I used to have a shopping fetish.
It's a little better now, thank you.
Occasionally, though, late at night -- especially if it's been a torrid day -- I might be tempted to buy, you know, a pair of sneakers I don't need. Or a sweatshirt I definitely don't need.
And this time, H&M was begging me.
The retailer had sent me a quaint little postcard that read: "Long time, no see!" It offered a 20 percent discount if I'd just please, please do a little shopping with the store online.
In the early days of H&M, when it was Swedish and strange, the store was a must. These days, it's ubiquitous and conventional, so I don't often visit.
This time I succumbed. I found a nice black sweater that I'd probably wear twice and proceeded to check out.
The site asked me to log in. I began the process and suddenly I heard a scream. Well, technically I saw one.
It was a message from Firefox: "The connection is insecure. Logins entered here could be compromised."
But I've logged in to the H&M site countless times and never seen this before. And, surely, the naive shopper might think these major retail sites wouldn't be so careless.
So, I didn't buy the sweater and asked Firefox's parent Mozilla what was going on.
Mozilla's fine engineers offered me this delightfully detailed reply:
If you go to the main site of this retailer https://hm.com/ without any cookies you'll get redirected to their country chooser at https://www.hm.com/entrance.ahtml?orguri=%2F. Most of the country-specific site links have a padlock icon next to them, and the US URL does have an https:// link. It looks like they know what they ought to be doing, but that https:// link then redirects to insecure http:, so the implementation is lacking. There is a tiny "sign in" link at the top that would be insecure.
This seemed like the height of carelessness. How could a major retail site have such a poor redirect?
How could its engineers not have spotted what seems like a blatant disregard for basic security?
Despite several attempts to contact H&M, I was unable to secure a response.
Most shoppers surely wouldn't have paid attention to whether there's a little padlock in their browser to show a site is secure. Perhaps not all browsers would have sent the sort of warning that I received from Firefox.
Yet Mozilla's engineers dug further to see how this insecurity might have been avoided. They told me:
If you ignore that sign in and just add an item to the cart, when you go to checkout the site switches to the https:// version of the site for login. So they sort of get it, and our browser warning will protect people from using the insecure sign-in too early in the process.
Please, I'm shopping. I'm just trying to make H&M feel better about me not visiting it for a while. And now I have to go through these hoops, just so that my personal details aren't pilfered?
Mozilla's engineers offered me one final kink, one that made me not want to buy an H&M sweater again:
Of course if you sign in securely and then go back to shopping they're then sending the auth cookies unprotected so that's still insecure, but at least the eavesdropper could only reuse the cookies to get into your account for that session and wouldn't know the actual password.
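The two problems Mozilla's engineers describe above, an https:// page that redirects to plain http:// and a login cookie that the browser then sends unprotected, are both things a site owner can check for mechanically. The script below is an added example, not code from the article or from Mozilla or H&M; it runs over a constructed redirect chain and constructed Set-Cookie headers (the shop.example hostnames and SESSIONID cookie name are made up) and flags a scheme downgrade between hops and any cookie issued without the Secure attribute.

```python
"""Check a redirect chain for an https -> http downgrade and Set-Cookie
headers for cookies that lack the Secure attribute.

All input here is constructed sample data modelled on the behaviour the
article describes; it is not captured traffic from any real site.
"""
from urllib.parse import urlparse

# Constructed: the URLs a client visits while following redirects after
# clicking a country link on a storefront.
SAMPLE_CHAIN = [
    "https://shop.example/us",                 # the https:// link on the chooser
    "http://www.shop.example/us/index.html",   # redirect target drops to http
]

# Constructed: Set-Cookie headers a server might return after a secure login.
SAMPLE_SET_COOKIE = [
    "SESSIONID=abc123; Path=/; HttpOnly",           # session cookie, no Secure
    "prefs=dark; Path=/; Secure; SameSite=Lax",     # correctly marked Secure
]


def find_downgrades(chain):
    """Return (from_url, to_url) pairs where a hop goes from https to http.

    A browser following such a hop leaves TLS behind, so anything on the
    destination page (a sign-in form, a cookie) travels in the clear.
    """
    downgrades = []
    for src, dst in zip(chain, chain[1:]):
        if urlparse(src).scheme == "https" and urlparse(dst).scheme == "http":
            downgrades.append((src, dst))
    return downgrades


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie_name, {attr_lower: value}).

    Attribute names are case-insensitive per RFC 6265, so they are lowered;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookies_missing_secure(set_cookie_headers):
    """Names of cookies that the browser would also send over plain http.

    Without the Secure attribute a cookie set during an https login is
    attached to every later http request for the same host, which is the
    "auth cookies unprotected" situation described above.
    """
    return [
        name
        for name, attrs in map(parse_set_cookie, set_cookie_headers)
        if "secure" not in attrs
    ]


if __name__ == "__main__":
    for src, dst in find_downgrades(SAMPLE_CHAIN):
        print(f"downgrade: {src} -> {dst}")
    for name in cookies_missing_secure(SAMPLE_SET_COOKIE):
        print(f"cookie without Secure attribute: {name}")
```

Both checks point at the same remediation: serve every hop over https and add the Secure attribute to session cookies. A Strict-Transport-Security header on the https origin would additionally stop a conforming browser from following the http redirect at all.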
I wonder when H&M will send me its next hurt postcard.