Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

SSL: The Sites Which Don't Want To Protect Their Users

November 24, 2010 - 2 min read

Last week I explained some of the challenges that websites face to switch to SSL to protect their users. The main challenge is to send the correct SSL certificate in all cases.

Some websites make it very hard, or even impossible, to use secure connections to protect their sessions. It has been exactly a month since Firesheep was released to demonstrate the problem of session side-jacking, but these websites are still not willing to do anything about this problem.

Here are some of these sites, all part of the list of domains monitored by Firesheep.

Amazon: no HTTPS for you!

It is just not possible to use! This address redirect users to

Permanent redirection from HTTPS to HTTP

To their credit, users must login again over HTTPS to make an order, but Amazon still provides plenty of information about their users: first name, last name, what they're interested in, full access to their shopping cart, etc. certificate

If you go to, you get a certificate for  This isnt very helpful for users not aware that BaseCamp is a product from the company 37Signals.

SSL certificate valid for a very different domain name

Facebook: hidden HTTP connection, HTTPS login fails

I logged into my Facebook account using Out of the 10+ requests required to display my home page, one of them is done to This request does carry all the cookie values needed to hijack my account. There is currently no way to surf Facebook safely.

Unsecure HTTP connection
There is a worse scenario. I logged out of my account, and went to the secure login page I entered the wrong password by accident. I was then redirected to the secure page There, I entered my password correctly. But I was redirected to the unsecured (no HTTPS)!

Redirection from secure login page to unsecured home page

Although Firesheep has made a lot of noise, and the issue of session side-jacking has now been widely reported on, even the major sites have not taken the necessary actions to protect their users. It is very sad to see sites such as Facebook, widely used and by a large and diverse audience, are still very insecure.

This was just a quick review of a few sites, I'm sure plenty of other sites have the same weaknesses.

Happy Thanksgiving!

-- Julien
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.