Cyber Security Firms – y u no https!!!

If you went to a meeting at a Swiss bank, you'd naturally expect to see good security on their own premises.

Photo of a large and intricate bank vault door

24-bolt Diebold vault door at the Winona National Bank, built in the early 1900s. By Jonathunder - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=5765999

Similarly, you expect people in the fashion world to be well dressed and coiffured...

Derek and Hansel from Zoolander looking fashionable

(Screen capture, Zoolander 2 trailer, CC labelled, https://youtu.be/2NIKlsrr7H4)

...and a cyber security company would be deploying security practices in its online marketing above and beyond ordinary website standards.

Error message from Firefox saying your connection is not secure

Doh! How are customers feeling about their cyber security ventures now!

Oh, wait, what was that last one?

Right, it turns out that "cyber security" brands are actually not all squared away and Blue Steel about their own actual "cyber security" when it comes to the matter of serving website content over a secure connection.

Cyber Security Firms: Do You Care About HTTPS?

This is a quick and informal study, which took us a couple of hours to complete. It shows that 100% of the top 35 Google-listed "cyber security" and "IT security" companies based in the UK fail to gain top scores on website security best practice in regard to https (i.e. TLS, still widely referred to as SSL).

We have used simple criteria to consider these websites' use of https:

  1. Firstly, if they do not use https at all, it is an instant fail and a place in the "Hall of Shame" (see below).
  2. Secondly, if they do use https, we have used two widely recognized automated tools to rank the security level of their implementation.

18 of the 35 organizations' websites we reviewed fail to implement https at all. Technical analysis: tragic PR fail.

ALL of the remaining ~50% of companies that *do* currently implement https score below grade A on one or both of the well-known https tests we ran.

Chrome browser mixed content error message for https settings of itsecurityexpert.co.uk

Some of the errors are minor, and in normal circumstances are forgivable. https mixed content errors (a page served over https that pulls in scripts, images or stylesheets over plain http) are a headache to iron out. However, if your brand is e.g. "IT Security Experts"... you just have to tighten up, surely?

Scope of the test:

  • 35 companies or organizations discovered by google.co.uk search on 2016 02 26 at 1020am with a London IP address, reviewed in order of search results, including both paid and organic results (indicated in the spreadsheet)
  • From the search results we selected all of the companies which are (a) based in or marketing in the UK, and (b) definitely appear to be marketing themselves in relation to cyber security. In the case of (b) we include the paid search results even if the company is not 100% focused on cyber security, since they took the decision to advertise against that term in AdWords.
  • We judged the initial https yes-or-no based on the landing page from the Google search result, and in the spreadsheet we have noted this as well as the brand homepage
  • basic https yes-or-no checked manually in a browser (Firefox 44)
  • https quality score test 1: https://www.ssllabs.com/ssltest/ - this is the de facto standard score, focusing on the certificate, the protocol versions and cipher suites offered, and known server-side weaknesses
  • for the Qualys https test we have taken the lower of the two scores where two server IPs are reported
  • https quality score test 2: https://securityheaders.io/ - this focuses on the use of HTTP security headers (e.g. Strict-Transport-Security, Content-Security-Policy) that strengthen an https deployment, and adds requirements beyond Qualys on some points of recent good practice
  • the above two tests are run on the homepage URL with the "do not record" setting
  • Findings in a spreadsheet here: https://docs.google.com/spreadsheets/d/1XS3EnVGQvEhpZoYMgeFlropHC8B9fs36zKYeRXtxwXo/edit?usp=sharing

screenshot of the https review spreadsheet

Click to view the findings in a spreadsheet. Please note this is JUST a snapshot from an informal review at 2016 02 26 and your mileage may vary in future (hopefully). We are not affiliated with any of these organizations, neither do we endorse or make any claims about the organizations beyond what is publicly visible information here.
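To make the criteria above concrete (the yes-or-no https check, "https but not by default", the https-redirects-back-to-http case noted against IT Governance below, mixed content, and the missing-headers checks that securityheaders.io performs), here is an added example that is not part of the original post or its spreadsheet. It takes captured responses for a host's http:// and https:// homepage and returns one of the post's verdicts. The hosts, responses and the set of expected headers are constructed fixtures for this example, not measurements of any real company; the TLS configuration grading that Qualys does (protocols, ciphers, certificate chain) needs a live handshake and is deliberately out of scope.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Response:
    """One captured HTTP response: status code, lower-cased header names, body."""
    status: int
    headers: dict
    body: str = ""


@dataclass
class Site:
    """Captured responses for GET http://host/ and GET https://host/ (None if https failed)."""
    host: str
    http: Response
    https: Optional[Response]


# Headers a securityheaders.io-style scan looks for on the https homepage.
# This list is an assumption for the example; the real tool checks more.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options")
MIN_HSTS_MAX_AGE = 15768000  # six months; assumed threshold for this example


class MixedContentScanner(HTMLParser):
    """Collects sub-resources fetched over plain http, which browsers flag as mixed content."""
    RESOURCE_TAGS = {"img", "script", "iframe", "link", "source", "video", "audio", "object"}

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.RESOURCE_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "href") and value and urlsplit(value).scheme == "http":
                self.insecure.append(value)


def redirect_scheme(resp):
    """Scheme of a 3xx Location target, or None when the response is not a redirect."""
    if resp is None or not 300 <= resp.status < 400:
        return None
    return urlsplit(resp.headers.get("location", "")).scheme or None


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or 0 when absent or unparseable."""
    m = re.search(r"max-age\s*=\s*(\d+)", headers.get("strict-transport-security", ""), re.I)
    return int(m.group(1)) if m else 0


def classify(site):
    """Apply the post's criteria to one site; returns (verdict, list of findings).

    'hall_of_shame': no https, https bounced back to http, http not redirected
    to https ("not by default"), or mixed content on the https page.
    'should_probably_improve': https works but security headers are weak.
    'hall_of_fame': nothing found by these checks.
    """
    if site.https is None:
        return "hall_of_shame", ["no https at all"]
    if redirect_scheme(site.https) == "http":
        return "hall_of_shame", ["https redirects back to http"]
    findings = []
    if redirect_scheme(site.http) != "https":
        findings.append("https not default: http:// is served without redirecting to https://")
    scanner = MixedContentScanner()
    scanner.feed(site.https.body)
    for url in scanner.insecure:
        findings.append("mixed content: " + url)
    if findings:
        return "hall_of_shame", findings
    missing = [h for h in EXPECTED_HEADERS if h not in site.https.headers]
    if missing:
        findings.append("missing headers: " + ", ".join(missing))
    if "strict-transport-security" in site.https.headers and \
            hsts_max_age(site.https.headers) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age below %d" % MIN_HSTS_MAX_AGE)
    return ("should_probably_improve" if findings else "hall_of_fame"), findings


GOOD_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}

# Constructed fixtures for hypothetical hosts; none of these are real measurements.
SAMPLE_SITES = [
    Site("no-tls.example", Response(200, {}, "<html></html>"), None),
    Site("bounce-back.example", Response(200, {}),
         Response(301, {"location": "http://bounce-back.example/"})),
    Site("optional-tls.example", Response(200, {}, "<p>hi</p>"), Response(200, GOOD_HEADERS, "<p>hi</p>")),
    Site("mixed.example", Response(301, {"location": "https://mixed.example/"}),
         Response(200, GOOD_HEADERS, '<img src="http://cdn.mixed.example/logo.png">')),
    Site("weak-headers.example", Response(301, {"location": "https://weak-headers.example/"}),
         Response(200, {"strict-transport-security": "max-age=300"}, "<p>ok</p>")),
    Site("squared-away.example", Response(301, {"location": "https://squared-away.example/"}),
         Response(200, GOOD_HEADERS, '<img src="https://squared-away.example/logo.png">')),
]


def audit(sites=SAMPLE_SITES):
    """Run classify over a list of sites; returns {host: (verdict, findings)}."""
    return {s.host: classify(s) for s in sites}


if __name__ == "__main__":
    for host, (verdict, findings) in audit().items():
        print(f"{host:24} {verdict:26} {'; '.join(findings)}")
```

To use it against real hosts you would populate `Site` from two fetches (http:// and https://) made without following redirects, so that the first-hop Location header is what gets classified; a client that auto-follows redirects hides exactly the "not by default" and "bounces back to http" cases this test is looking for.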

KnowedgePower edits since publishing this blog post:

1. If your organization is listed and you want the listing updated, on request we will gladly update the list below to (a) remove the URL in the text and (b) add accompanying notes that you have taken steps to update your https situation.

2. We will remove companies' listings entirely if the relevant brands can complete or refute our flow chart below:

y u no flowchart screenshot

Flowchart summarizing the "y u no https" argument. Please click the image to see the full size png.

3. We do not agree that the contents of this post require "responsible disclosure", i.e. advance / private notification. This is because, to our understanding, any party with the intent and ability to exploit weaknesses arising from a lack of https, or from a less-than-A+ implementation of https, would already be well aware of the weakness. Conversely, we believe it unlikely that anybody who needs a marketing blog to point out a lack of https best practice constitutes a security risk to your firm. By all means enlighten us if these assumptions are incorrect.

Hall of Fame

Nobody!

Hall of Shame

=> (failure to use https at all)
or
=> (incomplete / incompetent implementation of https)

  • http://www.symantec.com/en/uk/index.jsp Symantec (have https but not by default)
  • http://cybersecurityventures.com/ Cybersecurity Ventures
  • http://www.ukcybersecurityforum.com/ UK Cyber Security Forum
  • http://www.malvern-cybersecurity.com/ Malvern Cyber Security
  • http://www.ibm.com/us-en/ IBM (have https but not by default)
  • http://compute-forensics.com/ Compute Forensics
  • http://www.sitstechnology.co.uk/ SITS Technology
  • http://trilogytechnologies.com/ Trilogy (have https but errors)
  • http://www.peterbance.co.uk/ Peter Bance
  • http://www.kroll.com/en-us Kroll
  • http://www.ouritdept.co.uk/ Our IT Department
  • http://www.firstbase.co.uk/ First Base Technologies
  • http://www.ca.com/gb.html CA Technologies (have https but not by default)
  • http://www.corpguard.com/en/ Corpguard
  • http://www.paconsulting.com/ PA Consulting
  • http://www.itgovernance.co.uk/ IT Governance (actually redirect https back to http - we hope your "governance" of clients' websites is better than this!)
  • http://www.qinetiq.com/Pages/default.aspx Qinetiq (have https but not by default)
  • http://www.blackfootuk.com/ Blackfoot
  • http://www.csc.com/ CSC (have https but errors)

Symantec ssl testing tool showing symantec failing on their own tests

Symantec are in the hall of shame for not enabling https by default on their site, and furthermore for having weaknesses in their https configuration, including one problem that is flagged by their own testing tool!

error message showing IBM insecure warning in browser

IBM rocking an obsolete cipher suite and getting a merry red cross alert from Chrome: great cyber security marketing guys!

Hall of Not-That-Bad

  • https://www.e2e-assure.com/ e2e-assure - Qualys A+
  • https://cylonlab.com/ Cylon - Qualys A+
  • https://puppetlabs.com/ Puppet Labs - Qualys A+

A plus score for cylon at Qualys reports page

With a clear A+ on the Qualys SSL test, I would trust Cylon to advise me about cyber security more than someone who doesn't care enough to apply even basic https. We're nerdy for caring perhaps, but this is going to change rapidly.

Other brands reviewed: ALL of these are rated as having specific things they "Should Probably Improve"

  • https://www.accenture.com/us-en Accenture
  • https://www.huntsmansecurity.com/ Huntsman
  • https://www.countercept.com/ Countercept
  • https://www.xyonecybersecurity.co.uk/ Xyone Cyber Security
  • https://www.darktrace.com/ Darktrace
  • https://www.portcullis-security.com/ Portcullis Security
  • https://www.wynyardgroup.com/en/ Wynyard
  • https://www.cyberseer.net/ Cyberseer
  • https://www.thecybersecurityexpert.com/ The Cyber Security Expert
  • https://www.cybersecurity.ox.ac.uk/ University of Oxford Cyber Security
  • https://www.itsecurityexpert.co.uk/en/ IT Security Expert
  • https://www.hpe.com/uk/en/home.html Hewlett Packard Enterprise
  • https://www.riverbank.co.uk/ Riverbank

meme rage face saying self professed cyber experts y u no https

After finishing this article we will ping each brand in the hall of shame to ask "Y U NO HTTPS".

Why are we being assholes blogging about this?

Firstly, we grant that the lack of https and of https best practices is not abnormal. As researcher Scott Helme found, over 90% of the Alexa top one million sites fail to implement https by default, let alone stronger https practices. The trend is improving fast though: Scott Helme notes a 9.4% improvement in https implementation between August 2015 and February 2016.

So the issue is about who is supposed to be leading the way by example.

It seems reasonable to us that one of the industries leading the way ought to be soi-disant "Cyber Security" experts / consultants / implementers / testers.

Why aren't these companies doing better?

We really have no idea.

After all, https is not new, not expensive (in fact, with a little more skill, it is free), not difficult (to get off the List of Shame, at least), and not a performance issue.

The opposite, in fact: it's an obvious trust signal for website users, and the halo of the green padlock is about to be joined by visible shaming of http-only sites. See: Google Will Soon Shame All Websites That Are Unencrypted

insecure website shown with red cross in browser bar

Google’s intention is to “call out” HTTP for what it is: “UNSAFE.” -- https://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https

Not enough of an incentive?

Google has been telling us that https has been an SEO ranking signal since 2014.

So these are sufficient reasons to get up to date even if you have never heard the words "mass pervasive surveillance".

Privacy and security best practices are for everyone, not just privacy advocates.

Continuing to serve over http is now a conscious choice that signals you don't care about your users' privacy and security, and, in effect, a deliberate organizational and branding choice to be (and appear) outdated and insecure.

How can we explain IT "experts" still not caring? Surely it isn't a case of ignorance, incompetence, or lack of control over the firms' own web marketing assets? If it is any of those, that is obviously still not acceptable for security firms.

Really, if there is a valid reason for these security firms not to be using https we would love to hear from you.

I think we will revisit the list in a few months and see how this is going!

meme Jackie Chan saying cyber security brands without https

I have only read one valid reason recently for not using https, and that was from a security researcher who needs to test browsers' reactions to insecure content!

Disclaimer but still y u no https

Firstly, all of the information here is public and we have attempted to keep the interpretation factual.

Secondly, we are not IT security experts and do not claim to be. That is in fact the entire point of this post: if just slightly above-average knowledge about the significance of https can reveal this kind of widespread insouciance or hypocrisy about a standard security technology, who knows what else might be improperly managed under the surface? Maybe everything else about these companies is perfect, but you have to wonder why, even if they view https as superficial and trivial, they care so little about customer impressions of them that they will not make the superficial and trivial effort to fix it.

In other words, if all of this https hardening is in your opinion just security theatre, as a company marketing as a security brand, doesn't it make sense to perform well on that stage?

Recommended https resources