The Online Trust Alliance (OTA) group today released its annual Online Trust Honor Roll, a comprehensive audit and analysis of over 800 websites and mobile applications assessed against security best practices. The Honor Roll recognizes companies that demonstrate best practices in three main categories: brand protection, privacy and site security.
The OTA reported that, of the 800 websites analyzed, nearly 70% of the companies did not qualify, with 52.7% failing in at least one of the three categories. In the Server and SSL Configuration category, the overall average score was 83.4%, down from last year's average of 85%.
The security of a website and its infrastructure plays a very important role in the trustworthiness of a site. Visitors need to be assured that they are on a legitimate website, that their data is secure and that the site is protected against cyber threats. The best practices outlined in this category serve as a useful guideline, so I thought it would be worth taking a deeper dive into it.
The site, server and infrastructure security category evaluates and grades websites on the implementation of:
- Proper server and SSL configurations
- Extended Validation (EV) SSL certificates
- Always-on SSL
Let's take a look at each of these and why it is important.
Server and SSL Configurations
Proper server configuration ensures that the latest and strongest keys, algorithms and protocols are in use. Weak keys and misconfigured certificates allow attackers to exploit known weaknesses and compromise SSL communications.
Five recommendations to enhance your SSL and server configuration:
- Certificate keys should be 2048 bits or stronger
- SHA-1 certificates are becoming more susceptible to attacks; SHA-2 should be used
- Deploy HTTP Strict Transport Security (HSTS) and Always-on SSL
- Use secure protocols (TLS 1.0 or later; TLS 1.2 recommended)
- Deploy secure ciphers (disable RC4) and enable Forward Secrecy
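The five recommendations above can be turned into a mechanical check. The Go program below is an added example (not code from the post, the OTA or GlobalSign) that audits a parsed certificate for key size and signature hash, a Go tls.Config for protocol floor, RC4 and forward-secrecy suites, and a Strict-Transport-Security header value for a usable max-age. The self-signed certificate it builds is constructed for the demo only, the "example.test" common name is a placeholder, and treating anything below TLS 1.2 as a finding reflects the "recommended" wording above rather than a hard rule.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// AuditCert applies the key-size and signature-hash recommendations to a parsed certificate.
func AuditCert(cert *x509.Certificate) []string {
	var findings []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits; 2048 bits or stronger required", pub.N.BitLen()))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "signed with "+cert.SignatureAlgorithm.String()+"; SHA-2 should be used")
	}
	return findings
}

// AuditTLSConfig applies the protocol, RC4 and forward-secrecy recommendations to a Go tls.Config.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 { // 0 means "library default", which we also want pinned explicitly
		findings = append(findings, "MinVersion below TLS 1.2 (TLS 1.0 is the floor, TLS 1.2 recommended)")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() { // suites the Go standard library itself classifies as insecure
		insecure[s.ID] = true
	}
	forwardSecrecy := false
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if strings.Contains(name, "RC4") || insecure[id] {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
		if strings.Contains(name, "ECDHE") { // ephemeral key exchange is what gives forward secrecy
			forwardSecrecy = true
		}
	}
	if !forwardSecrecy {
		findings = append(findings, "no ECDHE suite enabled; forward secrecy unavailable")
	}
	return findings
}

// AuditHSTS parses a Strict-Transport-Security header value and checks that it really enables HSTS.
func AuditHSTS(header string) []string {
	if strings.TrimSpace(header) == "" {
		return []string{"no Strict-Transport-Security header; HSTS not deployed"}
	}
	maxAge := int64(-1)
	for _, d := range strings.Split(header, ";") {
		d = strings.ToLower(strings.TrimSpace(d))
		if strings.HasPrefix(d, "max-age=") {
			if v, err := strconv.ParseInt(strings.Trim(d[len("max-age="):], `"`), 10, 64); err == nil {
				maxAge = v
			}
		}
	}
	switch {
	case maxAge < 0:
		return []string{"Strict-Transport-Security header has no valid max-age directive"}
	case maxAge == 0:
		return []string{"max-age=0 clears the HSTS policy instead of enforcing it"}
	}
	return nil
}

// SelfSignedCert builds a constructed, throwaway self-signed certificate for the demo only.
func SelfSignedCert(bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), SignatureAlgorithm: alg}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SelfSignedCert(2048, x509.SHA256WithRSA)
	if err != nil {
		panic(err)
	}
	weak := &tls.Config{MinVersion: tls.VersionTLS10, CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}}
	fmt.Println("certificate:", AuditCert(cert)) // no findings for a 2048-bit SHA-256 certificate
	fmt.Println("tls.Config:", AuditTLSConfig(weak))
	fmt.Println("HSTS:", AuditHSTS("max-age=0"))
}
```

For a live server the same functions apply to the certificate and connection state returned by a tls.Dial, so the checks can be pointed at your own hosts as a pre-deployment gate.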
Extended Validation SSL Certificates
Extended Validation SSL Certificates, also known as EV SSL, provide the highest level of encryption and signal trust in a simple, visible way that visitors can see and understand.
How does EV SSL compare with other SSL Certificate types?
Strongest vetting levels
Website owners looking to obtain an EV SSL Certificate must go through a globally standardized identity verification process defined in the EV Guidelines, which are ratified by the CA/Browser Forum. The verification process requires:
- Checking the right to use the requested domain
- Confirming the organization's legal, operational and physical existence
- Proving that the entity has authorized the issuance of the certificate
Visual Display of Trust
When an EV SSL Certificate is active, browsers display visual cues of security, including:
- A padlock in the browser
- A green browser address bar
- The name of the organization and the Certificate Authority in the browser
[Image: an EV SSL Certificate displayed in a browser]
Always-on SSL
Always-on SSL (AOSSL) means SSL is implemented across an entire site, including all pages, cookies and sessions. It is a common misconception among website owners that SSL is only needed when collecting personal information such as credit card or login details.
It is important to protect website visitors regardless of where they are on your site and how they are interacting with it. Not using SSL across the entire site leaves it vulnerable to what is known as "sitejacking", a technique in which attackers intercept cookies transmitted over non-secure connections. Access to those cookies could allow an attacker to obtain sensitive information such as usernames, passwords and other private data.
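The two server-side controls that close the cookie-interception gap described above are a redirect of every plain-HTTP request to HTTPS (with an HSTS header on the HTTPS side) and the Secure flag on session cookies, so the browser never sends them in the clear. The Go snippet below is an added example, not code from the post or from GlobalSign: a wrapper handler that enforces Always-on SSL, a cookie constructor with the right flags, and an audit that lists Set-Cookie headers lacking them. The session value, the "cert.pem"/"key.pem" paths and the one-year max-age are placeholders I chose.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
)

// SecureSessionCookie returns a session cookie that browsers send back only over TLS
// (Secure) and that page scripts cannot read (HttpOnly).
func SecureSessionCookie(name, value string) *http.Cookie {
	return &http.Cookie{Name: name, Value: value, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
}

// AlwaysOnSSL wraps any handler: plain-HTTP requests are redirected to the same URL over HTTPS,
// and HTTPS responses carry an HSTS header so browsers stop attempting HTTP at all.
func AlwaysOnSSL(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil { // request did not arrive over TLS
			target := url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
			http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") // assumed policy
		next.ServeHTTP(w, r)
	})
}

// AuditSetCookie inspects a response's Set-Cookie headers and lists cookies that would be
// exposed on a plain-HTTP request (no Secure flag) or readable by injected script (no HttpOnly).
func AuditSetCookie(h http.Header) []string {
	var findings []string
	for _, c := range (&http.Response{Header: h}).Cookies() {
		if !c.Secure {
			findings = append(findings, c.Name+": missing Secure flag")
		}
		if !c.HttpOnly {
			findings = append(findings, c.Name+": missing HttpOnly flag")
		}
	}
	return findings
}

// LoginHandler is a constructed stand-in for a page that starts a session.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, SecureSessionCookie("session", "opaque-session-id")) // placeholder value
	w.WriteHeader(http.StatusOK)
}

func main() {
	app := AlwaysOnSSL(http.HandlerFunc(LoginHandler))
	go log.Println(http.ListenAndServe(":80", app)) // plain HTTP exists only to redirect
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", app)) // placeholder cert/key paths
}
```

Behind a TLS-terminating proxy r.TLS is nil on every request, so the check would need to consult the proxy's forwarded-protocol header instead; trust such a header only when the proxy is the sole path to the application.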
How does your website compare?
The annual Honor Roll report is published to help educate businesses by developing best practices and providing tools and resources to enhance the protection of users' security, privacy and identity.
How does your website compare? Are you following today's best practices? GlobalSign has developed a free tool to help organizations arm themselves with the knowledge to meet today's best practices for SSL and server configuration: use the GlobalSign SSL Checker today to protect your website from SSL vulnerabilities and cyber threats.