Can we trust our HTTPS connections to the largest global companies?
How efficiently do the Global 2000 companies protect our data between their web servers and our computers or mobiles?
Efficient and effective data encryption becomes a vital part of our daily life. We use various web applications every day to pay our bills, send and receive our emails and share private information or photos with friends on social networks. Each time we send a data to a web server from our computer or a mobile phone, we want it to stay private and confidential relying on HTTPS encryption.
At the beginning of the year, 74% of companies in the Global 2000 were still vulnerable to critical Heartbleed vulnerability. A week ago, a new research from Netcraft revealed that 1 million SSL certificates are signed using insecure SHA-1 algorithm.
Outdated or vulnerable version or configuration of SSL/TLS encryption may expose and ruin all our private or business life at once. This is why last week our company announced the launch of a free online service to test SSL/TLS security of any web server for compliance with NIST guidelines, PCI DSS requirements and various industry best-practices:
Free PCI DSS and NIST compliant SSL test by High-Tech Bridge
In order to verify how financial institutions, insurances firms and e-commerce businesses among the largest Global 2000 companies identified by Forbes protect our data in transit between our devices and their web servers we conducted a research of their websites in order to verify in totally non-intrusive manner their SSL/TLS implementation and configuration.
Quick Facts and Numbers
We tested web servers of 161 companies from the Global 2000 list by Forbes. We selected those industries and sectors for which proper HTTPS encryption is vital for clients. Here are the results in brief:
- 77% of all tested servers support HTTPS
- 19.4% of the servers supporting HTTPS have an untrusted certificate
- 34% have Always-On SSL enabled
- 26% have Extended Validation (EV) certificate
- 18.5% are still vulnerable to POODLE over SSL
- Only 12% have configurations compliant with PCI DSS requirements 2.3 and 4.1
- Just 2.4% have configurations compliant with NIST guidelines
- 51.6% received an A grade (highest)
Graphs and Statistics
Below are the most interesting facts, findings and numbers:
Financial institutions and Insurance companies were the most represented:
Image 1 - Industries and Sectors Tested
There are still servers implementing HTTPS to redirect users to insecure HTTP version:
Image 2 - Always-On SSL
Half of the tested servers have an A grade:
Image 3 - Global Grade Repartition
More than a third or insurance companies have serious issues with their HTTPS:
Image 4 - Grade Repartition - Insurance
Only a half of tested financial institutions has a secure implementation of HTTPS:
Image 5 - Grade Repartition - Banks
Computer Services and e-commerce outperform other sectors:
Image 6 - Grade Repartition - Computer Services and e-Commerces
Hotels and e-commerce, massively fail to comply with PCI DSS requirements related to SSL/TLS:
Image 7 - Compliance with PCI DSS requirements
Majority of companies have properly addressed POODLE vulnerability over SSL:
Image 8 - SSLv3 Support
Many servers do not implement correct Perfect-Forward-Secrecy, putting all previous communication at critical risk in case of private key loss:
Image 9 - PFS Implementation
The vast majority of servers has weak length of their Diffie-Hellman parameters:
Image 10 - DH parameter size
The most frequent vulnerability is client-initiated secure renegotiation which means PCI DSS requirement failure. Just 1% of tested servers are vulnerable to Heartbleed, proving that companies have learnt a lesson:
Image 11 - Most Frequent Vulnerabilities
More than 60% of the servers tested contain at least one vulnerability among POODLE over SSL, POODLE over TLS, Heartbleed, Client-initiated insecure renegotiation, Client-initiated secure renegotiation and OpenSSL Change-Cipher-Specs bug:
Image 12 - Vulnerabilities Presence
Graphs and Statistics: Comparison of US and EU+CH Banks
Below we compare results for American banks with European and Swiss banks:
Most banks support HTTPS on their main website:
Image 13 - HTTPS Support
Less than a fifth of webservers of the European and US banks from the selected categories of the Global 2000 list are compliant with PCI DSS SSL/TLS requirements:
Image 14 - Compliance with PCI DSS Requirements
NIST Guidelines are more followed by US banks, which is not really a surprise because NIST is an American organization:
Image 15 - Servers Compliant with NIST Guidelines
Almost 40% of European banks are vulnerable to POODLE or use SSLv3 in comparison to only 10% of US banks tested:
Image 16 - SSLv3 Support
While OWASP guidelines allow usage of SHA1 until the end of 2016, NIST explicitly says that it shall not be used. However, the majority of organizations are already using SHA2:
Image 17 - Certificate Signature
Both US and European banks fail to implement Perfect-Forward-Secrecy in a secure manner:
Image 18 - PFS Implementation
US banks’ grades are significantly better than European and Swiss banks:
Image 19 - Grade Repartition - US Banks
Image 20 - Grade Repartition - EU + CH Banks
Ilia Kolochenko, High-Tech Bridge's CEO, says:
"The conducted research demonstrates that even Global 2000 companies have a huge potential for improvement of their SSL implementation in order to assure privacy and confidentiality of their customers' data.
At High-Tech Bridge, we developed a free online service to enable anyone, regardless his or her technical skills, age or geographical location to verify how secure his or her HTTPS connection to a website is. In the first week of launch, we had more than 10,000 people use the service.
We are continuously improving the service by collaborating with the community and cybersecurity industry. In the near future we will announce more exciting features and functions, stay tuned."