How to decide whether an eshop is safe or compromised

On eu-store.wacom.com, some images from their Amazon CDN are requested over http instead of https. This can be solved by installing HTTPS Everywhere and turning on "Encrypt All Sites Eligible":


The gray padlock means all resources are served securely. So the webstore is most likely not compromised. They are still using an outdated cipher based on CBC and SHA1, so a nation-state power might still be able to intercept or even MITM the connection.


My questions are, why is this inconsistency happening?

This is known as mixed content, where the page is loaded with HTTPS while some parts (images) are loaded via insecure HTTP.

how can I verify that the store page is indeed wacom's?

As long as your system has not been compromised, the only way is to use HTTPS Everywhere and visit the correct URL; otherwise the HTTP connection can be MITMed and the response returned could itself be a phishing page.


NOTE: This answer ignores all the other web/browser vulnerabilities.

is it safe for me to purchase stuff with my card through it?

Well, they probably redirect you to a different website when it's time to pay, which might use HTTPS. Apart from that, images can be tampered with in a MITM situation. The most an attacker can do is:

Attackers may be able to manipulate parts of the page, for example, by displaying misleading or inappropriate content, but they should not be able to steal your personal data from the site.


On eu-store.wacom.com, some images from their Amazon CDN are requested over http instead of https

Let me continue from that. Firefox says it's not 100% secure because it's loading unprotected content. I would say, naively... it's 95% secure.

Now, it doesn't mean the site wacom.com is not legitimate, but perhaps misconfigured. If you buy today from that site, it's not likely that you are paying a scammer pretending to be Wacom, but see later.

On the contrary, unprotected content served over http can be a danger to Wacom themselves who did not configure their store correctly.

Apart from what government-level attackers can do, here are some examples of what a real attacker can do in a MitM attack over plain old http:

  • Images served over http may display something other than the product you are going to buy
  • JavaScript (and possibly CSS) served over http can be altered and cause any possible harm, including sniffing your credit card number
  • Iframes served over http can be altered and cause various kinds of damage, but probably not sniff your CC number (correct me if I am wrong)

Of course I am speaking from a more protocol-theoretical PoV.

So...

how can I verify that the store page is indeed wacom's?

Yes, they are them. The site is not compromised, but vulnerable.

is it safe for me to purchase stuff with my card through it?

Probably from your home network. I would always avoid sensitive browsing over public Wi-Fi or Tor without proper encryption.
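The mixed-content problem both answers describe (http-loaded images, scripts and iframes on an https page) can be checked mechanically rather than by eyeballing the padlock. The following is an added example, not code from either answer or from Wacom: it parses a constructed sample page with Python's standard library, resolves every sub-resource URL against the page URL, and reports those fetched over plain http, tagged "active" or "passive" along the lines of the list in the second answer. The page URL and markup are made up for the example.

```python
"""Mixed-content audit of one HTML document (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute loads the sub-resource, and whether a tampered copy can run
# code in the page ("active": script, stylesheet, iframe) or only change what
# is displayed ("passive": images), as the second answer distinguishes.
RESOURCE_ATTRS = {"img": ("src", "passive"), "script": ("src", "active"),
                  "iframe": ("src", "active"), "link": ("href", "active")}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (element, absolute url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attr_name, kind = RESOURCE_ATTRS[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are fetched as page resources here
        raw = attrs.get(attr_name)
        if not raw:
            return
        # urljoin resolves relative paths and protocol-relative "//host/..." URLs,
        # which inherit https from the page and are therefore not mixed content.
        url = urljoin(self.page_url, raw)
        if urlsplit(url).scheme == "http":
            self.findings.append((tag, url, kind))


def find_mixed_content(page_url, html):
    """List sub-resources an https page fetches over plain http."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page modelled on the question's scenario (not real markup).
SAMPLE_PAGE_URL = "https://eu-store.example/product"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/analytics.js"></script></head>
<body><img src="http://images.cdn.example/tablet.jpg">
<img src="//images.cdn.example/pen.jpg"><img src="/local.png">
<iframe src="https://pay.example/checkout"></iframe></body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} {tag:6} {url}")
```

Run against the sample it reports the http script (active) and the http product image (passive); the protocol-relative and root-relative images inherit https and are correctly left out.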