12-19-2018 11:20 AM
I was shopping another seller's store last night and this morning and when I look at his listing, it says https. When I click on seller's store, I see not secure. I looked at my own store and it doesn't do this. I took this picture of the screen. I let the seller know, but he wasn't sure what to do.
12-19-2018 11:16 PM
The link to the seller's store on their profile page is https://www.ebay.com/str/casesandeverythingelse
Link on top of search results page (blue door icon) is https://www.ebay.com/str/Cases-and-everything-else
Link on each search result on results page (blue door icon) is http://stores.ebay.com/Cases-and-everything-else
Link on any particular listing page is http://www.ebay.com/str/Cases-and-everything-else
The profile page link, top of search page link, and listing page links redirect twice, while the search result door icon links only once (since those targets are already the target of the first internal redirect):
07:52:56.767 0.622 2354 327 GET 301
https://www.ebay.com/str/Cases-and-everything-else
Redirect to: http://stores.ebay.com/Cases-and-everything-else
07:52:57.404 1.216 2265 229 GET 301
http://stores.ebay.com/Cases-and-everything-else
Redirect to: http://www.ebaystores.com/Cases-and-everything-else
(note that the intermediate targets - the stores.ebay.com URLs - are also HTTP and insecure)
All end up on this store page http://www.ebaystores.com/Cases-and-everything-else which is an HTTP page and not secure.
I think what is happening here is that that seller is still on the old store format, and I believe is either not being transitioned to HTTPS (since all stores are supposed to move to the new layout?), or is low on the priority list for transitioning to HTTPS.
Yes, it may be off-putting to some buyers who are not tech-savvy (I don't believe there is any point in anyone bothering with a man-in-the-middle attack for a store page so I see it as a non-issue).
So really not an issue other than the fact that some will run around in circles with their hands in the air crying "eBay has been hacked!".
As I mentioned above, I'm not sure if eBay is planning on transitioning those legacy store pages eventually (I don't have a store - so no skin in the game), or isn't bothering because they want everyone on the new store pages that don't have this problem.
If that seller has an issue with the situation, he can switch to the new store layout (I think) if he believes the tradeoff is worth the added buyer security peace-of-mind.
Let's see what @shipscript thinks.
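An added example, not part of the original thread: a Python sketch that parses a redirect trace in the format posted above and labels each hop by its scheme change, so the HTTPS-to-HTTP downgrade and the final insecure landing page stand out. The function names and the meaning of the numeric columns are assumptions; the trace itself is copied from the post.

```python
import re
from urllib.parse import urlsplit

# Trace copied from the post above. Column meanings are an assumption:
# time, duration, two byte counts, method, status; then request URL; then target.
TRACE = """\
07:52:56.767 0.622 2354 327 GET 301
https://www.ebay.com/str/Cases-and-everything-else
Redirect to: http://stores.ebay.com/Cases-and-everything-else
07:52:57.404 1.216 2265 229 GET 301
http://stores.ebay.com/Cases-and-everything-else
Redirect to: http://www.ebaystores.com/Cases-and-everything-else
"""

HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\S+\s+\d+\s+\d+\s+(\w+)\s+(\d{3})$")
KINDS = {("https", "http"): "downgrade", ("http", "https"): "upgrade",
         ("http", "http"): "cleartext", ("https", "https"): "secure"}

def parse_trace(text):
    """Turn the trace text into a list of hops (status, url, location)."""
    hops, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        match = HEADER.match(line)
        if match:
            current = {"status": int(match.group(2)), "url": None, "location": None}
            hops.append(current)
        elif not line or current is None:
            continue  # blank line, or text before the first request
        elif line.startswith("Redirect to:"):
            current["location"] = line.split(":", 1)[1].strip()
        elif current["url"] is None:
            current["url"] = line
    return hops

def audit(hops):
    """Label every redirect by scheme change and report where the chain lands."""
    labelled = []
    for hop in hops:
        if hop["url"] and hop["location"]:
            pair = (urlsplit(hop["url"]).scheme, urlsplit(hop["location"]).scheme)
            labelled.append((hop["url"], hop["location"], KINDS.get(pair, "other")))
    final = labelled[-1][1] if labelled else None
    return {"hops": labelled, "final": final,
            "final_secure": bool(final) and urlsplit(final).scheme == "https"}

if __name__ == "__main__":
    report = audit(parse_trace(TRACE))
    for src, dst, kind in report["hops"]:
        print(f"{kind:9} {src} -> {dst}")
    print("lands on:", report["final"], "(HTTPS)" if report["final_secure"] else "(HTTP, not secure)")
```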
12-19-2018 11:54 PM
The old legacy stores are still delivered over a "non-secure" http connection because most of the remaining legacy stores have custom pages or custom content that has not been updated to the new standards. Many of the custom stores still maintain designer-made templates with stylesheets linked from external servers. eBay is not planning to deliver legacy pages over a "secure" connection because that would cause too much unnecessary work for all parties for a dead-end product, and would actually cause browsers to block the mixed content. Since there is nothing in a store that really needs a secure connection, there is no rush.
The new store format is both mobile friendly and delivered over a secure connection, and most store owners have been migrated to the new store format. All remaining store owners (those who still have legacy custom pages) must eventually migrate to the new store format. When that migration is complete, all stores will be delivered over a secure connection.
12-20-2018 12:36 AM