Cyber Security Firms – y u no https!!!
If you went to a meeting at a Swiss bank, you'd naturally expect to see good security on their own property.
Similarly, you expect people in the fashion world to be well dressed and coiffured...
...and a cyber security company would be deploying security practices in their online marketing above and beyond ordinary website standards.
Oh, wait, what was that last one?
Right, it turns out that "cyber security" brands are actually not all squared away and Blue Steel about their own actual "cyber security" when it comes to the matter of serving website content over a secure connection.
Cyber Security Firms: Do You Care About HTTPS?
This is a quick and informal study, which took us a couple of hours to complete, and it shows that 100% of the top 35 Google-listed "cyber security" and "IT security" companies based in the UK fail to gain top scores on website security best practice with regard to https (aka SSL).
We have used simple criteria to consider these websites' use of https:
- Firstly, if they do not use https at all it is an instant fail and a "Hall of Shame" listing (see below).
- Secondly, if they do use https we have used two widely recognized automatic tools to rank the security level of their implementation.
18 of the 35 organizations' websites we reviewed fail to implement https at all. Technical analysis: tragic PR fail.
ALL of the remaining ~50% of companies that *do* currently implement https score below grade A on one or both of the well-known https tests we ran.
Scope of the test:
- 35 companies or organizations discovered by google.co.uk search on 26 Feb 2016 at 10:20am from a London IP address, reviewed in order of search results, including both paid and organic results (indicated in the spreadsheet)
- From the search results we selected all of the companies which are (a) based in or marketing in the UK, and (b) definitely appear to be marketing themselves in relation to cyber security. In the case of (b) we include the paid search results even if the company is not 100% focused on cyber security, since they took the decision to advertise against that term in AdWords.
- We judged the initial https yes-or-no based on the landing page from the Google search result, and in the spreadsheet we have noted this as well as the brand homepage.
- basic https yes-or-no checked by hand in a browser (Firefox 44)
- https quality score test 1: https://www.ssllabs.com/ssltest/ - this is a de facto standard score, focusing on encryption standards and software versions
- for the Qualys https test we have taken the lower of the two scores if there are two server IPs noted
- https quality score test 2: https://securityheaders.io/ - this focuses on the security headers used to strengthen https and adds to the requirements of Qualys on some points of recent good practice
- the above two tests are run on the homepage URL with the "do not record" setting
- Findings in a spreadsheet here: https://docs.google.com/spreadsheets/d/1XS3EnVGQvEhpZoYMgeFlropHC8B9fs36zKYeRXtxwXo/edit?usp=sharing
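To make the yes-or-no and header criteria above concrete, here is an added Python example (ours, not code from the original post, from Qualys or from securityheaders.io) that buckets a site from captured http and https homepage responses the way the Hall of Shame notes do ("no https", "have https but not by default", "redirect https back to http"), lists the security headers that are missing, and reads the HSTS max-age. The hostnames and responses are constructed assumptions, not data from the spreadsheet, and the header list is a 2016-era subset rather than securityheaders.io's actual scoring.

```python
from urllib.parse import urlsplit
# Constructed observations (not real measurements) for four hypothetical sites:
# the response to GET http://host/ and, when port 443 answers, GET https://host/.
SAMPLE = {
    "no-https.example": {"http": {"status": 200, "headers": {}}, "https": None},
    "not-default.example": {"http": {"status": 200, "headers": {}},  # plain http, no redirect
                            "https": {"status": 200, "headers": {"Strict-Transport-Security": "max-age=86400"}}},
    "downgrade.example": {"http": {"status": 200, "headers": {}},
                          "https": {"status": 301, "headers": {"Location": "http://downgrade.example/"}}},
    "good.example": {"http": {"status": 301, "headers": {"Location": "https://good.example/"}},
                     "https": {"status": 200, "headers": {
                         "strict-transport-security": "max-age=31536000; includeSubDomains",
                         "Content-Security-Policy": "default-src 'self'",
                         "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}}},
}
# Headers securityheaders.io looked for in 2016 (a subset); the bucketing below is ours, not its scoring.
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Frame-Options", "X-Content-Type-Options")

def header(resp, name):  # header names are case-insensitive; None when absent
    return next((v for k, v in resp["headers"].items() if k.lower() == name.lower()), None)

def redirects_to(resp, scheme):  # True when resp is a 3xx whose Location uses `scheme`
    if resp is None or not 300 <= resp["status"] < 400:
        return False
    loc = header(resp, "Location")
    return loc is not None and urlsplit(loc).scheme == scheme

def classify(obs):  # bucket a site the way the post's Hall of Shame notes do
    if obs["https"] is None:
        return "no https at all"
    if redirects_to(obs["https"], "http"):
        return "redirects https back to http"
    if not redirects_to(obs["http"], "https"):
        return "has https but not by default"
    return "https by default"

def missing_headers(obs):  # expected headers absent from the https homepage (all, if https is down)
    resp = obs["https"]
    return [h for h in EXPECTED_HEADERS if resp is None or header(resp, h) is None]

def hsts_max_age(obs):  # max-age seconds from Strict-Transport-Security, None if no usable HSTS
    value = header(obs["https"], "Strict-Transport-Security") if obs["https"] else None
    for directive in (value or "").split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return None
```

Run `classify`, `missing_headers` and `hsts_max_age` over each entry of `SAMPLE` to get the three columns the spreadsheet records per site.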
KnowledgePower edits since publishing this blog post:
1. If your organization is listed and you want the listing updated, on request we will gladly update the list below to (a) remove the URL in the text and (b) add accompanying notes that you have taken steps to update your https situation.
2. We will remove companies' listings in entirety if relevant brands can complete or refute our flow chart below:
3. We do not agree that the contents of this post require "responsible disclosure", i.e. advance / private notifications. This is because, according to our understanding, any party with the intent and ability to exploit weaknesses due to a lack of https or lack of an A+ implementation of https would already be obviously aware of the weakness. Conversely, we believe it unlikely that anybody who needs a marketing blog to point out a lack of https best practice constitutes a security risk to your firm. By all means enlighten us if these are incorrect assumptions.
Hall of Fame
Hall of Shame
=> (failure to use https at all)
=> (incomplete / incompetent implementation of https)
- http://www.symantec.com/en/uk/index.jsp Symantec (have https but not by default)
- http://cybersecurityventures.com/ Cybersecurity Ventures
- http://www.ukcybersecurityforum.com/ UK Cyber Security Forum
- http://www.malvern-cybersecurity.com/ Malvern Cyber Security
- http://www.ibm.com/us-en/ IBM (have https but not by default)
- http://compute-forensics.com/ Compute Forensics
- http://www.sitstechnology.co.uk/ SITS Technology
- http://trilogytechnologies.com/ Trilogy (have https but errors)
- http://www.peterbance.co.uk/ Peter Bance
- http://www.kroll.com/en-us Kroll
- http://www.ouritdept.co.uk/ Our IT Department
- http://www.firstbase.co.uk/ First Base Technologies
- http://www.ca.com/gb.html CA Technologies (have https but not by default)
- http://www.corpguard.com/en/ Corpguard
- http://www.paconsulting.com/ PA Consulting
- http://www.itgovernance.co.uk/ IT Governance (actually redirect https back to http - we hope your "governance" of clients' websites is better than this!)
- http://www.qinetiq.com/Pages/default.aspx Qinetiq (have https but not by default)
- http://www.blackfootuk.com/ Blackfoot
- http://www.csc.com/ CSC (have https but errors)
Hall of Not-That-Bad
- https://www.e2e-assure.com/ e2e-assure - Qualys A+
- https://cylonlab.com/ Cylon - Qualys A+
- https://puppetlabs.com/ Puppet Labs - Qualys A+
Other brands reviewed: ALL are rated as having specific things they "Should Probably Improve"
- https://www.accenture.com/us-en Accenture
- https://www.huntsmansecurity.com/ Huntsman
- https://www.countercept.com/ Countercept
- https://www.xyonecybersecurity.co.uk/ Xyone Cyber Security
- https://www.darktrace.com/ Darktrace
- https://www.portcullis-security.com/ Portcullis Security
- https://www.wynyardgroup.com/en/ Wynyard
- https://www.cyberseer.net/ Cyberseer
- https://www.thecybersecurityexpert.com/ The Cyber Security Expert
- https://www.cybersecurity.ox.ac.uk/ University of Oxford Cyber Security
- https://www.itsecurityexpert.co.uk/en/ IT Security Expert
- https://www.hpe.com/uk/en/home.html Hewlett Packard Enterprise
- https://www.riverbank.co.uk/ Riverbank
Why are we being assholes blogging about this?
Firstly, we grant that the lack of https and https best practices is not abnormal. As found by researcher Scott Helme, over 90% of the Alexa top one million sites fail to implement https by default, let alone stronger https practices. The trend is improving fast though: Scott Helme notes a 9.4% improvement in https implementation between August 2015 and February 2016.
So the issue is about who is supposed to be leading the way by example.
It seems reasonable to us that one of the industries leading the way ought to be soi-disant "Cyber Security" experts / consultants / implementers / testers.
Why aren't these companies doing better?
We really have no idea.
Quite the opposite, in fact: https is an obvious trust signal for website users, and the halo of the green padlock is about to be replaced by visible shaming of http-only sites. See: Google Will Soon Shame All Websites That Are Unencrypted
Not enough of an incentive?
So these are sufficient reasons to get up to date even if you have never heard the words "mass pervasive surveillance".
Privacy and security best practices are for everyone, not just privacy advocates.
Continuing to serve over http is now a conscious choice to signal that you don't care about your users' privacy and security.
Continuing to serve websites over http is now effectively a deliberate organizational and branding choice to be (and appear) outdated and insecure.
How can we explain IT "experts" still not caring? Surely it isn't a case of ignorance, incompetence, or lack of control of the firms' own web marketing assets? If it is any of those, it's obviously still not acceptable for security firms.
Really, if there is a valid reason for these security firms not to be using https we would love to hear from you.
I think we will revisit the list in a few months and see how this is going!
Disclaimer but still y u no https
Firstly all of the information here is public and we have attempted to keep the interpretation factual.
Secondly we are not IT security experts and do not claim to be. This is in fact the entire point of this post: if just a tiny bit above average knowledge about the significance of https can reveal this kind of widespread insouciance or hypocrisy about a standard security technology, who knows what else might be improperly managed under the surface? Maybe everything else about these companies is perfect, but you have to wonder why, even if they view https as superficial and trivial, they would care so little about customer impressions of them that they would not take the superficial and trivial effort to fix it.
In other words, if all of this https hardening is in your opinion just security theatre, as a company marketing as a security brand, doesn't it make sense to perform well on that stage?
Recommended https resources
- High-Tech Bridge SSL Server Test
- Cipherli.st Strong Ciphers for Apache, nginx and Lighttpd
- Mozilla (server side) SSL Configuration Generator
- Awesome documentation about the checks in securityheaders.io from the author Scott Helme
- HSTS tutorial
- Problems using HSTS header at top level domain with includeSubdomains
- Scott Helme on HPKP: HTTP Public Key Pinning (usually the final thing to get that A+ rating!)
- Another good explanation of Public Key Pinning
- (not that good) Mozilla reference on Public Key Pinning
- Content security policy checker and builder