Tech Shakedown #7: Do Nike.com's Flash based payment pages pass the security test?

A couple of weeks ago, I paid a visit to Nike.com in search of some specific sunglass frames to replace Nike ones of mine that broke. The broken pair included some prescription lenses and I was hoping to find the same frames so that I didn't have to bear the cost of getting new lenses as well. Fortunately, what I couldn't find at my local optician's store was indeed available through Nike.com. One thing I noticed upon arriving at Nike.com is how fully its Web site is based on Adobe's Flash technology. In fact, it's a real showcase for how well Flash can be put to work in order to bring a shopping site like Nike's online store to life.

But what I wasn't expecting was that the so-called "money pages" -- the ones where you input your shipping address and credit card information -- were Flash-based as well. You almost never see this on the Web. Usually, by the time you get to the forms where you must input such personal information, the site flips back to a basic HTML mode. Not only that, if the shopping site follows the norms of the Web (as it should), the Web address prefix flips from "http" to "https" and a padlock appears in the browser's lower right-hand corner indicating that it's operating in a secure mode under which information being transferred across the Web gets encrypted.

For years now, Web users have been blitzed with instructions to look for the infamous "https" and the browser padlock before proceeding with sensitive transactions (purchases, online banking, etc.). But when the Flash runtime takes over those transactions, the browser's cues stop telling you much. The address bar and the padlock describe the page that was loaded, not the requests a Flash movie embedded in that page makes on its own. A Flash form can post to an "https" address over SSL (the encryption behind HTTPS) while the address bar still reads "http" and no padlock appears, so the absence of the familiar cues proves nothing either way.

In the case of Nike.com the visual cues that Web users have been taught to look for never appeared when I purchased my new sunglass frames. It caused me to wonder whether my personal information was being securely transmitted or not. Wisely, Nike has added some special links in its Flash-based interface in an effort to answer that question. But how do you know it's true? For the most part, you can trust your browser to be an independent judge of what's being sent across the wire. When you see the padlock and https in the URL field, it's like an objective auditor telling you what's happening. But, when it's just a reassuring public statement on a Web site, how can you be sure?

To double check, I decided to do a security "shakedown" of Nike's Flash-based interface using the open source-based Ethereal protocol analyzer running on Linux. If Nike's Flash-based interface was encrypting the personal information being sent across the wire, Ethereal's protocol analysis tool would show HTTPS as the protocol and the contents of the packets would be scrambled. Without encryption, the information I was sending down the wire would show up in clear text which wouldn't be good.
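The check described above, done with Ethereal (since renamed Wireshark), amounts to looking at the first bytes a client sends on each connection: a TLS record header means the analyzer will label the stream SSL/HTTPS and show an opaque body, while a bare HTTP request line means everything in it, including any form fields, is readable by anyone on the path. The script below is an added example, not code from the original post or from Nike; it reproduces that check over captured TCP payloads and, for a cleartext POST, lists which sensitive fields a passive observer could read. The sample payloads are constructed for the example and were not captured from Nike.com.

```python
"""Tell TLS traffic from cleartext HTTP in captured TCP payloads.

Added example, not code from the original post. The sample payloads below
are constructed for the example; they were not captured from Nike.com.
"""
from urllib.parse import parse_qs

# A TLS record starts with a content type byte followed by a 0x03xx version:
# 0x14 change_cipher_spec, 0x15 alert, 0x16 handshake, 0x17 application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ")
# Form field names (compared lower-cased) that must never travel in the clear.
SENSITIVE_FIELDS = {"cardnumber", "cvv", "expiry", "password", "ssn"}


def classify_payload(payload: bytes) -> str:
    """Classify the first bytes a client sends on a TCP connection.

    Returns 'tls' for a TLS record header (what the analyzer shows as
    SSL/HTTPS with a scrambled body), 'http' for a cleartext request line,
    and 'unknown' for anything else.
    """
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def leaked_fields(payload: bytes) -> dict:
    """For a cleartext url-encoded POST, return the sensitive fields on the wire."""
    if not payload.startswith(b"POST "):
        return {}
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or b"application/x-www-form-urlencoded" not in head.lower():
        return {}
    form = parse_qs(body.decode("latin-1"))
    return {name: values[0] for name, values in form.items()
            if name.lower() in SENSITIVE_FIELDS}


def audit(streams: dict) -> list:
    """Return (stream name, verdict) pairs; FAIL means secrets were readable."""
    results = []
    for name, payload in streams.items():
        kind = classify_payload(payload)
        leaked = leaked_fields(payload)
        if kind == "tls":
            verdict = "PASS (encrypted)"
        elif leaked:
            verdict = "FAIL (cleartext: " + ", ".join(sorted(leaked)) + ")"
        else:
            verdict = "INFO (" + kind + ", no sensitive fields seen)"
        results.append((name, verdict))
    return results


# Constructed samples: a minimal TLS 1.0 ClientHello record (one cipher
# suite, empty session id) and a cleartext form POST of the kind a payment
# page must never send.
TLS_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"          # record: handshake, TLS 1.0, 45 bytes
    b"\x01\x00\x00\x29\x03\x01"      # ClientHello, 41 bytes, TLS 1.0
    + bytes(32)                      # client random (zeroed for the sample)
    + b"\x00\x00\x02\x00\x2f\x01\x00"  # no session id, one suite, null compression
)
CLEARTEXT_POST = (
    b"POST /checkout/billing HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 61\r\n\r\n"
    b"name=Jane+Doe&cardNumber=4111111111111111&cvv=123&expiry=1209"
)
HARMLESS_GET = b"GET /catalog/sunglasses.swf HTTP/1.1\r\nHost: shop.example\r\n\r\n"

SAMPLE_STREAMS = {
    "tcp stream 0": TLS_CLIENT_HELLO,
    "tcp stream 1": CLEARTEXT_POST,
    "tcp stream 2": HARMLESS_GET,
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_STREAMS):
        print(f"{name}: {verdict}")
```

To run it against real traffic, feed in the first client-to-server bytes of each TCP stream (Wireshark's "Follow TCP Stream" export is one way to get them). Two caveats: the check is a heuristic on the first bytes, so a connection that starts in the clear and later upgrades is reported as cleartext; and seeing a TLS handshake only tells you the channel was encrypted, not which server the Flash movie was talking to. The browser padlock also vouches for the certificate, and a plugin's own connection gives you no such assurance.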

As you can see from the video, Nike's Flash-based interface had indeed flipped into a secure mode and was using HTTPS to transfer my personal data (resulting in that data's encryption). That said, I still think Nike should do more. Also in the user interface is a large Verisign logo that, when clicked on, basically says that users should be looking for "https." Meanwhile, even though the site was using HTTPS to transmit my personal data, my browser (Firefox) wasn't reflecting usage of the Web's secure protocol. Also, when entering shipping and billing information, Nike eases the data entry process by allowing you to copy the shipping name and address into the credit card billing form. But not only does the telephone number not get transferred (forcing one to re-enter it), birth date is one of the required fields (odd).

In the bigger picture, as more and more shopping sites look to rich media platforms like Flash, Java, and Microsoft's Silverlight to breathe interactive life into their catalogs, the more we're going to see those sites also using those platforms to finish the transactions as well. Not only is it incumbent upon those sites to make sure personal information is encrypted before being transferred across the Web, there needs to be some standard, independent way to visually indicate that these technologies have flipped into a secure mode. Perhaps a signal can be passed to the browser that results in a padlock. Or maybe the industry can standardize on some sort of interactive pop-up. Given how the sporting goods company is living on the bleeding edge of interactive online shopping, I guess Nike did the best it could given that no such standards exist (and it used inaccurate boilerplate text from Verisign). Maybe it could have gone further. Overall, I give the Nike site a B+. Watch the short video and tell me what you think in the comments below.