Team-BHP (https://www.team-bhp.com/forum/)

-   Shifting gears (https://www.team-bhp.com/forum/shifting-gears/)

-   -   The Online Shopping Thread (https://www.team-bhp.com/forum/shifting-gears/22122-online-shopping-thread-444.html)

Hello friends,

Have any of you guys ever shopped from the Wonderchef online store? Are they reliable? The reason I'm asking is that the thing I'm planning to buy is not available elsewhere. Thanks for any help.
.

Lot of well to do people have ordered clothing on Amazon, used it for functions and returned it before the return period.

Although they should not completely eliminate the return policy but can atleast reduce the number of days.

I beg to disagree. If you are collecting sensitive information in your site you will need to fork out money to obtain EV certificate from proper authority. I will quote the checks they will perform before they issue your SSL certificate:

1. Make sure you’re a legal entity, registered officially e.g. LLC (US), Ltd. (UK), Pty. Ltd. (AUS), GmbH (Germany).
2. Verify you have a legitimate place of business which will be included in your EV Certificate i.e. your listed physical address is not a mail drop, P.O. box or third party address.
3. Call you using your publicly listed phone number to make sure it’s active. And the person who signs the SSL contract must be a full-time employee.
4. Verify your operational existence, meaning a check into official records confirming your business is financially and commercially active.


The first step any potential buyer will look for is credibility. The EV Green lock establishes that you are what you claim you are. I wouldn't trust a free SSL when I am asked to pay for a product or service from that site. Let's Encrypt was basically intended for all non commercial sites - never for ecommerce sites.

Let's encrypt issues a SSL certificate to any site requesting for it. There is no checking about the ownership or address verification.

All that EV certificates "from proper authorities" achieve is a lighter bank balance. Which is why pretty much all important players (Google, Mozilla, Apple - to name a few) have chosen to ignore them. Here is a screenshot from my computer. Tell me, which of these 4 sites are using EV certificates? Where is the green lock you talk about? This is state of affairs in the browser that has 70% market share.



It is not just me; it is industry observers with a lot more credibility that say this.

All the much-vaunted EV verification can be bypassed. It is all trivial. The whole EV concept was simply a money-grab exercise to which browser & policy makers got wise soon enough.

Here's Troy Hunt saying essentially the same thing, a year+ back:

https://www.troyhunt.com/extended-va...y-really-dead/

Edit: In the screenshot above, HDFC Bank's site is using an EV certificate. None of the others are.

I don't understand why we need to have this argument. The accepted best industry practices expect an ecommerce/financial companies of repute to buy an EV SSL certificate. If I start an ecommerce site, somebody of industrial standing has to say something positive about my company to establish some basic credibility. We don't run companies like Google, Apple or Microsoft.

EV verification process is not trivial. It took me nearly 2 months to get one for a client. The EV certificate's Green lock with the company name has been relegated to the Information box from the address bar. And the ICICI bank site you show is the first screen. When you select the option of Corporate/Personal Login part, it will take you to the primary banking section protected by the EV SSL as shown here:

The whole point is, a few years back what you are saying was indeed considered a best practice (say, till 2016 or so), but it is no longer the case.

No EV examples (quick check):

* Ecommerce: Flipkart.com, Amazon.in, Swiggy.com.

* Finance: Hdfcsec.com, LicIndia.in, Paytm.com, incometaxindiaefiling.gov.in

* Other important sites: uidai.gov.in, digilocker.gov.in, pmcares.gov.in (this is on Let's Encrypt)

Not enough people do all those steps to verify the EV-ness of the certificate rendering the whole thing meaningless. Hence the obsolescence. EV as it is currently defined is dead.

From the site owner perspective there is no ROI is spending that much extra and going through those additional hoops to get an EV cert. So as and when existing EV certs expire they will get replaced with non-EV equivalents.

From the end user perspective, most of us didn't bother with whether the site was on EV or not, so it is an irrelevant detail.

From the issuer perspective - yes, there is a loss of revenue and for good reason. You can't fool all the people all the time.

That's all to it.

Ordered ASUS Laptop (ASUS VivoBook 14 M409DA-EK147T) which was needed for general usage (no gaming or heavy graphics work involved). It was ordered on 17th through Amazon.

* Delivery Date initially was 20-Oct on the date of ordering
* It got changed to 20 to 24 Oct on the next day
* Today, it's 21-Oct and still it's in "Preparing for Dispatch" status

I never had this experience from Amazon. Their initial delivery estimates were always on the dot.

Is anyone else experiencing similar slippages in deliver timelines?

When I booked my iPhone 11 on 16th , the delivery date was shown as 24th October, but it arrived much ahead of schedule on 18th! While on the other hand, 32gb pen drive which was booked on 18th is yet to be dispatched.

At the risk of going OT, a few points I wanted to add:

1. All vallid SSL certificates (EV,DV,OV) offer the same industry-standard encryption strength. You do not get more protection from EV than DV—it’s exactly the same.

2. The only differentiating factor is that in the case of EV you can be certain that the URL (website) opened by you is being served by the intended provider protecting you from phishing provided you make sure to check the SSL certificate of each and every website you visit.

3. An EV certificate does not guarantee that the company you are dealing with isnt shady. An EV SSL valid for 3m/6m/1 year will continue to show the so called green bar, even if the physical company goes under the bus for whatever reason after the certificate was issued.

4. Regular SSL certificates should be enough as long as the eCommerce website does not accept card payemnts directly on its website. Usually all such payments are routed to a 3rd party payment gateway provider where the actual transaction takes place and the transaction details are then passed on to the ecommerce website. (This might not apply for the bigger players like amazon, flipkart etc)

5. A few references:
https://www.flipkart.com : Uses DV
https://www.amazon.in : Uses DV
https://www.onlinesbi.com : Uses EV
https://www.icicibank.com : Uses DV
https://infinity.icicibank.com : Uses OV


NOTE:
EV: Extended Validated (green bar, business name)
OV: Oraganization Validated (no green bar, only business name)
DV: Domain Validated (no green bar, no business name)

No disrespect meant to any of the views mentioned above, I just wanted to share what I know. Do let me know if I have got anything wrong above, i'm no expert either.

Regards,
Anoop

Security-wise EV doesn't offer anything extra than DV.
DV + red-tape = EV.

Amazon delivered an empty bottle of Arielmatic liquid detergent (Ordered during the Sale). I got so offended (Felt like a fool, opening the big carton and seeing the singular empty bottle inside). Gave them a piece of my mind over the phone and got my money back

Recently I ordered a exide UPS 1050va and a 42amp smf battery. The UPS came with broken warranty seal and battery was cracked with positive terminal bent (probably due to a fall). For the UPS they accepted the return, but for the battery they are investigating the matter and would give a resolution by tomorrow.

Was it a "Fulfilled by Amazon" order? Who was the seller in any case, if I may ask?

I almost exclusively place only "Fulfilled by Amazon" orders, and even so, mostly from Cloudtail or Appario, -- or only if the seller is a highly rated big name one. Similar policy for Flipkart purchases too ("fAssured"). Thankfully, so far haven't faced anything like what you have above!


Which e-commerce site did you order from?


How can the seller deny a clear mistake when the "serial number" on the invoice was not even a legitimate one (only 2 characters instead of the expected 14) ?! -- Again, was it an "fAssured" order?
.

Sold by Cloudtail and fulfilled by Amazon, unfortunately

I am not sure if this is a new scam, but it happened yesterday.

My wife have ordered some lip balms through Amazon few days back. Yesterday she received a call from a courier guy saying he is in front of the house to deliver and it is in COD mode. Wife could not suddenly recall whether she made the online payment earlier or by COD, because in the hurry to pick it up, she did not realize and then paid and collected it.

After opening it up, she realized it is not from Amazon not the lip balm what she ordered. She also verified that her actual Amazon order was already paid and is in process. And this new parcel came from some Sonali in Delhi. No address, no nothing and the product was some cheap lip balms.

Looks like we are fooled. So does this mean that our data from Amazon has been leaked to some third party like this.

Ridiculous!