Can we Trust our HTTPS Connections to the Largest Global Companies?

Efficient and effective data encryption becomes a vital part of our daily life. We use various web applications every day to pay our bills, send and receive our emails and share private information or photos with friends on social networks. Each time we send a data to a web server from our computer or a mobile phone, we want it to stay private and confidential relying on HTTPS encryption.

At the beginning of the year, 74% of companies in the Global 2000 were still vulnerable to critical Heartbleed vulnerability. A week ago, a new research from Netcraft revealed that 1 million SSL certificates are signed using insecure SHA-1 algorithm.

Outdated or vulnerable version or configuration of SSL/TLS encryption may expose and ruin all our private or business life at once. This is why last week our company announced the launch of a free online service to test SSL/TLS security of any web server for compliance with NIST guidelines, PCI DSS requirements and various industry best-practices :

In order to verify how financial institutions, insurances firms and e-commerce businesses among the largest Global 2000 companies identified by Forbes protect our data in transit between our devices and their web servers we conducted a research of their websites in order to verify in totally non-intrusive manner their SSL/TLS implementation and configuration.

Quick Facts and Numbers

We tested web servers of 161 companies from the Global 2000 list by Forbes. We selected those industries and sectors for which proper HTTPS encryption is vital for clients.

Here are the results in brief :

• 77% of all tested servers support HTTPS
• 4% of the servers supporting HTTPS have an untrusted certificate
• 34% have Always-On SSL enabled
• 26% have Extended Validation (EV) certificate
• 5% are still vulnerable to POODLE over SSL
• Only 12% have configurations compliant with PCI DSS requirements 2.3 and 4.1
• Just 2.4% have configurations compliant with NIST guidelines
• 6% received an A grade (highest)

Graphs and Statistics

Below are the most interesting facts, findings and numbers :

• Financial institutions and Insurance companies were the most represented :

• There are still servers implementing HTTPS to redirect users to insecure HTTP version :

• Half of the tested servers have an A grade :

• More than a third or insurance companies have serious issues with their HTTPS :

• Only a half of tested financial institutions has a secure implementation of HTTPS :

• Computer Services and e-commerce outperform other sectors :

• Hotels and e-commerce, massively fail to comply with PCI DSS requirements related to SSL/TLS :

• Majority of companies have properly addressed POODLE vulnerability over SSL :

• Many servers do not implement correct Perfect-Forward-Secrecy, putting all previous communication at critical risk in case of private key loss :

• The vast majority of servers has weak length of their Diffie-Hellman parameters :

• The most frequent vulnerability is client-initiated secure renegotiation which means PCI DSS requirement failure. Just 1% of tested servers are vulnerable to Heartbleed, proving that companies have learnt a lesson :

• More than 60% of the servers tested contain at least one vulnerability among POODLE over SSL, POODLE over TLS, Heartbleed, Client-initiated insecure renegotiation, Client-initiated secure renegotiation and OpenSSL Change-Cipher-Specs bug :

Graphs and Statistics : Comparison of US and EU+CH Banks

Below we compare results for American banks with European and Swiss banks :

• Most banks support HTTPS on their main website :

Less than a fifth of webservers of the European and US banks from the selected categories of the Global 2000 list are compliant with PCI DSS SSL/TLS requirements :

• NIST Guidelines are more followed by US banks, which is not really a surprise because NIST is an American organization :

• Almost 40% of European banks are vulnerable to POODLE or use SSLv3 in comparison to only 10% of US banks tested :

• While OWASP guidelines allow usage of SHA1 until the end of 2016, NIST explicitly says that it shall not be used. However, the majority of organizations are already using SHA2 :

• Both US and European banks fail to implement Perfect-Forward-Secrecy in a secure manner :

• US banks’ grades are significantly better than European and Swiss banks :

Ilia Kolochenko, High-Tech Bridge’s CEO, says :

“The conducted research demonstrates that even Global 2000 companies have a huge potential for improvement of their SSL implementation in order to assure privacy and confidentiality of their customers’ data. At High-Tech Bridge, we developed a free online service to enable anyone, regardless his or her technical skills, age or geographical location to verify how secure his or her HTTPS connection to a website is. In the first week of launch, we had more than 10,000 people use the service. We are continuously improving the service by collaborating with the community and cybersecurity industry. In the near future we will announce more exciting features and functions, stay tuned.”[su_box title=”About High-Tech Bridge” style=”noise” box_color=”#336588″]High-Tech Bridge is a leading provider of on-demand and continuous web application security testing via ImmuniWeb®. The service was recognized as the most complete web security offering by Frost & Sullivan at the beginning of 2015. Cybersecurity Ventures ranked High-Tech Bridge #37 in Cybersecurity 500 list among the most innovative cybersecurity companies. PwC and High-Tech Bridge have established a strategic partnership to provide PwC’s customers with cutting-edge web security testing via ImmuniWeb offering.[/su_box]