
So, I am having this issue where I want to buy a specific wacom product but their online store eu-store.wacom.com and us-store.wacom.com, even though it is being accessed through https, does not convince my firefox that it's safe.

Firefox reporting that the connection is not secure

The actual wacom homepage www.wacom.com shows up with a proper green lock and is verified by godaddy. Their eshop is under the same wacom.com domain but the godaddy verification is missing.

My questions are, why is this inconsistency happening, how can I verify that the store page is indeed wacom's, and ultimately, is it safe for me to purchase stuff with my card through it?

Eternal_Light
  • Just an FYI, if a site was compromised and modified (not redirected to another malicious site), it will still show a green "secure" icon since those certificate checks only verify the certificate and URL. – user Aug 19 '19 at 13:48
  • Similar issue to https://security.stackexchange.com/questions/147928/what-does-this-https-not-fully-secure-warning-mean but a different warning as it's a different web browser. But fundamentally the same issue. – User1 Aug 20 '19 at 11:56
  • As an additional safeguard, many credit cards and banks now offer virtual account numbers, sometimes called “ShopSafe” or similar. You log into your account online and generate a disposable credit card number to use for a single purchase or a single recurring purchase, for a specified amount. If the number is later compromised it won’t matter. – Wildcard Aug 20 '19 at 16:24

3 Answers


On eu-store.wacom.com, some images from their Amazon CDN are requested over http instead of https. This can be solved by installing HTTPS Everywhere and turning on "Encrypt All Sites Eligible":


The gray padlock means all resources are served securely. So the webstore is most likely not compromised. They are still using an outdated cipher based on CBC and SHA1, so a nation-state power might still be able to intercept or even MITM the connection.

Jenessa
  • HTTPS Everywhere uses a whitelist approach, which is inherently flawed. I would instead recommend "Smart HTTPS" or any other addon that enforces HTTPS really everywhere (then falls back on HTTP on issues). – A. Hersean Aug 19 '19 at 14:58
  • @A.Hersean I don't know about the Firefox version, but the chrome version only seems to work for url-bar urls, not image loads or fetch requests. That kind of defeats the point :( – Jenessa Aug 19 '19 at 15:06
  • @A.Hersean HTTPS Everywhere does have an "Encrypt All Sites Eligible" mode that requires an explicit confirmation before allowing unencrypted requests, but it is off by default so it should probably be mentioned in the answer. – AndrolGenhald Aug 19 '19 at 16:03
  • You're right, Smart HTTPS does not block image loads over HTTP, but I have another extension that blocks them, so I didn't mind. I tried "Encrypt All Sites Eligible" in the drop-down menu of the addon: it's a new feature I didn't know, and it appears to work as intended. I agree with @AndrolGenhald: it should be mentioned in the answer. – A. Hersean Aug 19 '19 at 16:43
  • Yep, sorry guys. I forgot you had to manually turn that on. I've added it to the answer – Jenessa Aug 19 '19 at 18:03
  • Thank you very much for your reply. How can I deduce that it's some pictures that got served unencrypted and there's no security risk if I ever come across a similar situation again? Or is it safe to assume that it's gonna be just pictures in most cases? – Eternal_Light Aug 19 '19 at 18:11
  • If this scenario occurs, all active and active mixed content will be blocked. The only passive content allowed via http will be (from https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content): , – Jenessa Aug 19 '19 at 18:14
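The following is an added example, not code from this thread, from Wacom or from Mozilla. It reproduces the active/passive split the MDN page linked above describes, run over a constructed sample page (the `cdn.example.invalid` hostname and the markup are assumptions; only the `eu-store.wacom.com` page URL comes from the question), shows the operator-side fix (the `upgrade-insecure-requests` CSP directive, or the equivalent markup rewrite), and includes a live TLS check for the "is this really wacom.com, and which cipher did we get?" part of the question.

```python
"""Added example; not code from the Stack Exchange thread above.

Classifies an https page's http: subresources the way Firefox does
("mixed content", per the MDN page linked in the comments): active
content (scripts, iframes, stylesheets, objects) is blocked because a
network attacker could run code in the page; passive content (images,
audio, video) is loaded but downgrades the padlock.  Also shows the
operator-side fix and a live certificate/cipher check.

The sample page and the cdn.example.invalid host are constructed for
this example; they are not the real store markup.
"""
import re
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute that fetches a subresource, mixed-content class)
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "embed": ("src", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}


class _SubresourceCollector(HTMLParser):
    """Collect (class, tag, absolute URL) for every fetching tag in the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":  # <link rel=stylesheet> is active: CSS runs in the page
            if "stylesheet" in (a.get("rel") or "").lower().split():
                self._record("active", tag, a.get("href"))
        elif tag in SUBRESOURCES:
            attr, kind = SUBRESOURCES[tag]
            self._record(kind, tag, a.get(attr))

    def _record(self, kind, tag, url):
        if url:
            # urljoin resolves "/path" and "//host/path" against the https page,
            # so only an explicit http:// URL remains insecure
            self.found.append((kind, tag, urljoin(self.page_url, url)))


def classify_mixed_content(html, page_url):
    """Return {"active": [(tag, url)], "passive": [(tag, url)]} of http: subresources."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to a page served over https")
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    result = {"active": [], "passive": []}
    for kind, tag, url in collector.found:
        if urlsplit(url).scheme == "http":
            result[kind].append((tag, url))
    return result


# Operator-side fix: with this header the browser rewrites every http:
# subresource URL to https: before fetching it, with no markup changes.
CSP_FIX_HEADER = "Content-Security-Policy: upgrade-insecure-requests"

_HTTP_URL_ATTR = re.compile(r'((?:src|href|data)\s*=\s*["\'])http://', re.IGNORECASE)


def upgrade_insecure_requests(html):
    """The same rewrite done in the markup. Deliberately blunt: it also upgrades
    <a href> links, which is fine for a store that is https-only anyway."""
    return _HTTP_URL_ATTR.sub(r"\1https://", html)


def peer_certificate(host, port=443):
    """Live check (needs network; not run offline): full chain + hostname
    verification against the system trust store, then who issued the
    certificate, which DNS names it covers and the negotiated cipher."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "issuer": {k: v for rdn in cert["issuer"] for k, v in rdn},
                "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "cipher": tls.cipher(),  # (name, protocol, bits)
            }


SAMPLE_PAGE_URL = "https://eu-store.wacom.com/"  # host from the question
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/store.css">
<script src="https://eu-store.wacom.com/js/app.js"></script>
<script src="http://cdn.example.invalid/js/tracker.js"></script>
</head><body>
<img src="http://cdn.example.invalid/img/cintiq.png">
<img src="//cdn.example.invalid/img/logo.png">
<iframe src="http://cdn.example.invalid/promo.html"></iframe>
<a href="http://www.wacom.com/">wacom.com</a>
</body></html>"""

if __name__ == "__main__":
    mixed = classify_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print("blocked (active):", mixed["active"])
    print("loaded, padlock downgraded (passive):", mixed["passive"])
    print("after upgrade:", classify_mixed_content(
        upgrade_insecure_requests(SAMPLE_HTML), SAMPLE_PAGE_URL))
    print("or have the server send:", CSP_FIX_HEADER)
```

On the sample page the two http: `<script>`/`<iframe>` loads are what Firefox blocks outright, and the single http: `<img>` is what turns the padlock grey-with-warning; after the rewrite (or with the CSP header) nothing is left over http. `peer_certificate("eu-store.wacom.com")` raises `ssl.SSLCertVerificationError` if the chain or hostname does not verify, which is the signal that the page is not the one a CA vouched for; the returned `cipher` tuple is where you would see a CBC/SHA1 suite of the kind this answer mentions.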

My questions are, why is this inconsistency happening

This is known as mixed content, where the page is loaded with HTTPS, while some parts (images) are loaded via insecure HTTP.

how can I verify that the store page is indeed wacom's

As long as your system has not been compromised, the only way is to use HTTPS Everywhere and visit the correct URL; otherwise the HTTP can be MITM'd and the response returned could itself be a phishing page.

NOTE: This answer ignores all the other web/browser vulnerabilities.

is it safe for me to purchase stuff with my card through it?

Well, they probably redirect you to a different website when it's time to pay, which might use HTTPS. Apart from that, images can be tampered with in a MITM situation. The most an attacker can do is

Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they should not be able to steal your personal data from the site.

yeah_well
  • This answer has some problems, for example "As long as your system has not been compromised then the only way to know is to visit the correct URL.For ex you know google is at www.google.com" is not true if Google doesn't use HSTS Preloading and you're visiting for the first time – Jenessa Aug 19 '19 at 12:43
  • Phishing usually has different URLs. But if eu-store.wacom.com was being MITM'd (due to dysfunctional HTTPS), it could be a phishing site while still having a legitimate URL, right? So just checking the URL is not enough. – Jenessa Aug 19 '19 at 12:59
  • @Jenessa I understood your point and edited. – yeah_well Aug 19 '19 at 13:35

On eu-store.wacom.com, some images from their Amazon CDN are requested over http instead of https

Let me continue from that. Firefox says it's not 100% secure because it's loading unprotected content. I would say, naively... it's 95% secure.

Now, it doesn't mean the site wacom.com is not legitimate, but perhaps misconfigured. If you buy today from that site, it's not likely that you are paying a scammer pretending to be Wacom, but see later.

On the contrary, unprotected content served over http can be a danger to Wacom themselves who did not configure their store correctly.

Apart from what government-level attackers can do, here are some examples of what a real attacker can do on a MitM attack over plain old http:

  • Images served over http may display something else than the product you are going to buy
  • Javascript (and possibly CSS) served over http can be altered and cause any possible harm, including sniffing your credit card number
  • Iframes served over http can be altered and cause a number of damages, but probably not sniff your CC number (correct me if I am wrong)

Of course I am speaking from a more protocol-theoretical PoV.

So...

how can I verify that the store page is indeed wacom's?

Yes, they are them. The site is not compromised, but vulnerable.

is it safe for me to purchase stuff with my card through it

Probably from your home network. I would always avoid sensitive browsing over public wifis or Tor without proper encryption.

usr-local-ΕΨΗΕΛΩΝ