Security issues at the HP online store

Once upon a time, I set out to buy an HP Spectre x360 laptop. It didn't go well, and the issues I encountered offer a lesson in what to look for when making purchases online.

The first red flag went up when the computer was added to the shopping cart at hp.com. At least HP uses a secure shopping cart, many sites do not.

But, I immediately noticed that the cart uses a Domain Validation (DV) certificate. This was also true throughout the checkout process.

hp.order.no.ev.cert

Digital certificates are a large part of what makes a secure web page/site secure. A certificate is a file that the website provides the browser. Certificate files serve two main functions, encryption and authentication. Authentication, in this context, refers to the trust that store.hp.com really belongs to Hewlett-Packard.

Issuing digital certificates is a business, and judging by the many companies in it, a profitable one. The companies that issue certificates are called Certificate Authorities or CAs for short. There are different types of certificates, but the two most important are Domain Validation (DV) and Extended Validation (EV).

Domain Validation certificates are cheap, issued quickly and come with no practical trust. Extended Validation certificates cost more, take time to issue and are far more trustworthy.

The process of issuing a DV certificate is often automated. The "extended" validation inherent in an EV certificate takes a person time, so they cost more. How much more?

At both Thawte and GeoTrust, a DV certificate starts at $149/year, EV at $299. GlobalSign DV certificates start at $249/year, EV at $899. On the high side, Symantec DV certificates start at $399/year, EV at $995. DigiCert does not even issue DV certificates. Their cheapest option is a step up, an OV certificate for $175/year (EVs are $295). All five companies offer discounts if you sign up for more than one year.

Why pay more for an Extended Validation certificate?

Not for the encryption. Both DV and EV certificates support bad, average or excellent encryption.

Jason Sabin, Chief Security Officer at DigiCert, says

.... trust in today's web requires a strong assurance that the party we're communicating with or sending our personal details to really is the intended one. ... Free or automated, domain-only vetted SSL Certificates lower the barriers for cyber criminals and fraudsters to use SSL ... High-assurance EV certificates require stringent processes and third-party validation that makes it much more difficult for fraudsters to execute their schemes. 

In the case of HP, for example, the letters H and P in a domain name do not imply that the domain belongs to Hewlett-Packard. Anyone can pay a registrar (registrars are companies that register domain names) for a name such as hpstore.com, hponline.com, hewletpackard.com (missing a T), hpstore.net, hpshopping.com or hp-store.com.

Starting with a scam domain, such as hp-store.com, a bad guy can then buy a DV certificate for it. All that's needed is money and proof that you own the domain name. Proof that you are associated with HP is not required.

In contrast, only someone from Hewlett-Packard should be able to get an Extended Validation certificate for hp-store.com.

That said, the oil company Helmerich & Payne may also want to use hp-store.com. They could get an EV certificate for it, but they could not pose as the computer company because web browsers display the verified company name associated with an EV certificate.

With an EV certificate, Chrome 42 on Windows displays the company name in a green rectangle to the left of the URL. Contrast this with the screen shot above from the HP store. The example below clearly indicates that grc.com belongs to Gibson Research Corporation. Anyone looking for the Gordon Research Conferences should go to grc.org. 

grc.uses.ev2

By the way, I chose the HP examples off the top of my head. Later research showed that hpstore.com, hpstore.net and hpshopping.com do belong to Hewlett-Packard. hponline.com does not. Neither does hewletpackard.com (with the missing T). hp-store.com is the most interesting, it is registered to an anonymous person in Russia.

EV certificates matter. And yet, HP uses a DV certificate at their online store.

The HP store (store.hp.com) uses a certificate issued by GeoTrust. As noted above, they charge roughly $150/year more for an EV certificate compared to their DV certificates. Hewlett-Packard can't afford $150/year for their online store?  

HP is not alone, many companies that should know better are using DV rather an than EV certificates. Even Amazon.com uses a DV certificate in their checkout process (below). So too, does Best Buy. 

amazon.dv.cert

Citibank (shown below), Bank of America and JPMorgan Chase all use EV certificates on their home page

ev.cert.sample.ff.citi

Wells Fargo, however, uses a DV certificate on theirs. 

dv.cert.sample.ff.wellsfargo

Why are EV certificates snubbed by companies that should, or do, know better?

One guess is a lack of end user education. If your customers are not familiar with the different types of certificates, why pay more for extended validation?

Another guess is the inconsistent way browsers indicate the presence of an EV certificate.

Old timers may recall that Internet Explorer changed the entire address bar from white to green, a visual clue that was hard to miss. Sadly, neither Chrome, Firefox, Safari or Opera do that.

At the bottom of this page from DigiCert, you can see what EV certificates look like in five browsers. Maddeningly, each is different.

For example, Opera does not display the verified company name. Three browsers display the company name on the left, while Internet Explorer puts it on the right. All the browsers use green to indicate the extra safety of an EV certificate, but Firefox limits the green to the font used to display the company name, which is very easily missed (see Citibank example above). 

And, browsers change over time (the page with the examples is undated). Opera 28, now indicates EV certificates in a very different way. Safari on iOS also looks nothing like the Safari on OS X example.

ANOTHER SECURITY ISSUE

Web pages consist of many parts. One thing any secure (SSL/TLS/HTTPS) page should do, is to build itself using nothing but SSL/TLS. That is, every included resource (image, script, iframe, etc) should be fetched with HTTPS.

The HP store does not do this.

Firefox 37 indicates the problem with a white exclamation point inside a gray triangle. Clicking on the triangle produces the explanation shown below "The connection to this website is not fully secure because it contains unencrypted elements (such as images) or the encryption is not strong enough.

hp.order.notallssl


Chrome 42 has its own warning (below): "Your connection to store.hp.com is encrypted with obsolete cryptography. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page." 

hp.order.store.no.all.ssl


Internet Explorer 11 notes, at the bottom of the page, that only secure content is displayed and offers a gray button to "Show all content".

FORWARD SECRECY

Even if they are error-free and extra validated, many secure websites can still be spied on.

Rather than break the SSL/TLS encryption, spies only need to collect the secure pages (taken for granted at this point) and somehow obtain the key. Of course, there should not be a single key, yet there often is because websites fail to implement Perfect Forward Secrecy (PFS). I wrote about this back in June of 2013.

Forward Secrecy insures that every visit to a secure website uses a different encryption key. Without it, the same key is used for all visitors for years at a time. Using different keys all the time forces spies to break the encryption. Using a single key means that spies would only need to obtain one file every few years. 

Far too many sites ignore Perfect Forward Secrecy, including Apple, Best Buy, NewEgg, and Walmart. That said, when you make purchases at Amazon, Microsoft and Dell, you are protected by it.

To check if your favorite secure site uses Forward Secrecy head over to the excellent Qualys SSL Server Test. Their evaluation of store.hp.com, below, shows that it does not support Forward Secrecy. 

ssl.server.test.hpstore

Chrome users can also install the Netcraft extension. Firefox users can install the Netcraft Anti-Phishing Toolbar. Doing so would show, for example, that Citibank also fails to use Forward Secrecy. 

citi.no.pfs


CHECKOUT ISSUES

Needless to say the store checkout process requires credit card information. When you enter the expiration year for your credit card at the HP store, the drop-down list includes 2013 and 2014 as valid choices. Not a big thing, in and of itself, but it shows that no one is paying attention.

Finally, like any good store, HP pushes you to buy accessories for your new laptop computer. I needed one. The Spectre x360 lacks an Ethernet port, so I might have opted for a USB to Ethernet adapter - but it wasn't offered.

A later search found an HP branded adapter that works with their EliteBook line. No mention of the Spectre line however. Also missing are the speeds. Is it USB 2 or 3? Is the Ethernet Gigabit or not? Does it support Wake On LAN? Again, it seems as if no one is paying attention. 

All in all, the HP store struck me as surprisingly amateurish. And that was before my credit card was declined.

No big deal; HP says to call the credit card company, have them approve the purchase, then call them on the phone. I do all this, and speak to an HP person who sounds like they are on the other side of the world. Perhaps they are.

I have a hard time understanding what the person says. Long story short, the pending laptop order can not be revived, I have to start the ordering process from scratch.

This I do, but at BestBuy.com.

hp Spectre laptop in box

-----------

Updated May 6, 2015 to reflect the fact that DigiCert does not issue DV certificates.

Copyright © 2015 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon