Payment Site for SketchUp Not HTTPS - Kinda Sketchy, SketchUp

So I wanted to purchase a Sketchup Pro subscription after my free trial ended (because I really liked the program and wanted to use it to render a potential kitchen remodel) and as soon as I got to the checkout / credit card page my browser alerted me that I wasn’t on an HTTPS site. Now, I’m not a tech genius by any stretch, but since I was old enough to buy anything online it has been instilled in me as a pretty basic measure of cyber security to never enter credit card information (or really any highly sensitive info like social security #, etc.) on a non-HTTPS site because your info is not encrypted and can possibly be intercepted. I brought this up to a sales person on a help submission and was casually told it’s not a real issue (???). I even googled this topic after to just make sure I wasn’t crazy and somehow making this up and the answer everywhere is a resounding NO, do NOT enter your cc info on a non-HTTPS site, it is not safe / smart. I really want to buy your product but at this point don’t really feel comfortable, PLEASE fix this problem or contact your payment handling site and have them fix it. Thanks.

This sounds odd. Https has been around for some time now. I’m wondering if the issue might have been caused by the page loading in some other asset from an external domain using http, e.g. a styleshtee, font or logo.

I have noticed that some graphics are from http, and that some browsers are set up to show an error for that, even if the rest of the page is https.

Jaime, I see your support case where you raise this issue, but I don’t see what happened to the case, it was redirected to a different team. I will check into what happened after that.

I was in fact told that it was a logo issue, which confused me because I thought the SketchUp site itself was https (though perhaps I am not understanding this issue correctly). I was also told this would be fixed in a few weeks once you launch reconfigured Sketchup SKUs. However, I’m kind of dismayed that this is an issue in the first place, and that I’m supposed to either ignore it / just trust that it’s the browsers / logos fault (I tried multiple browsers and they all had the same reaction) or wait a few weeks to get fixed. If you are selling a product to consumers online they shouldn’t have to do this much digging to figure out why the website handling their credit card info isn’t HTTPS, or be expected to simply ignore such basic cyber security warning signs. I was also given a few other options to process payment by the way, but it was conveyed to me that my information would just end up being entered by someone else on the same site, which didn’t really resolve my original concern. For now I will just wait I guess, but please fix this issue.

This aught to be fixed. The request for the logo could theoretically be intercepted by a third party that in turns extract data from the request. I’m not an expert on the matter but think the risk is low and that it couldn’t be used to inject code and e.g. steal credit card info, but I think it’s a deliberate and valid choice by web browser developers to mark a whole page as non-https even if it’s just a single asset that isn’t. Even if the risk is deemed to be zero, it is bad for the user experience.

1 Like

Mixed content is vulnerable and can used with man in the middle attacks.

2 Likes

If we are talking about this page it is absolutely safe to use:

https://ecom-prd.trimblepaas.com/

But it is showing “Not secure” because of poor coding on the page and one of the images being not the https liked:


http://www.sketchup.com/sites/www.sketchup.com/files/logos/SU_Icon.png

I am surprised it is still not fixed, I may report it to Trimble at some stage.

1 Like

Yes, I am also surprised and pretty disappointed that it still hasn’t been fixed / no one else from Sketchup has responded to the issue, esp. as been a few weeks since I first reported the problem (2 weeks ago on this thread and 5 weeks ago via a message to support on Sketchup’s website). Perhaps I should have just contacted Trimble?

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.