(background: 2 years (and counting!) web applications developer. i.e. not a web designer - I can't tell you if two colours look good together or not!)
Summary cos I wrote more than I thought I would:
- Make sure there's an "https://" in the address bar.
- Make sure the rest of the address is believable.
- Check there's a padlock.
- Shop!
Personally, I wouldn't give my card details to a site that failed these points.
The detail:
As far as I am aware, there are no webservers configured to send SSL (secure) pages via the http:// protocol. i.e. a site is not secure if the URL (address) doesn't start with "https://". With secure online shopping, this is your first port of call: don't put credit card details into a page that doesn't have "https://" at the start of the address. If you find an instance, please let me know at rob [at] akrabat.com as I'd love to see a "real live specimen".
Your second point of call is to make sure that the bit immediately up to the next forward slash is what you expect. e.g. if you subscribe to mumsnet they tell you that they use worldpay and then when you go to pay, you are taken to "https://select.worldpay.com/..". Thus you are happy with this address. If you had ended up at "https://mumsnet.example.com" you might be wondering why example.com is trying to look like a valid mumsnet store and trying to take your money.
The next thing to check is to look for a padlock. The padlock indicates that there is an encrypted link between your browser and the website. That's all it does. It does not say that the website is the right website or anything else.
Technically, you should then click the padlock and read the certificate information and check that the information ties in with the site's address. No one ever does this though! To continue our subscription to mumsnet, the certificate says the following in my browser:
Issued To:
Common Name (CN) select.worldpay.com
Organization (O) WorldPay Plc
blah blah
Issued By:
Common Name (CN) Thawte Server (CA)
blah blah etc
The "common name" in the issued to section is the address of the website. If there is a difference, you should be wary. If they are the same and the rest of the info like expiry date seems valid, then the certificate is likely to be ok. I say likely, because previous versions of Internet Explorer have had security holes allowing this info to be spoofed. As far as I know, if you are using the latest version of Internet Explorer, Opera or Firefox then there are no known vulnerabilities in this bit.
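The three checks above, written out as a short Python sketch (an added example, not code from the original post). The function names and the `expected_host` parameter are assumptions, and the sample certificate is constructed in the dict shape returned by `getpeercert()` in Python's `ssl` module, using the "Issued To" fields quoted above.

```python
from urllib.parse import urlsplit

# Constructed sample certificate; values mirror the "Issued To" fields quoted above.
SAMPLE_CERT = {
    "subject": (
        (("organizationName", "WorldPay Plc"),),
        (("commonName", "select.worldpay.com"),),
    ),
}


def cert_names(cert):
    """Hostnames the certificate was issued to.

    Current browsers read the subjectAltName DNS entries; the common name
    is used here only when no such entries are present.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive comparison; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_payment_page(url, expected_host, cert):
    """Return the list of failed checks; an empty list means all three passed."""
    problems = []
    parts = urlsplit(url)
    # hostname is the part "up to the next forward slash", minus any port
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("address does not start with https://")
    if host.lower() != expected_host.lower():
        problems.append(f"host {host!r} is not the expected {expected_host!r}")
    if not any(name_matches(name, host) for name in cert_names(cert)):
        problems.append(f"certificate was not issued to {host!r}")
    return problems


if __name__ == "__main__":
    print(check_payment_page("https://select.worldpay.com/pay",
                             "select.worldpay.com", SAMPLE_CERT))
```
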
At this point, you can shop in the knowledge that giving your credit card to the site is safer than to the waiter in your local restaurant.