The state of UK Supermarket Online Security
I have used the Waitrose online shopping service for a while and last week noticed that some of their website practices looked less than ideal, so I checked further.
Here is a snapshot of some trivial checks taken on the 25th of January 2016. I hope that by the time you read this the situation has improved.
The checks made were rather simple, and I am reporting my findings, not making any suggestions or recommendations.
- Check the SSL server using the freely available Qualys SSL Labs server test.
- See if the site's login form is loaded via HTTP or HTTPS. Troy Hunt explains in his 2013 post, "Your login form posts to HTTPS, but you blew it when you loaded it over HTTP", why this is not a secure strategy.
- See if the site is served entirely via HTTPS or is a mixture of HTTP and HTTPS. This may or may not be a problem, but some sites with this configuration may be subject to session hijacking.
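The second and third checks can be repeated offline against a saved copy of your own login page. The script below is an added example, not part of the original post: it parses the page, flags a login form that was served over HTTP, a form action that would post over HTTP, and any plain-HTTP resources (mixed content on an HTTPS page). The page URL and HTML are constructed samples; `shop.example` and `cdn.example` are placeholder hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageScanner(HTMLParser):
    """Collects form actions and external resource URLs from one HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action posts back to the page URL itself.
            self.form_actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(urljoin(self.page_url, a["src"]))
        elif tag == "link" and a.get("href"):
            self.resources.append(urljoin(self.page_url, a["href"]))


def check_login_page(page_url, html):
    """page_url is the URL the body was actually served from (after redirects)."""
    scanner = _PageScanner(page_url)
    scanner.feed(html)
    scheme = lambda u: urlparse(u).scheme
    return {
        # The form itself must arrive over HTTPS; posting to HTTPS is not enough.
        "login_form_over_http": scheme(page_url) != "https",
        # Actions that would send the credentials in the clear.
        "form_posts_over_http": [u for u in scanner.form_actions if scheme(u) != "https"],
        # Plain-HTTP resources; on an HTTPS page this is mixed content.
        "http_resources": [u for u in scanner.resources if scheme(u) == "http"],
    }


# Constructed sample: an HTTPS login page that posts to HTTPS but pulls a
# script over plain HTTP (mixed content).
SAMPLE_URL = "https://shop.example/login"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example/jquery.js"></script></head>
<body><form action="/login" method="post">
<input name="user"><input name="pass" type="password"></form></body></html>"""

if __name__ == "__main__":
    for name, value in check_login_page(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{name}: {value}")
```

To use it on a real page, pass the final URL and body returned by your HTTP client after following redirects, since a site that redirects `http://` to `https://` is in better shape than one that answers the login page directly over HTTP.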
The findings are in the table below.
Store | SSL Labs Score | HTTP Login Form | Mixed HTTP/HTTPS | SSL Issues |
---|---|---|---|---|
Morrisons | A | No | No | |
Ocado | A | No | No | 1 |
Sainsbury's | B | No | Yes | 2 |
Tesco | B | No | Yes | 3 |
Asda | C | Yes | Yes | 4 |
Waitrose | F | Yes | Yes | 5 |
SSL Issues (numbers refer to the last column of the table)
1. Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.
2. This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.
3. This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
4. This server uses RC4 with modern protocols. Grade capped to C. Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.
5. This server is vulnerable to the POODLE TLS attack. Patching required. Grade set to F.
I do not wish to suggest that this is an exhaustive study of the online shopping systems of these providers, but it could be used as a simple template for people to use as a starting point to see if the online systems they use contain any glaring holes.