Carnival Cruise Lines and Security
tl;dr: Carnival Cruise and American Airlines both have appallingly unprofessional web shops. While nominally secure (main page is delivered via HTTPS), neither appears secure in modern browsers and the console is littered with warnings. Terrible.
The Carnival Cruise Lines web site has a lot of useful information. It’s reasonably easy to find answers to almost any question you might have. Their security—and the security of partner web sites—is a mess, though. It’s not as bad as it could be, but it’s very unprofessional and made it difficult to trust their sites for ordering stuff. That the site is in this kind of shape and no-one complains shows that people aren’t as security-savvy as some surveys make them out to be.
When you want to place an order directly with Carnival—for example, to order some bottled water to your room—the ordering web site appears to be insecure.
This is unprofessional because the main connection is secure. Your credit-card information will be submitted over a secure connection. The reason that browsers don’t think the page is secure is that almost all auxiliary resources—like images—are served over non-secure connections.
That this web shop made it through QA is a joke. Everyone from the developer on up should see that the green-lock icon doesn’t appear in any browser as it should (or at least not in Safari, Chrome or Opera). No browser should fail to warn the user of the shadiness of this site.
After examining the warnings in the console and verifying that the form would be submitted via HTTPS, I gave the go-ahead to use the form anyway. But this should be rectified ASAP.
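The two checks described above (which auxiliary resources load over plain HTTP, and whether the form still submits over HTTPS) can be scripted. The following is an added example, not code from the original post or from either company; the host `shop.example`, the sample markup and the names `audit` and `MixedContentAudit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Active content can rewrite the page; passive content is only displayed.
KIND = {"script": "active", "iframe": "active", "link": "active",
        "img": "passive", "audio": "passive", "video": "passive"}


class MixedContentAudit(HTMLParser):
    """Flag insecure subresources and form targets on an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing action submits to the page's own URL.
            target = urljoin(self.page_url, attrs.get("action") or "")
            if urlparse(target).scheme != "https":
                self.findings.append(("insecure-form", tag, target))
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # simplification: only stylesheet links are checked
        ref = attrs.get("href" if tag == "link" else "src")
        if tag in KIND and ref:
            # Resolve relative and scheme-relative (//host/x) references.
            url = urljoin(self.page_url, ref)
            if urlparse(url).scheme == "http":
                self.findings.append((KIND[tag], tag, url))


def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; shop.example is a placeholder host.
SAMPLE = """<link rel="stylesheet" href="/css/shop.css">
<script src="//cdn.shop.example/cart.js"></script>
<img src="http://images.shop.example/water.jpg">
<img src="/img/logo.png">
<form method="post" action="/checkout"><input name="card"></form>"""

if __name__ == "__main__":
    print(audit("https://shop.example/order", SAMPLE))
```

On the sample page the only finding is the passive image, which matches the situation in the post: the form itself posts over HTTPS, but the insecure image is enough to cost the page its lock icon.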
As if that wasn’t bad enough, the American Airlines site’s “Secure” Checkout has the exact same problem.
Shouldn’t these big companies have this kind of stuff under control? What the hell is going on over there? Developing for the web isn’t exactly easy, but this is basic stuff. Fix it, Carnival and AA.