93% Of Websites Fail To Meet Security Standard
Mozilla’s Observatory Tool Assesses Website Security – And Many Fall Short.
April King, a security engineer at Mozilla, found that the vast majority of the world’s largest sites – 93.45% to be exact – are not implementing many modern security technologies which provide secure connections to their users and protect them from attacks such as cross-site scripting (XSS) and content injection.
The assessment of these sites was made by Mozilla’s own Observatory tool (which King designed). It conducts 11 different tests to see what security technologies a website is using, including HTTPS, HPKP (Key Pinning), CSP (Content Security Policy), and Subresource Integrity. It also scores sites on how well they use those technologies. Websites with sub-par configurations – like supporting HTTPS without automatically redirecting users – receive penalties.
King used her Observatory tool to automate scans of Alexa’s Top Million list, which ranks the world’s million largest websites. Her first scan took place in August 2016. To measure improvement, the Top Million were rechecked in October 2016, and again in June 2017. In the first scan 97.6% of sites failed the Observatory’s grading. Over the last 15 months, 42,000 websites have improved their security and no longer receive an F grade.
While a 90%+ failure rate might make you feel like everything is terrible, the measured improvement is astounding. In fact, given that many of these technologies are new, and that integrating them into existing sites is so difficult, it’s encouraging to see adoption growing so quickly.
The number of B & C grades has risen by 207% and 330%, respectively. The number of sites receiving an A or A+ grade increased from 90 to 420. To receive an “A” grade you need to implement nearly every technology that the Observatory assesses.
The Mozilla Observatory has played a direct part in these improvements. King noted that 50,000 sites used the tool, made improvements, and then rechecked their grade to make sure they implemented the security measures correctly.
Failing the Observatory’s grading isn’t as bad as it sounds. Compared to similar tools, Observatory has higher standards and grades accordingly. For instance, without CSP, which is an incredibly important but also hard to implement technology, the best grade a website can get is a B+.
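As an added illustration of the kind of checks the article attributes to the Observatory (HTTPS with redirect, CSP, HPKP, Subresource Integrity) and of the rule that a site without CSP can score no better than B+, here is a simplified checker run over constructed site snapshots. It is not Mozilla's code or the Observatory's actual rubric: the `SiteSnapshot` type, the point values and the grade bands are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed grade bands (score floor, grade), best first. Assumed, not Observatory's.
GRADE_BANDS = [(90, "A+"), (80, "A"), (70, "B+"), (60, "B"), (50, "C"), (40, "D"), (0, "F")]
GRADE_ORDER = [g for _, g in GRADE_BANDS]


@dataclass
class SiteSnapshot:
    """Hypothetical record of what a scanner observed for one site."""
    serves_https: bool
    redirects_http_to_https: bool
    headers: dict  # response headers, lower-case names
    html: str = ""  # landing-page markup, inspected for Subresource Integrity


SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"\bsrc=[\"']([^\"']+)[\"']", re.I)


def external_scripts_without_sri(html):
    """Return src URLs of cross-origin scripts that carry no integrity= attribute."""
    missing = []
    for tag in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(tag)
        if src and src.group(1).startswith(("http://", "https://", "//")) \
                and "integrity=" not in tag.lower():
            missing.append(src.group(1))
    return missing


def assess(site):
    """Return (grade, findings). Penalties mirror the article's examples: a sub-par
    HTTPS setup (no redirect) loses points, and a missing CSP caps the grade at B+."""
    score, findings = 100, []
    if not site.serves_https:
        score -= 50; findings.append("no HTTPS")
    elif not site.redirects_http_to_https:
        score -= 15; findings.append("HTTPS served but HTTP is not redirected")
    if "public-key-pins" not in site.headers:
        findings.append("no HPKP header (informational only)")  # assumed: no penalty
    for src in external_scripts_without_sri(site.html):
        score -= 10; findings.append(f"external script without SRI: {src}")
    has_csp = "content-security-policy" in site.headers
    if not has_csp:
        score -= 20; findings.append("no Content-Security-Policy")
    grade = next(g for floor, g in GRADE_BANDS if max(score, 0) >= floor)
    if not has_csp and GRADE_ORDER.index(grade) < GRADE_ORDER.index("B+"):
        grade = "B+"  # the cap the article describes for sites without CSP
    return grade, findings
```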
The Observatory tool has been used to scan more than 1.55 million different websites and assess their use of security technologies and protocols. While the prospect of receiving an F grade may be scary, it’s a great (and free!) way to learn about what technologies are out there and how your site could benefit from them.
No one – not even expert engineers like King – expects you to fix everything overnight. It took major websites like The New York Times two years just to deploy HTTPS across their entire site. So give your site a scan and see how you stack up!