{"id":7803,"date":"2018-10-26T12:00:37","date_gmt":"2018-10-26T16:00:37","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=7803"},"modified":"2024-05-20T16:34:38","modified_gmt":"2024-05-20T20:34:38","slug":"report-32-percent-us-companies-receive-f-tls-ssl","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/report-32-percent-us-companies-receive-f-tls-ssl\/","title":{"rendered":"Report: 32% of Top US Companies Receive an F in SSL\/TLS"},"content":{"rendered":"<h2>The report by High-Tech Bridge also turned up an alarming number of expired SSL\/TLS certificates<\/h2>\n<p>A new report by High-Tech Bridge, <a href=\"https:\/\/www.htbridge.com\/blog\/FT500-application-security.html\">released Wednesday<\/a>, makes some troubling findings about the state of SSL\/TLS and encryption across 1,000 of the world\u2019s top companies. Among the key findings:<\/p>\n<ul>\n<li>32% of US companies and 16% of European companies received failing grades for their SSL\/TLS implementations.<\/li>\n<li>Only around 15% of the companies had an SSL\/TLS configuration that was compliant with current PCI DSS requirements.<\/li>\n<li>45% of US companies and 30% of European companies have at least one invalid SSL\/TLS certificate.<\/li>\n<li>Only around 84% of companies are compliant with Article 32 of the GDPR.<\/li>\n<\/ul>\n<p>There\u2019s a lot to unpack from this report, some of it is quality information while other parts may be a little less reliable because of some questionable methodology. We\u2019ll have to parse it to see what\u2019s what.<\/p>\n<p>Let\u2019s hash it out\u2026<span id=\"newline\"><\/span><\/p>\n<h2>A Quick Word About Methodology<\/h2>\n<p>Let\u2019s start at the top. 
<a href=\"https:\/\/en.wikipedia.org\/wiki\/There_are_known_knowns\">Applicable though the quote may be<\/a>, I\u2019m not sure starting any kind of report by paying homage to the \u201cwisdom\u201d of Donald Rumsfeld \u2013 the former US Secretary of Defense who gained infamy for overseeing America\u2019s use of \u201c<a href=\"https:\/\/en.wikipedia.org\/wiki\/Enhanced_interrogation_techniques\">enhanced interrogation techniques<\/a>,\u201d (a less charitable term would be torture, which is a war crime) following the invasions of Afghanistan and Iraq \u2013 is really appropriate.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7813\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-199313803-300x300.jpg\" alt=\"Web Security icons\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-199313803-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-199313803-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-199313803-1024x1024.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-199313803.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>But hey, you do you, High-Tech Bridge.<\/p>\n<p>As far as the methodology behind the report, there are a couple of things that we need to consider up front because they do bear an influence over some of the findings. High-Tech Bridge used the Financial Times top 500 lists for the United States and Europe, scanning those 1,000 companies. 
Now come the declarations:<\/p>\n<ul>\n<li>High-Tech Bridge sells a suite of scanner software called <a href=\"https:\/\/www.htbridge.com\/immuniweb\/discovery\/\">ImmuniWeb<\/a>.<\/li>\n<li>High-Tech Bridge uses <a href=\"https:\/\/www.htbridge.com\/ssl\/#about\">its own grading system<\/a> as opposed to a more neutral third-party one like SSL Labs.<\/li>\n<\/ul>\n<p>Now, neither of these things is disqualifying, but it does represent a conflict of interest that is worth keeping in the back of your mind. The report also makes use of several terms that are worth defining as they can help inform some of the data we\u2019re going to look at in a moment:<\/p>\n<ul>\n<li><strong>Shadow IT<\/strong> \u2013 This refers to assets that are created organizationally and serve a legitimate purpose, but were built or implemented without proper coordination with other parties. This is a term that we\u2019re very familiar with at The SSL Store given the fact that SSL certificates are among the most common Shadow IT assets. A company is building a new website, the dev team slaps an SSL certificate on it without coordinating with IT and the Security team, then when it expires in a year or two, things break and they call us. Happens all the time.<\/li>\n<li><strong>Legacy IT<\/strong> \u2013 This refers to assets that were either built or procured a long time ago and can no longer be properly maintained. This is another area we deal with a lot, a lot of organizations, particularly in healthcare, use older devices \u2013 some of which have even had their vendor support deprecated \u2013 that can\u2019t use modern encryption protocols or SHA-2.<\/li>\n<li><strong>Abandoned IT<\/strong> \u2013 This one is the most self-explanatory. These are legitimate websites and applications that have just been abandoned or forgotten. 
A great example of this would be <a href=\"http:\/\/www.brendanfraser.com\/\">brendanfraser.com<\/a>, the website for actor Brendan Fraser that clearly hasn\u2019t been updated since at least 2005 and requires Flash 7 (we\u2019re in the 30s now) to run properly. (And don\u2019t act like you didn\u2019t just click and slurp up some of that old Geocities-flavored early-internet nostalgia.)<\/li>\n<\/ul>\n<p>Now let\u2019s delve into the study a little bit.<\/p>\n<h2>What Is an External Web Application?<\/h2>\n<p>Let\u2019s start out by defining what a web application is. I realize the vast majority of you are already well-versed in this, but not everyone is. And web application is one of those terms that kind of has a hazy definition. It\u2019s defined in different ways by different companies and organizations, so my definition may be a little bit different than other companies\u2019. Generally though, a website is a set of documents or pages that are hyperlinked together. A web application is more like a program; it typically serves a particular function or action.<\/p>\n<p>That can seem a little abstract so let\u2019s use some examples. <a href=\"https:\/\/www.thesslstore.com\">Let\u2019s look at our website<\/a>. The website itself is a collection of pages that are hyperlinked together. But on those pages are web applications that allow you to search for content, put items in your shopping cart or interact with the user control panel.<\/p>\n<p>So how prevalent are web applications? When High-Tech Bridge scanned the US and European FT 500, it found 293,512 external systems that were accessible from the internet, 42,549 of which were live web applications. 
Europe has less than half that, with an attack surface of 112,750 external systems, of which 22,162 are web applications.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7809\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Attack-Surface.png\" alt=\"Attack Surface for FT 500 Companies in the US and EU\" width=\"900\" height=\"525\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Attack-Surface.png 900w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Attack-Surface-300x175.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Attack-Surface-768x448.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>High-Tech Bridge found that each US company had an average of 85.1 web applications that are accessible by the internet and that aren\u2019t protected by:<\/p>\n<blockquote><p>2FA, strong authentication or other security controls aimed to reduce application accessibility to untrusted parties&#8230;<\/p><\/blockquote>\n<p>That number was 44.3 for European companies.<\/p>\n<p>Now, that\u2019s a staggering figure and it probably needs to be laid out with a little bit more context. Without the raw data it\u2019s hard to really piece together an accurate picture. <a href=\"https:\/\/deadspin.com\/why-only-the-nfl-doesnt-guarantee-contracts-1797020799\">Kind of like trying to discern the real value of an NFL contract<\/a>.<\/p>\n<p>While HTB only counted unique, live web applications \u2013 disregarding redirects, default installation pages and HTTP errors \u2013 it doesn\u2019t seem as though it did anything else to categorize those web apps. 
Not every single web app needs to be secured the same way and it\u2019s unclear how the study adjusted for a lot of these different variables.<\/p>\n<p>Let\u2019s move on to the areas that are a little more germane to our area of focus\u2026<\/p>\n<h2>32% of US Companies Receive a Failing Grade For Their SSL\/TLS Implementations<\/h2>\n<p>This is a very eye-catching statistic, and it certainly points to the need for more companies to understand SSL\/TLS and PKI so that they can make better decisions about their configurations and implementations, but as we discussed earlier, High-Tech Bridge is operating on its own grading rubric.<\/p>\n<p>Again, there\u2019s nothing wrong with this. <a href=\"https:\/\/www.htbridge.com\/ssl\/#about\">This is the grading system that its ImmuniWeb SSLScan uses<\/a>, and for what it\u2019s worth it can be used to check for PCI DSS and HIPAA compliance and a whole range of other good things, but, it comes with a few caveats. The obvious comparison is <a href=\"https:\/\/www.ssllabs.com\">Qualys\u2019 SSL Labs<\/a>. 
<a href=\"https:\/\/community.qualys.com\/docs\/DOC-6321-ssl-labs-grading-2018\">That has a grading scale with clearly defined meanings<\/a>:<img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7814\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Scanner-Icon-e1540500854240-300x300.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Scanner-Icon-e1540500854240-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Scanner-Icon-e1540500854240.jpg 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<blockquote><p>A+ &#8211; exceptional configuration<br \/>\nA &#8211; strong commercial security<br \/>\nB &#8211; adequate security with modern clients, with older and potentially obsolete crypto used with older clients; potentially smaller configuration problems<br \/>\nC &#8211; obsolete configuration, uses obsolete crypto with modern clients; potentially bigger configuration problems<br \/>\nD &#8211; configuration with security issues that are typically difficult or unlikely to be exploited, but can and should be addressed<br \/>\nE \u2013 unused<br \/>\nF &#8211; exploitable and\/or patchable problems, misconfigured server, insecure protocols, etc<\/p><\/blockquote>\n<p>That same information isn\u2019t provided by HTB. There is also no D on the grading scale. As a proud former straight-D student this offends my sensibilities.<\/p>\n<p>Jokes aside, there are also a couple of questionable bonuses, specifically. The first is for Extended Validation. EV is absolutely the best way to assert identity on a website, but in terms of the improvement to security it provides\u2014that\u2019s contingent upon the additional trust asserting identity can provide. EV SSL doesn\u2019t provide encryption that\u2019s any stronger than OV or DV SSL. So you be the judge of whether or not that\u2019s worth ten points. 
Also, TLS_Fallback_SCSV was designed to prevent Man-in-the-Middle attacks when negotiating what TLS version to use, but now that best practice is to deprecate support for SSL 3.0 and TLS 1.0, SSL Labs is thinking about removing it from its criteria entirely, so a 10 point bonus for supporting it seems a little bit questionable, too.<\/p>\n<p>Basically, if a company had an up-to-date configuration its server received an A while companies with bad configurations got hit with multiple penalties (many of them redundant) and ended up with a big F.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7808\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/ImmuniWeb-SSL-Grades.png\" alt=\"Results from High-Tech Bridge's SSL grading rubric\" width=\"900\" height=\"525\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/ImmuniWeb-SSL-Grades.png 900w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/ImmuniWeb-SSL-Grades-300x175.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/ImmuniWeb-SSL-Grades-768x448.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>Let\u2019s compare that with the figures produced by Qualys\u2019 SSL pulse, using data from its SSL Labs scans of the Alexa most popular lists.<\/p>\n<p>Granted, this isn\u2019t a 1:1 comparison, but it still gives you a rough idea of how the two vary.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7807\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/SSL-Labs-SSL-Grades.png\" alt=\"SSL Labs grades\" width=\"900\" height=\"525\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/SSL-Labs-SSL-Grades.png 900w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/SSL-Labs-SSL-Grades-300x175.png 300w, 
https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/SSL-Labs-SSL-Grades-768x448.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>SSL Labs really does have a D grade, it\u2019s just apparently really difficult to achieve\u2014to the point where the percentage of websites that received it is negligible and I haven&#8217;t included it in the graph (this also offended my D-student sensibilities).<\/p>\n<p>The real takeaway from these scans is the fact that<strong> 7.82% of the US companies scanned and 5.15% of the European ones still have support for SSL 3.0 enabled.<\/strong> That\u2019s pretty inexcusable and should have been handled four years ago.<\/p>\n<p>Also of note, <strong>35.2% of US companies and 24% of European companies have at least two servers with an exploitable SSL\/TLS vulnerability<\/strong>.<\/p>\n<h2>The Last PCI DSS Deadline Maybe Didn\u2019t Go So Well\u2026<\/h2>\n<p>One of the other interesting findings from High-Tech Bridge\u2019s report was the number of companies that still haven\u2019t fully complied with <a href=\"https:\/\/www.thesslstore.com\/blog\/june-30-to-disable-tls-1-0\/\">the latest PCI DSS deadline to remove support for TLS 1.0<\/a>. It was also advised that TLS 1.1 be deprecated as well, though that wasn\u2019t mandatory.<\/p>\n<p>The scans found that just 16.4% of US companies and just 14.7% of European companies had server configurations that were compliant with requirements 2.3 and 4.1 of the most recent PCI DSS regulations.<\/p>\n<p>2.3 requires companies to secure their administrative access points and 4.1 requires them to encrypt Payment Card Information as it\u2019s being transmitted. 
Pretty much all of this was a result of companies not deprecating TLS 1.0 support yet.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7806\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/PCI-DSS-Compliance.png\" alt=\"PCI DSS compliance in top US and EU companies\" width=\"900\" height=\"525\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/PCI-DSS-Compliance.png 900w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/PCI-DSS-Compliance-300x175.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/PCI-DSS-Compliance-768x448.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<h2>GDPR Compliance \u2013 Another Thing That Doesn\u2019t Seem to be Going Well\u2026<\/h2>\n<p>The GDPR headaches have only just begun. <a href=\"https:\/\/www.thesslstore.com\/blog\/preparing-gdpr-introduction-1\/\">We\u2019ve written about it ad nauseam<\/a>, everything from <a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-encryption-best-practices-wp29\/\">best practices<\/a> to <a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-customer-service\/\">how to train your support staff<\/a>\u2014<a href=\"https:\/\/www.thesslstore.com\/blog\/preparing-gdpr-introduction-1\/\">we\u2019ve covered it<\/a>. Recently we reported that the European Privacy chief, who helps oversee and coordinate the various Data Protection Agencies in the EU, said <a href=\"https:\/\/www.thesslstore.com\/blog\/gdpr-fines-are-coming\/\">penalties will be incoming by the end of the year<\/a>.<\/p>\n<p>The DPAs are going to be busy, too. At least if the HTB report is any indication. 16.2% of US companies have at least two active web applications that process personal data and are either running outdated SSL\/TLS implementations or have an unpatched vulnerability in their CMS. 
15.4% of European companies can say the same.<\/p>\n<p>This is a violation of <a href=\"https:\/\/gdpr-info.eu\/art-32-gdpr\/\">Article 32 of the GDPR<\/a>, which outlines the appropriate technical safeguards.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7805\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/GDPR-Compliance.png\" alt=\"GDPR compliance is not doing well almost 6 months in.\" width=\"900\" height=\"525\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/GDPR-Compliance.png 900w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/GDPR-Compliance-300x175.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/GDPR-Compliance-768x448.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>The report also added:<\/p>\n<blockquote><p>Numbers of non-compliant web applications may likely be much higher, but it is impossible to say how many of the outdated and vulnerable websites actually process or store PII without conducting intrusive tests.<\/p><\/blockquote>\n<h2>Trusted SSL Certificate Usage<\/h2>\n<p>This is the part of the study where I have some legitimate questions about methodology and part of the problem is the way that the information is being presented.<\/p>\n<blockquote><p>The US companies have 45.1% invalid SSL certificates because of untrusted Certificate Authority (CA), expiration or issuance for a different domain name. Untrusted CAs include the distrusted Symantec KPI [sic] legacy certificates. The European companies come out with much better results of \u201cjust\u201d 28.9% invalid certificates.<\/p><\/blockquote>\n<p>A few things, first off this is not attributable to the Symantec distrust. 
<a href=\"https:\/\/www.thesslstore.com\/blog\/digicert-increases-renewal-window-to-7-months\/\">DigiCert has pretty much gotten that handled<\/a>, when Mozilla pushed back its deadline earlier this month the number of websites in the Alexa Top 10,000 with an ill-fated Symantec certificate installed <a href=\"https:\/\/www.thesslstore.com\/blog\/mozilla-pushes-back-symantec-distrust-date\/\">was less than 1%<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7804\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Trusted-SSL-Certificate-Usage.png\" alt=\"Many top companies have at least one distrusted or expired SSL certificate still active\" width=\"900\" height=\"525\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Trusted-SSL-Certificate-Usage.png 900w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Trusted-SSL-Certificate-Usage-300x175.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/Trusted-SSL-Certificate-Usage-768x448.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/p>\n<p>Personally, I think what was meant \u2013 though poorly communicated \u2013 is that this refers to the number of companies that have at least one expired, distrusted or improperly installed SSL certificate. That would go back to the three categories of unknown IT assets \u2013 Shadow IT, Legacy IT and Abandoned IT \u2013 that we discussed at the outset of the article.<\/p>\n<p><strong>RELATED:<\/strong> <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-rogue-certificate\/\"><em>What is a Rogue Certificate?<\/em><\/a><\/p>\n<p>As I mentioned then, that\u2019s actually a very regular issue we deal with here. SSL certificates are one of the most frequent Shadow IT purchases, and on abandoned or forgotten websites and IPs, it only makes sense that there would be expired certificates or distrusted certificates. 
Frankly, the existence of those sites and the obvious fact that they would likely have outdated configurations and expired certificates is something that would have influenced the astronomical figures the study produced.<\/p>\n<p>Again, without the raw data there\u2019s no way to know how much, but Ilia Kolochenko, High-Tech Bridge\u2019s CEO and Founder, contends that\u2019s partly the point.<\/p>\n<blockquote><p>\u201cThe research has clearly demonstrated that abandoned and unmaintained applications are a plague of today. Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. Legacy applications, personnel turnover, lack of resources, outsourcing and offshoring exacerbate the situation.\u201d<\/p><\/blockquote>\n<h2>What Conclusions Can We Draw From This?<\/h2>\n<p>If it seems like I\u2019ve been overly critical at points, that was never my intention. I\u2019ve only attempted to provide an objective analysis of the report that was released. There\u2019s a lot of very good information in this study, including a few major takeaways:<img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7815\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/SSL-Gears-e1540500876199-300x300.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/SSL-Gears-e1540500876199-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/SSL-Gears-e1540500876199.jpg 400w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<ul>\n<li><strong>Lack of visibility is a major problem, especially for Enterprises.<\/strong> We talk about that all the time from a certificate management standpoint, but it applies to almost every cybersecurity context. 
It\u2019s not the parts of your digital infrastructure that are frequently used and well-maintained that are the biggest threats, a lot of times it\u2019s the older stuff that you may have discontinued but didn\u2019t properly shut down. And all it takes is a tiny opening for a cybercriminal to exploit it and cause you major problems.<\/li>\n<li><strong>You need to have a strategy for assimilating Shadow IT assets into your larger organizational security apparatus when they are discovered.<\/strong> It\u2019s almost impossible to completely stamp out Shadow IT issues, as your company grows it gets harder and harder to coordinate, so instead treat it like an inevitability and figure out what needs to be done to gain visibility over Shadow IT assets and inform stakeholders to take appropriate action.<\/li>\n<li><strong>Finally, keep a critical eye when you\u2019re reading research like this.<\/strong> While a lot of this information is very good and extremely useful, don\u2019t get too hung up on the figures and statistics. Let them give you a rough idea, but remember that numbers can be manipulated and teased to create the intended effect. 
And without raw data you can never know how much.<\/li>\n<\/ul>\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n<p><em>As always, leave any comments or questions below&#8230;<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-7276\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg\" alt=\"Hashed Out by The SSL Store is the voice of record in the SSL\/TLS industry.\" width=\"1559\" height=\"407\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg 1559w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-300x78.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-768x200.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg 1024w\" sizes=\"auto, (max-width: 1559px) 100vw, 1559px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The report by High-Tech Bridge also turned up an alarming number of expired SSL\/TLS certificates A new report by High-Tech Bridge, released Wednesday, makes some troubling findings about the 
state&#8230;<\/p>\n","protected":false},"author":6,"featured_media":7810,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[228,179,467],"class_list":["post-7803","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-pki","tag-ssl-certificates","tag-ssltls","post-with-tags"],"views":13982,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-World-Map-Futuristic-Interface-251545531.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=7803"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7803\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/7810"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=7803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=7803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=7803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}
]}}