wyardley wrote: While technically, it's an outside chance that someone could intercept this information if it's transmitted in the clear, I don't think you have much to worry about, even if you're concerned about someone figuring out your home address or what you're ordering.

I just got this mental image of someone figuring out a home address and what you're ordering and sending you a letter asking how you liked it, and recommending x type of tea, since you've ordered y type of tea multiple times... hehe.
Re: Yunnan Sourcing New Website
wyardley wrote: YSLLC's site isn't hosted in China, and I think you're being a little overly paranoid.

True, it is seemingly part of the Amazon Elastic Compute Cloud.
wyardley wrote: I don't think the order information (in particular) or home address information are so sensitive that they need to be encrypted. I can think of plenty of other sites which transmit this sort of data in the clear.

I don't do enough online buying with various vendors, so I can't really give stats about that. I took two that adopted the https pattern after user login: amazon and yuuki-cha.
wyardley wrote: Aside from that, any e-commerce site which emails you back your order information and address is also sending it in the clear, [...]

True, and it is annoying.
wyardley wrote: While technically, it's an outside chance that someone could intercept this information if it's transmitted in the clear, I don't think you have much to worry about, even if you're concerned about someone figuring out your home address or what you're ordering.

It's a principle. I do not drive my car with my home address painted on it. To characterize this as some kind of paranoia is a tad ridiculous. Compared to other email users, I do not get much spam. Maybe one a week or so. That is, without taking any measures against it. Why add to the chances of getting more?
After all, there's also a silly tendency of writing email addresses in forums with spaces in them or otherwise making them less obvious. By that logic, this usage pattern would also be part of the paranoia gang.
Although there's an issue with that kind of info being sent as cleartext in emails, I do not think that because of that, online vendors should get rid of the pattern that switches to https mode as soon as a user logs in to a vendor web site. I think this is good practice, and I think they should tackle the problem with emails next, rather than dropping all security instead.
That's my two cents.
Re: Yunnan Sourcing New Website
I'm not saying that paranoia itself is a bad idea; just that you shouldn't take the *illusion* of security for security itself. Having all remotely personal data encrypted between you and the website should be the least of your worries. Also, if you think there aren't plenty of people who know, or could get, your home address, I think you are probably being overly optimistic. Credit bureaus, marketing agencies, anyone you've done business with who's shared your address, etc. Between that and receiving order confirmations via email, you might as well drive around with your home address printed on your car.
What I would worry about more than whether all "personal" data is encrypted is where / how the site is hosted, and how data is stored / transmitted once it reaches the store. Having worked in the web hosting business some, as well as working as a systems admin for quite a while, I've seen a lot of online businesses keeping fairly poor security practices (bad file permissions in a shared hosting environment, sending credit card data via email (in some cases breaking up the data between two different email accounts), storing the card data in the clear, etc. etc.), and most of this is not stuff you'd be able to tell without being able to audit the shop directly.
Larger / higher profile shops have at least some incentive to keep things on the up and up, and in many cases, are also audited (or do self-assessments) for PCI compliance, which helps ensure that they're at least thinking about these things.
Feb 15th, '10, 23:07
Vendor Member
Posts: 2084
Joined: Sep 24th, '08, 18:38
Location: Boston, MA
Re: Yunnan Sourcing New Website
Sigh! I remember 10 years ago when I started internet shopping, I bought lots of nice deals like merino wool sweaters for $5-10, coupon code, free shipped. Then 90% of the women (and men) feel safer and safer online shopping, and nice deals are fewer and fewer!
I know I am a bit off topic... What I really want to say is, there are always many people who don't feel safe using a credit card online, and many of them change views after a few years.

Re: Yunnan Sourcing New Website
Well, I saw that (when compared to some other sites) https was not used as much (my experience), so I pointed it out. That single item. That single item on the internet, related to an online tea vendor mentioned in a tea forum. I mean, it was certainly not consultancy advice about web site/user security.
Storage of data at the vendor's site is also important, as you've mentioned. As well as employee practices. Just because that old trick of leaving USB keys around the building for the employees to pick up has been used so many times does not mean it will not be used again, for instance (and that is one single example). Simple principles go a long way. I tend to view security in a somewhat simpler form since I haven't used Windows for 10 years now, both at home and at work.
Larger/higher profile shops are better at it? Surely. Then again, I do not think that yuuki-cha would fit in that category. That's why I mentioned patterns. It seems like a well-accepted pattern in dealing with users in an online store context to enter https as soon as a user has logged in. I don't know where 'they' learned that, but it makes sense.

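The "https as soon as a user has logged in" pattern the thread keeps coming back to, written out as an added example (this is not code from the thread, from Yunnan Sourcing or from any other vendor named in it): a standard-library WSGI middleware that redirects any plain-http request for login or order pages, or any request already carrying a session cookie, to https, and marks the session cookie Secure and HttpOnly so it never travels in the clear again. The path prefixes, the cookie name `sid`, the host `shop.example` and the toy `shop_app` are all assumptions made for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit
# Assumed names: pages that carry login/order data, and the session cookie name.
SENSITIVE_PREFIXES = ("/login", "/account", "/checkout", "/orders")
SESSION_COOKIE = "sid"

def needs_https(environ):
    """Plain-http request that touches login/order pages or already carries a session."""
    if environ.get("wsgi.url_scheme") == "https":
        return False
    if environ.get("PATH_INFO", "/").startswith(SENSITIVE_PREFIXES):
        return True
    return SESSION_COOKIE in SimpleCookie(environ.get("HTTP_COOKIE", ""))

def harden_headers(headers):
    """Session cookie gets Secure+HttpOnly; HSTS keeps browsers on https from then on."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie" and value.startswith(SESSION_COOKIE + "="):
            value += "".join("; " + a for a in ("Secure", "HttpOnly") if a.lower() not in value.lower())
        out.append((name, value))
    return out + [("Strict-Transport-Security", "max-age=31536000")]

class ForceHttpsAfterLogin:
    """WSGI middleware: from login onward, every request must travel over https."""
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        if needs_https(environ):
            # Same URL with the scheme switched to https; host comes from the Host header.
            url = urlunsplit(("https", environ["HTTP_HOST"], environ["PATH_INFO"], environ["QUERY_STRING"], ""))
            start_response("301 Moved Permanently", [("Location", url)])
            return [b""]
        return self.app(environ, lambda s, h, e=None: start_response(s, harden_headers(h), e))

def shop_app(environ, start_response):
    """Toy shop (constructed): /login issues a session cookie, everything else is public."""
    headers = [("Content-Type", "text/plain")]
    if environ["PATH_INFO"] == "/login":
        headers.append(("Set-Cookie", SESSION_COOKIE + "=abc123; Path=/"))
    start_response("200 OK", headers)
    return [b"ok"]

def call(app, scheme, path, cookie="", host="shop.example"):
    """Drive a WSGI app with a constructed environ; returns (status, headers as a dict)."""
    env = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "QUERY_STRING": "",
           "HTTP_HOST": host, "HTTP_COOKIE": cookie, "REQUEST_METHOD": "GET"}
    got = []
    list(app(env, lambda status, headers, exc_info=None: got.extend((status, dict(headers)))))
    return tuple(got)
```

Wrapping the real application as `ForceHttpsAfterLogin(shop_app)` is enough; a public catalogue page still answers over http, but the moment a session cookie exists every request is bounced to https.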