For the past couple of weeks, https://www.amazon.com and https://amazon.com have redirected me to http://www.amazon.com. Region-specific sites like https://www.amazon.co.uk/ still work fine. There is probably no MITM attacker, since the secure page is performing the redirect, so a MITM would have to have a valid certificate for www.amazon.com, and if so he would presumably not add a redirect.
Questions for Amazon:
- What the hell?
- Why does your site work at all without HTTPS?
- How am I going to buy things now?
It’s 2014, and this is unacceptable for an e-commerce site, plain and simple. Repent by implementing HSTS.
This is done so that certain oppressive government regimes block only certain pages off amazon.com (which they can do using a transparent proxy) instead of the whole site, which is generally useful.
Hum… well, something similar goes for Ebay (at least the German version of it). Except, of course, Ebay is worse:
+ going to https://www.ebay.de gives you a warning about them using an Akamai certificate
+ accepting the certificate, you get a “service unavailable” message
+ the only part of Ebay that is encrypted is the log in process
+ you can actually send personal messages to other Ebay members (totally unencrypted, once you have the log-in cookie), I don’t think you can do that on Amazon
Hi!
In order for an attacker that is sniffing your connection to redirect you from https to http, it is possible without having a valid certificate for that domain.
Have a look at SSLStrip (2009):
http://www.thoughtcrime.org/software/sslstrip/
I was curious about amazon, and I can confirm this happens to me too. WTF Amazon?
[WORDPRESS HASHCASH] The poster sent us ‘0 which is not a hashcash value.
That is good to know….
Since that video didn’t work for me, I just looked this up. Looks like he’s just preventing HTTP pages from redirecting users to HTTPS pages. But of course, the HTTP page is completely insecure, the attacker can do whatever he wants with it.