After weeks of emails bouncing back and forth between me and Nike representatives about the lack of HTTPS SSL security on Nike.com, I finally got an email yesterday that Nike has fixed the problem. I was first made aware of the issue by fellow blogger David Berlind's post on Nike's e-commerce failing to implement HTTPS, which makes it impossible for shoppers to know if they're looking at the real Nike.com or if they're feeding their credit card information to a criminal posing as Nike.com.
There was a similar case with a large number of American banks that did the same thing and failed to implement HTTPS for their online banking sites; most of the banks silently fixed the issue after a few months without informing anyone that anything was wrong in the first place. I wasn't sure if I was getting through to Nike, and I was just about to write a blog exposing the situation when I got the email explaining that Nike fixed the problem after some internal meetings and tests to verify nothing would break with their Flash-based e-commerce site. Now when you go to Nike.com, pick out what you want, and hit the checkout button, you'll be redirected to an HTTPS site before you are asked to enter your credit card information.
There was some initial concern that this couldn't be done while maintaining the session, so I was going to suggest encrypting the entire shopping session, since encryption is basically free (from a hardware standpoint) these days, but that wasn't necessary. I am happy with Nike's overall responsiveness to my complaints, and I hope every online site learns from this incident and does not make the same mistake again.