eBay

clu3 · ‎04-14-2018

I'm finding some pages under the My eBay header to load insecure pages, i.e. http vs https. This happens in both IE11 and Firefox. The pages are My eBay, Summary, Recently Viewed, and Selling.

The page source shows those pages as DOC TYPE html PUBLIC vs. DOC TYPE html.

My workaround has been to change http to https in my address and save a bookmark, but it would be convenient to use the menu. I've contacted @askebay on Twitter but nothing has changed.

mecheng · ‎04-14-2018

I'm also using IE right now and all "my eBay" pages show as secure.

berserkerplanet · ‎04-14-2018

The document type declarations have nothing to do with security or HTTP vs HTTPS. They are just indicators of the HTML version abd intended HTML standards for the browser rendering engine to use for page layout to conform with what the page author had in mind.

Yes, My eBay menu links are insecure HTTP links - eBay hasn't gotten around to fixing that yet.

In Firefox, you could use some thing like the Redirector addon to create a redirection rule(s) to change the HTTP links to HTTPS links when a page loads, and there are other things like HTTPS Everywhere for Firefox, Firefox/Android, Chrome, and Opera and probably others. No idea if anything similar can be done with IE 11 (but don't think so).

I don't worry about it. I doubt hackers are mounting man in the middle attacks on my internet connection to obtain my eBay login password.

Assuming there were any drive-by or XSS type attacks that could somehow leverage the HTTP situation, that can be mitigated by running an adblocker to stop potential malicious content from unvetted ad networks (and annoying ads in general), using that browser instance for only eBay. PayPal, and other controlled website visitations, and using another browser or browser instance for other business (cat videos, and visiting less safe corners of the internet)

(But now that you pointed it out, and got me thinking about it, I'll probably go ahead and fix it up here with Redirector)

My main eBay Firefox browser only visits eBay, PayPal, USPS.com, FedEx.com, UPS.com, and Craigslist, is sandboxed, has no plugins (like Flash), is tightly locked down using Noscript, cookie managers, Adblock Plus, a proxy, and 50000 blocked domains in a Windows HOSTS file . That means it doesn't go anywhere there could be ick, and if somehow it runs into something nefarious on one of the trusted sites, the nefarious content can't run any scripts, leave cookies, etc (unless the website - such as eBay - is totally pwned by the attackers and then it's over anyway). Approach pretty much neuters anything I haven't manually whitelisted.