the other. – msw Sep 28 '15 at 03:21
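The first-visit gap described in the answer above and the HSTS preload fix from CBHacking's comment, as an added Python example that is not from the original answers: it parses a Strict-Transport-Security header, checks it against the preload submission requirements (thresholds assumed from the hstspreload.org rules: one-year max-age, includeSubDomains, preload), and models a browser's policy store to show which requests get upgraded and which still go out over HTTP. Host names are constructed.

```python
"""HSTS header parsing plus a minimal browser-side HSTS store.
Added example, not from the original answers: a typed-in domain goes out over
plain HTTP until a policy is cached, and preload closes that first-visit gap.
Preload thresholds are assumed from hstspreload.org; host names are constructed."""
from urllib.parse import urlsplit

PRELOAD_MIN_MAX_AGE = 31536000  # assumed: one year, per hstspreload.org rules


def parse_hsts(header):
    """Parse an STS header value into (max_age, include_subdomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def preload_eligible(header):
    """True when the header meets the assumed preload-list requirements."""
    max_age, include_sub, preload = parse_hsts(header)
    return max_age is not None and max_age >= PRELOAD_MIN_MAX_AGE and include_sub and preload


class HstsStore:
    """Policies as a browser keeps them: host -> (expiry_time, include_subdomains)."""
    def __init__(self, preloaded=()):
        # Preloaded hosts never expire and cover subdomains; nothing else is known before a visit
        self.policies = {host: (float("inf"), True) for host in preloaded}

    def learn(self, host, header, now):
        """Record the policy from a header received over HTTPS at time now."""
        max_age, include_sub, _ = parse_hsts(header)
        if max_age == 0:            # max-age=0 asks the browser to forget the host
            self.policies.pop(host, None)
        elif max_age is not None:
            self.policies[host] = (now + max_age, include_sub)

    def upgrade(self, url, now):
        """Rewrite http:// to https:// when a live policy covers the host."""
        parts = urlsplit(url)
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):          # exact host first, then parent domains
            entry = self.policies.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return parts._replace(scheme="https").geturl()
        return url                             # first visit or expired policy: stays http
```

An empty `HstsStore()` leaves the first `http://` request untouched, which is exactly the window a MITM has; the same request is upgraded once `learn()` has seen a header, or immediately when the domain is passed in as preloaded.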