If you have read my past articles, you may have noticed that I am a little annoyed by the low number of e-commerce sites using HTTPS encryption to protect their customers. While most do use encryption for payments, usually that is because they use the services of a payment processor, and because using encryption for the payment info submission pages is required by the credit card companies. As far as I can tell, very few e-commerce sites use encryption for displaying the shopping cart, collecting customer information about name and address, or the customer login, although I have an impression that larger e-commerce companies are better at this than smaller ones.
In the past few weeks I may have discovered a possible clue to why this is happening: computer security and encryption do not appear to be topics of concern at major e-commerce industry conventions.
I first noticed this when I became aware of a Norwegian e-commerce convention in February, E-Commerce Norway 2015. I quickly looked at its agenda and exhibitor list, and none of the topics for the keynote speakers mentioned security, and the most security-related exhibitor I found seemed to market only physical security for brick-and-mortar shops, which is not very e-commerce-related in my opinion. I was not able to find any mention of security consultancy companies or certificate authorities, not even any of the Norwegian ones.
This could just be a regional convention fluke, but my initial feeling was that such conventions follow templates defined by larger international conventions: if a topic is covered by a major convention, the smaller ones “have” to include it, and if it isn’t covered there, the smaller conventions leave it out too.
I proceeded to check three major US e-commerce conventions, and based on the available information on their sites (information that did not require registration) none of them covered security in any broader fashion than the Norwegian convention, although one did have an empty exhibitor category for “Internet security”.
In Europe the situation was similar, at most including fraud as a topic (which essentially means protecting the e-commerce company against losses, not the customer), with the major difference being the Interop London 2015 convention (previously named “Internet World”), which is co-located with a “Black Hat Security Zone” and the IFSEC International convention in the same venue.
Although such co-location is good, in my opinion it would be much better if the exhibits and programs were combined into a single event, or at least that each event include relevant exhibits and speakers from the other conferences, creating a possibility for a better exchange of ideas and information.
While Interop London did improve the picture compared to how it looked initially, I still get the impression that the e-commerce conventions do not properly cover customer online transaction security and privacy, and I believe that this topic should be integrated into the conventions, not be an add-on in a separate convention.
If my impression is correct, what caused the problem? My guess is that it could be due to a combination of several factors: encryption is still considered very technical and a niche topic for specialists, and it probably falls outside what many web designers and backend implementors consider their area of responsibility, possibly leaving no one considering security in smaller organizations. Those designers and developers are the ones who, along with managers, would likely go to e-commerce conventions and give presentations there. The resulting lack of security-related program items and exhibitions might in turn result in fewer security professionals attending those conventions. Add to this that security and security-related conventions may have an “only hackers go there” reputation, discouraging e-commerce developers from attending, and we might get a self-reinforcing loop creating significant distance between the e-commerce and security communities.
To fix this problem I would suggest that the CA Security Council, as well as individual Certificate Authorities and security consultants, start attending e-commerce conventions as both speakers and exhibitors.