The past few years have seen many advances in the security that can be applied to websites and their applications. However, not everyone takes advantage of what is available. The adoption of HTTPS, for example, is highly variable. Likewise the use of Content Security Policies (CSP) and security headers is not just variable but often implemented incorrectly.
We set out to understand how these security technologies were being applied across different industry sectors. The first paper in a series was published in June 2017. In this work we focussed on the adoption of HTTPS. Papers still under review will cover CSP and security headers.
The findings for TLS 1.2 were not entirely surprising as we found that the Computer and Business sectors are generally the strongest for adopting security. Less expected was that News and Sports are the weakest, with less than 1 in 10 of the Top 500 sites in the sector adopting TLS 1.2. Generally, the greater the scope for integrating content from a range of external sites, the least likely the site is going to support strong security, and thus are more likely to be open to vulnerabilities such as cross-site scripting. One might have expected the opposite.
In general the adoption is patchy but for TLS 1.2 it is encouraging that that later methods of key exchange prevail. It seems that the task ahead of us is to convince website operators to use TLS in the first place. The size of this task is disappointing given initiatives such as the OWASP Top 10 which has trumpeted for a long time now the top risks and how to avoid them.
For those interested in exploring the data we collected it has been made available here.
Further papers to follow.