
It's time to pick up the pace on HTTPS encryption, survey finds

30 May 2017

Less than half of internet sites support HTTPS, despite it being a 'must have' for all businesses, according to a new report from web optimisation provider SEMrush.

The company analysed data on 100,000 anonymous websites, and 45% of them supported HTTPS. While the sample was small, many of them supposedly used the secure protocol.

9% of those websites still had insecure pages with password input fields - even though Google requires that any website that collects passwords should be encrypted.

The company says that even minor errors in HTTPS implementation can cost websites in user security factors and Google attention.

Last year Google announced that, as of January this year, Chrome would start marking HTTP pages that collect passwords or credit cards as non-secure, as part of an effort to mark all HTTP sites as non-secure.

Implementation errors can come down to mixed content, where an HTTPS page loads some of its resources over plain HTTP. Browsers warn users about loading that insecure content, which can impact the user experience and user confidence. 50% of all analysed websites fell into that trap.

The company also found that 50% of websites that were moving to HTTPS still included errors through internal links to HTTP pages.

8% of analysed websites had an HTTP homepage that didn't match its HTTPS version. While this isn't much of a problem for those websites that support HSTS, those that don't could find that they encounter page competition, traffic loss and poor placement.

At the certificate level, 2% had an expired SSL (Secure Sockets Layer) certificate, and 6% of websites had a certificate registered to the wrong name. SSL certificates are used to make sure a connection between browser and server is secure, and also stop information from being stolen.

It's out with the old, as 3.6% of websites had an old security protocol, and SNI-related errors accounted for 0.56% of websites.

And it's in with the new: The study found that 86% of analysed websites didn't support HSTS (HTTP Strict Transport Security), although the technology is relatively new.
