In light of COVID-19 precaution measures, we remind that all ImmuniWeb products can be easily configured and safely paid online without any human contact or paperwork.

Total Tests:
Stay in Touch

Weekly newsletter on AI, Application Security & Cybercrime


Your data will stay confidential Private and Confidential

Can we trust our HTTPS connections to the largest global companies?

Wednesday, October 28, 2015 By Read Time: 3 min.

How efficiently do the Global 2000 companies protect our data between their web servers and our computers or mobiles?


Efficient and effective data encryption becomes a vital part of our daily life. We use various web applications every day to pay our bills, send and receive our emails and share private information or photos with friends on social networks. Each time we send a data to a web server from our computer or a mobile phone, we want it to stay private and confidential relying on HTTPS encryption.

At the beginning of the year, 74% of companies in the Global 2000 were still vulnerable to critical Heartbleed vulnerability. A week ago, a new research from Netcraft revealed that 1 million SSL certificates are signed using insecure SHA-1 algorithm.

Outdated or vulnerable version or configuration of SSL/TLS encryption may expose and ruin all our private or business life at once. This is why last week our company announced the launch of a free online service to test SSL/TLS security of any web server for compliance with NIST guidelines, PCI DSS requirements and various industry best-practices:

Free PCI DSS and NIST compliant SSL test by High-Tech Bridge
Free PCI DSS and NIST compliant SSL test by High-Tech Bridge

In order to verify how financial institutions, insurances firms and e-commerce businesses among the largest Global 2000 companies identified by Forbes protect our data in transit between our devices and their web servers we conducted a research of their websites in order to verify in totally non-intrusive manner their SSL/TLS implementation and configuration.


Quick Facts and Numbers

We tested web servers of 161 companies from the Global 2000 list by Forbes. We selected those industries and sectors for which proper HTTPS encryption is vital for clients. Here are the results in brief:

  • 77% of all tested servers support HTTPS
  • 19.4% of the servers supporting HTTPS have an untrusted certificate
  • 34% have Always-On SSL enabled
  • 26% have Extended Validation (EV) certificate
  • 18.5% are still vulnerable to POODLE over SSL
  • Only 12% have configurations compliant with PCI DSS requirements 2.3 and 4.1
  • Just 2.4% have configurations compliant with NIST guidelines
  • 51.6% received an A grade (highest)

Graphs and Statistics

Below are the most interesting facts, findings and numbers:

Financial institutions and Insurance companies were the most represented:

Can we trust our HTTPS connections to the largest global companies? Image 1 - Industries and Sectors Tested

There are still servers implementing HTTPS to redirect users to insecure HTTP version:

Can we trust our HTTPS connections to the largest global companies? Image 2 - Always-On SSL

Half of the tested servers have an A grade:

Can we trust our HTTPS connections to the largest global companies? Image 3 - Global Grade Repartition

More than a third or insurance companies have serious issues with their HTTPS:

Can we trust our HTTPS connections to the largest global companies? Image 4 - Grade Repartition - Insurance

Only a half of tested financial institutions has a secure implementation of HTTPS:

Can we trust our HTTPS connections to the largest global companies? Image 5 - Grade Repartition - Banks

Computer Services and e-commerce outperform other sectors:

Can we trust our HTTPS connections to the largest global companies? Image 6 - Grade Repartition - Computer Services and e-Commerces

Hotels and e-commerce, massively fail to comply with PCI DSS requirements related to SSL/TLS:

Can we trust our HTTPS connections to the largest global companies? Image 7 - Compliance with PCI DSS requirements

Majority of companies have properly addressed POODLE vulnerability over SSL:

Can we trust our HTTPS connections to the largest global companies? Image 8 - SSLv3 Support

Many servers do not implement correct Perfect-Forward-Secrecy, putting all previous communication at critical risk in case of private key loss:

Can we trust our HTTPS connections to the largest global companies? Image 9 - PFS Implementation

The vast majority of servers has weak length of their Diffie-Hellman parameters:

Can we trust our HTTPS connections to the largest global companies? Image 10 - DH parameter size

The most frequent vulnerability is client-initiated secure renegotiation which means PCI DSS requirement failure. Just 1% of tested servers are vulnerable to Heartbleed, proving that companies have learnt a lesson:

Can we trust our HTTPS connections to the largest global companies? Image 11 - Most Frequent Vulnerabilities

More than 60% of the servers tested contain at least one vulnerability among POODLE over SSL, POODLE over TLS, Heartbleed, Client-initiated insecure renegotiation, Client-initiated secure renegotiation and OpenSSL Change-Cipher-Specs bug:

Can we trust our HTTPS connections to the largest global companies? Image 12 - Vulnerabilities Presence


Graphs and Statistics: Comparison of US and EU+CH Banks

Below we compare results for American banks with European and Swiss banks:

Most banks support HTTPS on their main website:

Can we trust our HTTPS connections to the largest global companies? Image 13 - HTTPS Support

Less than a fifth of webservers of the European and US banks from the selected categories of the Global 2000 list are compliant with PCI DSS SSL/TLS requirements:

Can we trust our HTTPS connections to the largest global companies? Image 14 - Compliance with PCI DSS Requirements

NIST Guidelines are more followed by US banks, which is not really a surprise because NIST is an American organization:

Can we trust our HTTPS connections to the largest global companies? Image 15 - Servers Compliant with NIST Guidelines

Almost 40% of European banks are vulnerable to POODLE or use SSLv3 in comparison to only 10% of US banks tested:

Can we trust our HTTPS connections to the largest global companies? Image 16 - SSLv3 Support

While OWASP guidelines allow usage of SHA1 until the end of 2016, NIST explicitly says that it shall not be used. However, the majority of organizations are already using SHA2:

Can we trust our HTTPS connections to the largest global companies? Image 17 - Certificate Signature

Both US and European banks fail to implement Perfect-Forward-Secrecy in a secure manner:

Can we trust our HTTPS connections to the largest global companies? Image 18 - PFS Implementation

US banks’ grades are significantly better than European and Swiss banks:

Can we trust our HTTPS connections to the largest global companies? Image 19 - Grade Repartition - US Banks

Can we trust our HTTPS connections to the largest global companies? Image 20 - Grade Repartition - EU + CH Banks


Ilia Kolochenko, High-Tech Bridge's CEO, says:
"The conducted research demonstrates that even Global 2000 companies have a huge potential for improvement of their SSL implementation in order to assure privacy and confidentiality of their customers' data.
At High-Tech Bridge, we developed a free online service to enable anyone, regardless his or her technical skills, age or geographical location to verify how secure his or her HTTPS connection to a website is. In the first week of launch, we had more than 10,000 people use the service.
We are continuously improving the service by collaborating with the community and cybersecurity industry. In the near future we will announce more exciting features and functions, stay tuned.
"


High-Tech Bridge Security Research Team regularly writes about web and mobile application security, privacy, Machine Learning and AI.

User Comments
Add Comment

Ask a Question