SECURE is a dangerous word in security.
As of July 2018, Google instituted a “non-secure” designation for HTTP websites and a “secure” designation for websites that utilize HTTPS. Google has been warning website owners for years that it was moving to this identification of websites that don’t utilize HTTPS. It also stated that your website ranking would be affected if you didn’t implement this security measure.
This is a good thing for most Internet users because HTTPS is safer than HTTP. Secure connections are an important step in protecting users from a type of cyberattack called content injection or content spoofing. Content spoofing is when a hacker creates a fake website and passes it off as the real website. The intent is to deceive people into entering their information into a site that is not truly the website they meant to visit.
Content spoofing often works because it exploits an existing relationship between a user and an organization. We have probably all received those emails asking us to reset our contact information at a bank or credit card company where we don’t even have an account. It only works if the user already has an existing relationship. Thus, the largest brands are typically used in these phishing attacks.
There are many ways to inject content, such as eavesdropping, data modification and man-in-the-middle attacks. Hackers can also perform SEO injections, spreading additional false messages through search engine spiders that index and craft URLs. With HTTPS, Google hopes to make this kind of malicious attack a thing of the past.
As a business, the process of getting HTTPS is relatively easy. I’m not going to cover how to do it in this article; simply call your hosting provider and they should be able to walk you through the process.
I believe the SECURE green bar designation of a website gives a false sense of security to the average Internet user. Just because the website is utilizing encryption does NOT mean that the website is safe or secure. In fact, numerous phishing attacks utilize HTTPS.
In a recent article, ThreatPost wrote about a rash of phishing attacks using HTTPS to con victims. Unfortunately, it’s so easy to get the HTTPS designation that companies offer it for free now. The article states, “Last month, a report by The SSL Store said last year 15,270 free SSL certificates were issued to sites that contained the word ‘PayPal’ in the domain name or the certificate identity. It claimed 97 percent were issued to phishing sites.” Website security has a multitude of issues to contend with. Encrypting the information flow between the user and the website is one of those aspects.
There are many tools on the web that allow website developers to harden their sites.
One of the easiest tools to use on the net is Security Headers (https://securityheaders.com/).
Now, if I plug in a Fortune 500 company website, let’s see what we find out. I’m going to redact the company name for obvious reasons.
Looking deeper into their website, it shows numerous vulnerabilities.
Strict-Transport-Security. HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value: “strict-transport-security: max-age=31536000; includeSubDomains”.
Content-Security-Policy. Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
X-Frame-Options. X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value: “x-frame-options: SAMEORIGIN”.
X-XSS-Protection. X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value: “X-XSS-Protection: 1; mode=block”.
X-Content-Type-Options. X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is “X-Content-Type-Options: nosniff”.
Referrer-Policy. Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Feature-Policy. Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.
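
The header list above can be checked mechanically. The following is an added example, not code from Security Headers or from this article: it grades a set of response headers against the seven headers and recommended values listed above. The sample response is constructed, and accepting `DENY` for X-Frame-Options alongside the recommended `SAMEORIGIN` is an assumption of the example.

```python
def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def hsts_ok(value):
    max_age, include_sub = parse_hsts(value)
    return max_age is not None and max_age >= 31536000 and include_sub

def present(value):
    return bool(value.strip())

# Header -> value check. Values are the ones recommended in the list above;
# headers the list gives no value for are only checked for presence.
CHECKS = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": present,
    # SAMEORIGIN is the article's value; DENY (stricter) is accepted as an assumption.
    "x-frame-options": lambda v: v.strip().upper() in ("SAMEORIGIN", "DENY"),
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": present,
    "feature-policy": present,
}

def audit_headers(headers):
    """Map each expected header to 'ok', 'weak' or 'missing'."""
    seen = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return {
        name: "missing" if name not in seen else ("ok" if check(seen[name]) else "weak")
        for name, check in CHECKS.items()
    }

# Constructed sample response headers (not taken from the redacted site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1",
}

if __name__ == "__main__":
    for name, status in audit_headers(SAMPLE).items():
        print(f"{status:8} {name}")
```
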
Next, check if the site is on the HSTS preload list.
The HSTS preload list adds another layer of security since the site is hardcoded into some browsers as being HTTPS only. It’s an easy process to complete but dangerous if you have any HTTP content on your website. That content will no longer be indexed by Google. You really want to check all of your pages before submitting to Google. Once on the HSTS preload list, it’s difficult to remove if you made a mistake. So be careful before going to this extra step of security.
This form is used to submit domains for inclusion in Chrome’s HTTP Strict Transport Security (HSTS) preload list. This is a list of sites that are hardcoded into Chrome as being HTTPS only.
Error: No HSTS header
Response error: No HSTS header is present on the response.
Error: HTTP redirects to www first
`http://XXXXXX` (HTTP) should immediately redirect to `https://XXXXXX.com` (HTTPS) before adding the www subdomain. Right now, the first redirect is to `http://www.XXXX.com/`. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.
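
The redirect-order error above comes down to which hosts the browser ever reaches over HTTPS. The following is an added example, not the preload form's own code: it checks a recorded redirect chain against that rule and lists the hosts that can get an HSTS entry from the visit. The chains are constructed, with `example.com` standing in for the redacted domain.

```python
from urllib.parse import urlsplit

def check_preload_redirects(chain):
    """chain: URLs visited in order, starting at http://<bare domain>/.
    Returns a list of problems; an empty list means the order is acceptable."""
    start = urlsplit(chain[0])
    if start.scheme != "http":
        raise ValueError("chain must start at the plain-HTTP URL of the bare domain")
    if len(chain) < 2:
        return ["HTTP does not redirect to HTTPS"]
    first = urlsplit(chain[1])
    problems = []
    if first.scheme != "https":
        problems.append("first redirect is not to HTTPS")
    if first.hostname != start.hostname:
        problems.append(f"first redirect changes host to {first.hostname}")
    return problems

def hsts_recordable_hosts(chain):
    """Hosts reached over HTTPS. A browser only honours an HSTS header received
    over HTTPS, so only these hosts can get an HSTS entry from this visit."""
    hosts = []
    for url in chain:
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname not in hosts:
            hosts.append(parts.hostname)
    return hosts

# Constructed redirect chains; example.com stands in for the redacted domain.
WWW_FIRST = ["http://example.com/", "http://www.example.com/", "https://www.example.com/"]
HTTPS_FIRST = ["http://example.com/", "https://example.com/", "https://www.example.com/"]

if __name__ == "__main__":
    for label, chain in (("www first", WWW_FIRST), ("https first", HTTPS_FIRST)):
        print(label, check_preload_redirects(chain), hsts_recordable_hosts(chain))
```

In the www-first chain the bare domain is never visited over HTTPS, so only the `www` host can record an HSTS entry.
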
Lastly, I check if the website has deployed DNSSEC.
It’s another easy and good way to harden your site. Most hosting providers will offer this as an option for your website for a nominal fee.
Why is DNSSEC important? According to ICANN.org, full deployment of DNSSEC will ensure the end user is connecting to the actual website or other service corresponding to a particular domain name. Although this will not solve all the security problems of the Internet, it does protect a critical piece of it – the directory lookup – complementing other technologies such as SSL (HTTPS) that protect the “conversation,” and provides a platform for yet to be developed security improvements.
|No DS records found for XXXXX.com in the com zone|
|No DNSKEY records found|
|XXXXcom A RR has value 18.104.22.168.192|
|No RRSIGs found|
The HTTPS evolution will harden more websites from attacks but to claim it’s “SECURE” is not accurate. I applaud Google for pushing the Internet to implement HTTPS but I’m concerned we have given a false sense of security to our users. Just because your web browser says secure does not mean the site is secure.
Also, to my colleagues in the industry, we should be leading the charge on our own sites. Plug in your favorite security provider in the links in this article and I think you may be shocked to find out how vulnerable some of these companies are — I know I was.