Amazon is moving to HTTPS everywhere this June. The whole website is complex machinery with multiple components, and it takes time to move those components to HTTPS.
It is actually worse than that. Given an active attacker, one can easily steal passwords using SSL stripping attacks. eBay is also affected. Cookie stealing also works.<p>Pretty much every mixed http/https setup ("encrypt only the login") is broken.
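Added example, not part of the thread and not any site's own code: a defender-side check for the mixed HTTP/HTTPS weakness described in the comment above. It flags responses served in plaintext, HTTPS responses without a usable HSTS policy, and cookies set without the Secure attribute. The hostnames, cookie names and header values are constructed.

```python
import re
from http.cookies import SimpleCookie

def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    if not url.lower().startswith("https://"):
        # Browsers ignore HSTS received over plain HTTP (RFC 6797), so an
        # intermediary on the path can keep the user on HTTP indefinitely.
        findings.append("plaintext-response")
    else:
        hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
        m = re.search(r'max-age="?(\d+)', hsts[0], re.I) if hsts else None
        if m is None or int(m.group(1)) == 0:
            findings.append("hsts-missing-or-disabled")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            # Without Secure the browser also sends the cookie over HTTP,
            # where it is readable on the wire.
            if not morsel["secure"]:
                findings.append("cookie-without-secure:" + cookie_name)
    return findings

def audit_site(responses):
    """Map each URL to its findings; responses is a list of (url, headers)."""
    return {url: audit_response(url, headers) for url, headers in responses}

# Constructed sample responses (hypothetical hosts, not captured traffic).
SAMPLE = [
    ("https://shop.example/signin",
     [("Set-Cookie", "session-id=abc123; Path=/; HttpOnly")]),
    ("http://shop.example/product/1",
     [("Set-Cookie", "prefs=grid; Path=/")]),
    ("https://hardened.example/signin",
     [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "session-id=abc123; Path=/; Secure; HttpOnly")]),
]

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE).items():
        print(url, findings or "ok")
```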
I wonder if the lack of HTTPS during normal browsing is a deliberate choice (one motivated by testing) or if it's only like that out of legacy (preservation of URLs). It's difficult to imagine all of the possible issues they may know about that we don't, given their scale.<p>The author mentions that removing the ref parameter would be a solution to one of the problems discussed in the article but I put forward that they could also just encrypt the value for transmission and store the information in plain on the backend. If they won't move to HTTPS then that should solve at least one of the issues.
In an era where American ISPs charge extra to not spy on your non-encrypted traffic, it seems odd that Amazon doesn't care... improving the non-Amazon ads that you receive surely causes Amazon to lose money.
I had a scare regarding this a few days ago. I was searching for a Bose airline adapter on DuckDuckGo and clicked the top result without looking at the URL. [1] I ended up hitting some page on www.casselsonline.com that exactly mirrored Amazon's website right down to suggested items and everything. I didn't even notice I wasn't on amazon.ca until I went to sign in and found the certificate broken.<p>Couldn't find a place to report URLs on DDG, so I reported them to Google.<p>[1] These bad results still show in the index - https://duckduckgo.com/?q=bose%20airline%20adapter%20canada+site:www.casselsonline.com
With an HTTP connection, it becomes easy for an attacker in the middle to prompt the user to re-enter their password and have it re-transmitted in the clear.<p>I'm surprised more attackers don't do this.