Indian e-commerce is growing at an incredibly frantic pace. There are tons of new e-commerce sites mushrooming in variety of verticals spanning electronics, books, gift items, vitamin supplements, foreign importers etc.
Unfortunately the awareness among Indian customers and e-commerce site owners regarding the risks of online scam, phishing and what not remains concerningly low.
SSL Security is one basic step that every e-commerce site must take at the very minimum. Doing so will at least ensure that transactions between an e-commerce site and its customers remain private. This is critically important in India, especially because a large portion of the population there uses shared internet (i.e. cyber cafes).
It has come to our attention that a very famous site known as SnapDeal.com which is essentially India’s Amazon, has not been using SSL properly at all. Just imagine one of the largest shopping sites in the entire country with over 1.2 billion customers transferring confidential details such as address, email, phone number, credit card, and online banking details in just plain text! To say that we were shocked would be a vast understatement. Just take a look at the screenshots to follow as proof :
Why is SnapDeal.com non-trusted with their security?
- They don’t have “HTTPS” or a “SSL Certificate” installed on their website.
- They use a text to gain trust of security, “100% secure shopping guarantee”. A website simply cannot be secured without any “HTTPS” or “SSL certificate” security installed, anything else is an indication of an online scam or fraud.
- Even visitors know they should only enter credit card information on a secure page, something that can easily be identified by the LOCK Symbol located with the frame, status or address bar of a trusted browser. Just by gathering user credit card information on their unsecure payment processing pages, SnapDeal.com is putting their users’ private information at extreme risk. How could they say they are secure and don’t store credit card details without using ““HTTPS” or “SSL Certificate” security?
Finally, we confirm without a single doubt that Snapdeal.com, one of India’s largest e-commerce platforms, simply doesn’t care about user safety on the web. They have been displaying a logo of Trust Pay everywhere on their website, however, Trust Pay is not a Security Authority. It’s actually what is known as a Financial Conduct Authority which only deals with payment processing and has no responsibility whatsoever for web page security.
As you can see this is one giant disaster waiting to happen. Just imagine what could happen if a fraudulent site called “SnopDeal.com” pops up, perfectly imitating the website design and all their products in order to lure customers into a huge phishing SCAM!
How they can secure their business and users information with SSL Certificate security?
Conclusion:
In today’s world where sensitive information so routinely traverses what is known as the internet superhighway, SSL Certificates have become an increasingly crucial part of e-commerce. It is for that very reason that one should never hesitate to make the online business experience a much safer and secure one for users on the web with an SSL certificate.
Update: This write-up has been edited following SnapDeal’s official response, which goes as:
We totally understand the concern that a customer would have in making a purchase online. As we promise, we ensure secure shopping for all our customers. No financial data is gathered without a secure layer transaction. The iframe that gathers financial data is completely secure and is posted through a HTTPS url as you can notice in the screenshot here: http://bit.ly/Secureshopping
Also, please note that Trustpay has always been a promise to protect customers with 100% moneyback guarantee if there is an issue with product quality, size or delivery.
Once again, we would like to highlight that 100% secure shopping is being ensured through secure payment gateways implementing SSL for all financial transactions. Hope this clarifies your concern and we would be glad to answer any further queries you might have.
Update 2: Mr. Jim Armstrong, Founder and CEO, RapidSSLonline responds:
Snapdeal: Certainly, if you gather data through HTTPS iframe within a page served over HTTP, then it will not assure users that they are dealing with secure page. The following iframe can be hijacked or altered in a simple attack such as an iframe injection. And the following attacks can be implementing through a virus, a Trojan, visiting a malicious websites.
here is the conversions report from http://
security.stackexchange.com/ questions/894/ are-there-security-issues-w ith-embedding-an-https-ifr ame-on-an-http-page
Disclaimer: The views expressed, and any inferences drawn herein are those of the author alone, and do not necessarily represent the policies, positions, strategies or opinions of DailyHostNews.
Hello Snap Deal.
Here is the answer for your comment
Any page asking for private information should be secured via http and the lock on the browser bar should be visible to the user for trustworthiness. You can’t hide https in a http page. You should ideally have https on both the iframe as well your site itself. Cost of Cert is just Rs. 1000/year; I don’t see any reason why you shouldn’t have it.
The way you have embedded payment gateway also have some security implications. Its best that you hire some security consultant before it’s too late. We neither do security audit nor do we have any recommendation. But we surely like Snapdeal, please make it SECURE!