Amazon redirecting to HTTP

For the past couple of weeks, https://www.amazon.com and https://amazon.com have redirected me to http://www.amazon.com. Region-specific sites like https://www.amazon.co.uk/ still work fine. There is probably no MITM attacker at work here: the redirect is issued by the HTTPS response itself, after the browser has accepted Amazon's certificate, so an attacker could only inject it by holding a valid certificate for www.amazon.com, and anyone holding such a certificate would presumably do something more useful with it than add a redirect.

Questions for Amazon:

  • What the hell?
  • Why does your site work at all without HTTPS?
  • How am I going to buy things now?

It’s 2014, and this is unacceptable for an e-commerce site, plain and simple. Repent by implementing HSTS: send a Strict-Transport-Security header over HTTPS so that every browser that has seen it rewrites http://www.amazon.com to https:// before the request ever leaves the machine.
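As an added illustration (not code from the original post, and not Amazon's), the following Python script walks a redirect chain and flags the two things complained about above: an HTTPS response that sends the browser to plain HTTP, and the absence of a usable Strict-Transport-Security header. The responses are constructed sample data; the amazon.com entries reproduce the behaviour described in this post rather than a real capture, and the host example.test, the SAMPLE_RESPONSES table and the function names are assumptions for the example. HSTS parsing follows RFC 6797.

```python
"""Added example: audit a redirect chain for an HTTPS -> HTTP downgrade
and check whether any HTTPS hop set a usable Strict-Transport-Security
(HSTS) header.  Runs offline against constructed responses."""
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample responses keyed by URL: (status, headers).
# Illustrative only; not a capture of the real amazon.com behaviour.
SAMPLE_RESPONSES = {
    "https://www.amazon.com/": (301, {"Location": "http://www.amazon.com/"}),
    "http://www.amazon.com/": (200, {"Content-Type": "text/html"}),
    "https://www.amazon.co.uk/": (200, {"Content-Type": "text/html"}),
    # A hypothetical well-behaved site: HTTPS stays HTTPS and HSTS is set.
    "https://example.test/": (301, {
        "Location": "https://www.example.test/",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https://www.example.test/": (200, {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns None when the header is absent or malformed (a browser would
    ignore it in those cases), otherwise a dict of the directives."""
    if value is None:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None          # non-numeric max-age invalidates the header
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if result["max_age"] is None:
        return None                  # max-age is mandatory
    return result


def follow(start_url, responses, max_hops=10):
    """Follow redirects through `responses`; return the list of URLs visited."""
    url, chain = start_url, [start_url]
    for _ in range(max_hops):
        status, headers = responses[url]
        location = header(headers, "Location")
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)   # an absolute Location replaces the scheme
            chain.append(url)
        else:
            return chain
    raise RuntimeError("too many redirects starting at " + start_url)


def audit(start_url, responses):
    """Report the first HTTPS -> HTTP hop (if any) and the last HSTS policy
    seen on an HTTPS hop.  HSTS sent over plain HTTP is ignored here, as
    browsers ignore it (RFC 6797 section 8.1)."""
    chain = follow(start_url, responses)
    downgrade = None
    for prev, nxt in zip(chain, chain[1:]):
        if urlparse(prev).scheme == "https" and urlparse(nxt).scheme == "http":
            downgrade = (prev, nxt)
            break
    hsts = None
    for url in chain:
        if urlparse(url).scheme == "https":
            policy = parse_hsts(header(responses[url][1], "Strict-Transport-Security"))
            if policy is not None:
                hsts = policy
    return {
        "chain": chain,
        "downgrade": downgrade,
        "hsts": hsts,
        "final_scheme": urlparse(chain[-1]).scheme,
    }


if __name__ == "__main__":
    for start in ("https://www.amazon.com/", "https://www.amazon.co.uk/",
                  "https://example.test/"):
        report = audit(start, SAMPLE_RESPONSES)
        verdict = "DOWNGRADE" if report["downgrade"] else "ok"
        print(f"{start}: {verdict}; hsts={report['hsts']}; "
              f"chain={' -> '.join(report['chain'])}")
```

To run this against a live host, replace SAMPLE_RESPONSES with a fetcher that issues each request with redirects disabled and records the status and headers; the audit logic stays the same. Note that HSTS only counts when it arrives on an HTTPS response with a valid certificate, which is why the audit skips any hop that is already plain HTTP.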

5 Replies to “Amazon redirecting to HTTP”

  1. This is done so that certain oppressive government regimes block only certain pages off amazon.com (which they can do using a transparent proxy) instead of the whole site, which is generally useful.

  2. Hum… well, something similar goes for Ebay (at least the German version of it). Except, of course, Ebay is worse:
    + going to https://www.ebay.de gives you a warning about them using an Akamai certificate
    + accepting the certificate, you get a “service unavailable” message
    + the only part of Ebay that is encrypted is the log-in process
    + you can actually send personal messages to other Ebay members (totally unencrypted, once you have the log-in cookie), I don’t think you can do that on Amazon

  3. Hi!

    It is possible for an attacker who is sniffing your connection to redirect you from https to http without having a valid certificate for that domain.

    Have a look at SSLStrip (2009):
    http://www.thoughtcrime.org/software/sslstrip/

    I was curious about amazon, and I can confirm this happens to me too. WTF Amazon?


      1. Since that video didn’t work for me, I just looked this up. Looks like he’s just preventing HTTP pages from redirecting users to HTTPS pages. But of course, the HTTP page is completely insecure, the attacker can do whatever he wants with it.
