Insecure web still too prevalent: Boffins unveil HSTS wall of shame
Red flags: Hunt and Helme pick out sites that can load without crypto
How's that migration to "HTTPS everywhere" going? With some Chrome browsers* now flagging insecure sites, there's a lot of work still to do, according to security bods Troy Hunt and Scott Helme.
In particular, while some holdouts exist who haven't applied HTTPS to their sites, many websites that people expect to be secure can be accessed insecurely because of HSTS (HTTP Strict Transport Security) configuration problems.
HSTS is a policy mechanism, delivered as an HTTP response header, that lets a web server instruct browsers and other user agents to connect to it only over TLS. It was designed to protect websites against protocol downgrade attacks and cookie hijacking.
What started as "a fun way to spend an afternoon" with coffee, Hunt told Vulture South today, turned into a week-long project documenting the many ways in which HSTS configurations can unintentionally leave pages unencrypted, even when sites can present their SSL certificates.
The pair have documented their efforts at whynohttps.com, foreshadowed yesterday, where among other things they list globally top-rated Alexa sites that can load insecurely, along with country-specific analysis – all with the hope that sites listed on the wall of shame will lift their game.
Even if you ignore the 35 Chinese sites on the list (there are, after all, special circumstances in the Middle Kingdom we'll discuss later), there are still 65 out of the world's 502 largest websites that can, always or sometimes, load insecurely.
The 100 sites listed there, Hunt noted, are 20 per cent of the top 502 sites (ranked by Alexa).
Making the assessments, Hunt said, brought him and Helme into contact with some odd site behaviours.
Australia provides a useful, if unfortunate, example in the form of its Department of Home Affairs, https://www.homeaffairs.gov.au. That site loads securely for Hunt, but it popped up as "insecure" in Helme's crawl.
If you load the site from the link above, it will load correctly and securely: the configuration error the pair found was an HTTP maintenance page that Helme's crawl happened to land on, and from there users can follow links to other pages without HTTPS.
The worst that could happen, Hunt told The Register, is that "the site can be requested insecurely, and serve content insecurely – so that page can become a phishing or malware page".
So while Australia's Department of Home Affairs doesn't deserve a screaming "it's insecure!" headline (because most people will never land on the page Helme's crawler found), there is a configuration error that drops the site's guard under some circumstances.
Getting it right, Hunt told us, needs HTTPS, HSTS, and HSTS pre-loading. Having worked through all three on his own HaveIBeenPwned.com site, he said, pre-loading matters because it stops the browser from making an initial plain-HTTP request to a site whose HSTS policy it has not yet seen: "Even if you've never been to a site before, [HTTPS] is baked into the browser... even an insecure request redirects to a secure request."
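The three-step checklist above can be turned into a check that runs over captured responses. The following is an added example, not code from the article or from whynohttps.com; it assumes you already have the plain-HTTP and HTTPS responses for a host as status code plus lowercase header names, and it uses the one-year max-age that hstspreload.org currently requires.

```python
from dataclasses import dataclass, field

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

@dataclass
class Response:
    scheme: str  # "http" or "https"
    status: int
    headers: dict = field(default_factory=dict)  # lowercase header names

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def assess(http_resp, https_resp):
    """Return findings; an empty list means all three steps look right."""
    findings = []
    # Step 1, HTTPS: the plain-HTTP endpoint must redirect, never serve a page
    # (an HTTP maintenance page, as on the Home Affairs site, fails here).
    loc = http_resp.headers.get("location", "")
    if not (300 <= http_resp.status < 400 and loc.lower().startswith("https://")):
        findings.append("http: serves content instead of redirecting to https")
    # Step 2, HSTS: browsers only honour the header on an HTTPS response.
    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        return findings + ["https: no Strict-Transport-Security header"]
    d = parse_hsts(hsts)
    # Step 3, preload eligibility: one-year max-age, includeSubDomains, preload.
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    if max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"hsts: max-age {max_age} below preload minimum")
    if "includesubdomains" not in d:
        findings.append("hsts: includeSubDomains missing")
    if "preload" not in d:
        findings.append("hsts: preload directive missing")
    return findings

# Constructed sample responses (not real captures of any site).
GOOD_HTTP = Response("http", 301, {"location": "https://example.test/"})
GOOD_HTTPS = Response("https", 200, {"strict-transport-security":
                                     "max-age=31536000; includeSubDomains; preload"})
MAINT_HTTP = Response("http", 200, {"content-type": "text/html"})  # maintenance page
WEAK_HTTPS = Response("https", 200, {"strict-transport-security": "max-age=3600"})
```

Running `assess(MAINT_HTTP, WEAK_HTTPS)` reproduces the maintenance-page failure alongside a short-lived HSTS policy, while the GOOD pair passes cleanly.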
What he and Helme found is that there turned out to be a lot of edge cases. They decided to keep those edge cases in whynohttps.com – any site that will serve insecure requests is included, even though the pair agree that often "it's a matter of degree" for an individual site.
As for China, which figures prominently in the top 100 offenders, Hunt said the Middle Kingdom is an interesting case.
The lack of HTTPS and HSTS in the country could in part reflect national security attitudes to encryption, state censorship, and the heavy presence of the state in infrastructure ownership, he maintained.
Twitter's T.co URL shortener, the BBC (.com), Fox News, Speedtest.net, Fedex, 4chan, or Australia's ABC or Bureau of Meteorology (to name just a few) have no such excuse. ®
* At the time of publication, the Chrome 68 update was not yet available on our Macs