
I was checking out hotel websites for reservations this weekend and noticed hotel giants Hilton and Choice websites are being reported to have valid but insecure SSL.

For Choice, Chrome is reporting that attackers might be able to see the images you are looking at on this site and trick you by modifying them. The same message is on their signup and reservation pages.

For Hilton, Chrome flat out says you should not enter any sensitive information on this site (for example passwords or credit cards) because it could be stolen by attackers. This is also reported on their signup and reservation pages.

Is there any other way a consumer could securely use these sites or is the best bet to stop doing business with them until they improve their site security?

Update

Since this post, Choice hotel site has been updated.

Here is a pic of the Hilton sign-up page showing insecure. Sign-in and room registration pages are also now showing secure.

jtlindsey
Browsers report their warnings in different ways and it is a serious problem because users do click through the warnings. It sounds like Chrome is complaining that not all the links are loaded over https, or mixed content (on Choice). I would recommend looking at the certificates as a first step. – pm1391 Mar 11 '18 at 04:51

1 Answer


In the case of Hilton, Google reports a form with an insecure URL - it seems to be the search form and not the form where you enter personal details. For Choice I currently don't see any problems reported by Chrome.

Is there any other way a consumer could securely use these sites or is the best bet to stop doing business with them until they improve their site security?

There is no definitive answer. It depends on the specific problem and on the risks you are willing to accept in order to achieve your final goal (i.e. booking a room in a hotel).

In this specific case somebody might intercept your search, which you might consider as no big deal. Even if some personal details would be transferred in plain it might be no big deal in case these details are already widely known anyway (i.e. posted on Facebook or similar). If more secret personal data are transferred like credit card data it could be considered more of a problem.

On the other hand, HTTPS does not provide 100% security either: it only protects the data against sniffing and modification during transit to the server, but not afterwards. Thus, for example, your credit card data might still get stolen, as happened in the past with Hilton but also other hotel chains. Also, HTTPS does not protect you if the site is hacked and serves malicious content to the visitors.

Still, you might see the obvious inability to offer a fully secured connection to their publicly visible site as a sign that they don't care enough about security in the first place. And you might extrapolate how their internal security will be if they don't even get their publicly visible security right. Given that you trust them to keep your data safe, you might ask yourself if the trust is justified.

Steffen Ullrich
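The two warnings discussed above (images loaded over plain http on Choice, a form posting to a plain-http URL on Hilton) are both "mixed content" on an HTTPS page. The following is an added example, not code from the question or the answer, that scans a page's HTML for such references and reproduces the browser's escalation from a passive (image) to an active (script, frame, form target) finding. The sample HTML and the `example.invalid` hostnames are constructed; the passive/active split is an assumption made here for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Classification assumed here: images are "passive" mixed content (they can be
# viewed or altered in transit); scripts, frames and form targets are "active"
# (the page, or the data you submit, can be taken over).
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("form", "action")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in PASSIVE:
                severity = "passive"
            elif (tag, name) in ACTIVE:
                severity = "active"
            else:
                continue
            # Resolve relative URLs against the page so "/reserve" inherits https.
            resolved = urljoin(self.page_url, value or "")
            if urlsplit(resolved).scheme == "http":
                self.findings.append((severity, tag, resolved))

def scan(page_url, html):
    """List (severity, tag, url) for every plain-http reference on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a page that is itself HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def verdict(findings):
    """Escalate like a browser: any active finding outranks passive ones."""
    severities = {s for s, _, _ in findings}
    if "active" in severities:
        return "not secure: do not enter passwords or card numbers"
    if "passive" in severities:
        return "insecure images: attackers may see or modify them"
    return "secure"

# Constructed sample pages mirroring the two warnings in the question.
CHOICE_LIKE = ('<img src="http://cdn.example.invalid/banner.jpg">'
               '<form action="/reserve" method="post"><input name="card"></form>')
HILTON_LIKE = ('<img src="https://cdn.example.invalid/logo.png">'
               '<form action="http://search.example.invalid/find"><input name="q"></form>')
```

Run `scan("https://www.example.invalid/signup", HILTON_LIKE)` to see that the relative `/reserve` action inherits https and is not flagged, while the absolute http search target is.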