Chrome browsers have been flagging insecure non-HTTPS sites today, while Troy Hunt and Scott Hulme is red flagged sites that can load without cryptographic protection.
Ilia Kolochenko, CEO at High-Tech Bridge:
“Proper HTTPS encryption is indeed very important nowadays. However, an improperly implemented or simply missing TLS encryption is more a weakness, not an exploitable vulnerability. Many of the most popular websites are still prone to SQL injections and XXE attacks, let alone omnipresent XSS and CSRF vulnerabilities. These security vulnerabilities bear a much higher degree of risk and may allow breaching the entire website and all the records, PII or financial data the website handles or stored.
In most of the cases, weak or missing TLS encryption of an HTTP traffic may expose web traffic of those users who are located in the same network segment as the attacker – a relatively infrequent case. Therefore, security teams often underestimate the importance of proper and holistic HTTPS implementation.
At High-Tech Bridge, we offer a free service to test your SSL/TLS for compliance with PCI DSS and NIST, discover you subdomains and automatically probe their HTTPS. Many people find this very useful, as frequently HTTPS initiatives are limited to the “www” website, leaving micro service and subdomains on HTTP.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.