Phalse Phishing Phear
27 January 2008


Hi,

I decided to purchase a half pound of coffee from you to see if I liked it. After selecting "add to cart" my Norton Antivirus program alerted me that your website may be a "Phishing" website and would not let me proceed. Is there some way you can verify your web site through some program or service that would present it as a valid website? (so I don't get a warning)

I have sent you this e-mail through a disposable e-mail address in case my Norton is correct.

I don't expect a reply. I'll just check your website again in about a month

Thank you, Ron

Of course the worries in the above email are totally unfounded.  Kona Earth is a legitimate business and we have done everything we can to make our website as secure and professional as possible.  There is nothing we can do to stop the false alarms displayed by some security software.  It is very frustrating for us to work so hard creating a legitimate business just to have it unfairly blocked for no good reason.  It is scary to think of how much business we have lost because of "security" software like this.  I'm sure this is not the first or last time we've lost business and I'm sure Kona Earth is not the only legitimate business being blocked.

In case you're not familiar with the term, phishing is when a fraudulent entity imitates a legitimate entity in an attempt to gain sensitive information.  The most common example is a phishing email that says something like "Click here to verify your account info."  The email link may look valid but will take you to a fraudulent website.  Being tricked by a clever email is one thing; going to a fake website on your own is far less likely.

Norton Ron, the sender of the above email, found our website through a search engine.  He browsed around the website some, including a couple of the blog entries which have pictures of our kids.  He went to the Shop page next and picked out some coffee he wanted to buy but when he tried to add it to the shopping cart his Norton "security" software popped up and warned him that Kona Earth might be a phishing website.

I'd like to think that at this point most people would say to themselves "Kona Earth isn't a phishing website.  A phishing website wouldn't have pictures of that farmer dude and his kids.  My silly security software must be lying to me again."

The trouble with "security" software is that it often creates more problems than it solves.  It slows your system horribly, eats up valuable hard drive space, creates all sorts of false alarms and is generally a big pain in the neck.  Even if you have the latest version of Norton installed it is still quite easy to download viruses or upload sensitive information.

The "security" software industry is very analogous to airline "security" provided by the TSA.  The TSA will touch women's breasts, confiscate your toothpaste and lie to you about needing to show your ID while still allowing weapons on board airplanes.  The TSA provides security theater, not real security.

Prior to 9/11 we had all been trained that if there was ever a hijacking we were supposed to sit quietly in our seats and allow the authorities to handle the situation.  The 9/11 hijackings were performed with box cutter knives.  Now, if there is ever a hijacking again, future hijackers will need a lot more weaponry than tiny knives.  Airline security is an important issue, I just don't think the TSA is the best answer.

Internet security is similar.  There are plenty of ways for dishonest people to abuse the Internet and you can't rely on someone else to protect you.  Most people have learned to not open unknown email attachments or click on suspicious links that ask for personal information.  Many people have even learned that the 's' in https means the website is using SSL security.  A little knowledge and common sense does a much better job of providing security than any third-party software ever can.

My specific problem stems from the fact that the Kona Earth website does not have its own SSL certificate.  (UPDATE: We do now have our own SSL certificate so a URL redirect is no longer necessary.)  Most small businesses use shared SSL certificates; it is a well-known and accepted practice.  Using a shared SSL certificate means that when browsing the Kona Earth website your browser will show KonaEarth.com as the domain but when you add something to your shopping cart it will show https://s.p5.hostingprod.com/@www.KonaEarth.com/... as the domain.  This is because the SSL certificate we use is owned by Yahoo!, which requires the domain redirection to their SSL servers.
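What the shared-certificate redirect looks like to a URL parser, as an added Python example (not from the original post, and not Norton's actual detection logic): the certificate authenticates the hosting provider's host, while the merchant's name appears only in the path. The `resembles_lookalike` rule and the function names are hypothetical; the shop URL and the own-certificate cart URL are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample inputs. The shared cart URL is the prefix quoted in the
# post; the rest of its path is elided there and is left out here.
SHOP_URL = "http://www.KonaEarth.com/"  # scheme and path are assumptions
SHARED_CART_URL = "https://s.p5.hostingprod.com/@www.KonaEarth.com/"
OWN_CERT_CART_URL = "https://www.KonaEarth.com/"  # constructed, post-UPDATE case


def base_domain(host):
    """Last two DNS labels. A simplification: real tools use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def describe_transition(shop_url, cart_url):
    """Compare the site a visitor browsed with the host serving the cart page."""
    shop_host = urlsplit(shop_url).hostname or ""
    cart = urlsplit(cart_url)
    cart_host = cart.hostname or ""
    merchant = base_domain(shop_host)
    same_site = base_domain(cart_host) == merchant
    merchant_in_path = merchant in cart.path.lower()
    return {
        "tls": cart.scheme == "https",
        # A certificate vouches for this host only, never for text in the path.
        "certificate_host": cart_host,
        "same_site": same_site,
        "merchant_in_path": merchant_in_path,
        # Hypothetical rule: brand name outside the host, on a different site.
        "resembles_lookalike": merchant_in_path and not same_site,
    }


if __name__ == "__main__":
    for url in (SHARED_CART_URL, OWN_CERT_CART_URL):
        print(url, describe_transition(SHOP_URL, url))
```

With the shared certificate the padlock is genuine but belongs to `s.p5.hostingprod.com`; with the site's own certificate the cart stays on the merchant's domain and the hypothetical rule no longer matches.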

The obvious solution is to get our own SSL certificate.  SSL certificates are not cheap and would not be cost effective for us.  Very few small businesses have their own SSL certificate.  Many small businesses barely understand how to make changes to their website and are totally ignorant of things such as SSL certificates and server redirects.  Expecting every website to get its own certificate is not realistic and would create problems of its own.  Symantec (i.e. Norton) and McAfee understand all of this and their software should behave accordingly.  But it doesn't.

The "security" software industry has different motives.  Symantec does not make money if their software sits there quietly; they sell far more products if their software displays lots of warnings and feeds people's worries.  Anti-virus software comes pre-installed on many computers and is more difficult to uninstall than AOL.  The software takes over your computer and looks for any possible threat, real or imagined, then doesn't hesitate to cry wolf.  Feeding the public's paranoia is good for business.  It's like overzealous TSA agents confiscating bottled water and arresting anybody that looks foreign just to show that they're doing their job.

Kona Earth uses Yahoo! as a service provider.  Yahoo! is no novice to the Internet industry and they certainly understand the troubles with phishing.  Unfortunately Yahoo! has done very little to help small businesses with this issue.  Yahoo!'s help center suggests using frames or subdomains to hide the redirect.  This would hide the SSL lock icon and make the problem worse instead of better.

I have tried to contact both Symantec and Yahoo! but so far only Yahoo! has responded.  It took a few tries but I actually managed to get someone on the phone that had a clue.  Surprisingly, he spoke perfect English and quickly understood the problem.  He even admitted that he gets several phone calls per month about the same thing.  He then went on to say that there was nothing Yahoo! could do and the SSL redirect is just the way their servers work.

I doubt I will ever hear from Symantec.  I wish I could get Symantec to be a little more responsible about issuing false warnings but I suspect they will only get worse, not better.  This problem is absolutely costing me sales.  I'm sure there are thousands of small businesses losing sales every day because of Symantec.  Most small businesses don't realize they are losing money but that doesn't excuse Symantec.  If I wasn't so averse to lawyers I might be tempted to think that this issue is prime for a class action lawsuit.

I wish I could reassure Ron and others like him that Kona Earth's website is legitimate.  I emailed Ron but he gave me a disposable address that he uses for spam so he will probably never receive my email.  I'm sure there are many others like him that don't even bother to email.

It's fine if customers don't want to use our shopping cart, they can email us or call us or even visit the farm.  Our privacy policy, shipping policy, return policy and new anti-phishing policy all state our contact information.  The bottom of every page shows our email information.  We use SSL security and our shopping cart is as safe as we can make it.  We don't know what else to do.
