Re: Don't shop at MileHighShooting.com - no HTTPS/SSL
The issue is not Chrome specific - look at the warnings on the certificate itself. That is not browser specific. Calling in an order would work fine.
Here are the solutions - I do work in internet operations as a Sr. Engineer so I know what I'm talking about, I deal with multi-million dollar ecommerce sites every day for work.
The certificate info that I pasted an image from specifically says "these resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page." - That is very insecure. The images and banners might not be secure (as one person said) but if you want to trust a certificate that isn't signed by known authorities... go ahead. Trusted authorities are a critical part of a secure infrastructure.
Plenty of online stores can get this stuff right - it's not rocket science. If you can't secure your site with a trusted certificate provider and secure the images and banners on your order page then your infrastructure is poorly designed and doesn't get my money. I'm not trying to hurt their business - this is easy to fix and if they do fix it I'll give them plenty of my money. That's what I was trying to do today but I'm not sending card details over the network if it's not 100% trusted.
1. They need a new certificate that supports TLS renegotiation
2. They need to fix their default port redirect when loading the credit card authorization page - it defaults to port 80 instead of 443.
3. They specifically need a certificate that is signed by a known authority (like Thawte or Verisign) as seen in the following dialog when running "certificate details":
I'm sure the company is a great bunch of people and a stand-up place to shop when you call them - but I'll never shop on their online store until this is fixed. If you want your card details leaked / logged by unauthorized people watching the network traffic then by all means shop at their online store, but it's asking for trouble.
It's the internet equivalent of going to a store in town and handing them your card, and instead of them running it through a machine from VISA they run it through a homemade card reader and promise that everything is ok. It's not ok and it's not secure. You either get this stuff 100% correct or you fail at designing an ecommerce solution.
Feel free to disagree or say I'm a novice but these are facts of internet transaction processing and they're doing it wrong.
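The mixed-content warning and the port-80 payment redirect described in the post above can be checked for from the page markup. This is an added example, not part of the original post: it audits the HTML of an HTTPS page for subresources and form targets that fall back to plain HTTP. The host `shop.example`, the sample markup and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that loads a subresource or submits data, per tag.
# Simplification: every <link href> is treated as a loaded resource.
URL_ATTRS = {
    "img": "src", "script": "src", "iframe": "src",
    "link": "href", "form": "action",
}

class InsecureRefFinder(HTMLParser):
    """Collect subresources and form targets that leave HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and scheme-relative URLs against the page URL.
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme != "http":
            return
        kind = "insecure-form-post" if tag == "form" else "mixed-content"
        self.findings.append((kind, tag, target))

def audit(page_url, html):
    """Return findings for an HTTPS page; an HTTP page is itself a finding."""
    if urlsplit(page_url).scheme != "https":
        return [("page-not-https", "document", page_url)]
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample checkout page (shop.example is a placeholder host).
SAMPLE = """
<html><head><link rel="stylesheet" href="/css/site.css">
<script src="http://shop.example/js/cart.js"></script></head>
<body><img src="http://shop.example/img/banner.jpg">
<img src="//cdn.shop.example/logo.png">
<form action="http://shop.example/authorize" method="post">
<input name="card_number"></form></body></html>
"""

if __name__ == "__main__":
    for finding in audit("https://shop.example/checkout", SAMPLE):
        print(finding)
```

The relative stylesheet and the scheme-relative logo inherit HTTPS from the page and are not flagged; the script, the banner image and the card form are.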