This week Google are starting to flag websites that are not secure
Next May the GDPR will be upon us. The legislation imposes strict new requirements regarding corporate storage and processing of personal information. For information leakage a company can be fined up to 4% of turnover or €20 million, whichever is greater.
In June we started passively testing websites in light of the rising global cyber-attacks. At that point in time approximately 70% of UK websites were not secure. Three months on, this percentage has barely changed. Website owners generally are not taking urgent action, because a lot of ‘stories’ are being spread saying that SSL certification is not very important.
There is a fallacy that you only need SSL certification for transactional websites. This is NOT true. This kind of tangential comment has surfaced because of the huge number of brute-force attacks (especially on WordPress sites) and clients complaining to their agencies; but the industry as a whole (design and development) lacks urgency because it lacks understanding.
When a website has forms that can be filled in by its visitors it needs SSL certification. From 17th October Google Chrome (v62) will flag pages that contain form fields and are served over plain http by stating ‘Not Secure’ in the address bar. Probably from the year end it will state ‘Not Secure’ on any http (no ‘s’) page. Another misconception is that “only the contact page is not secure”. This is also NOT true. You cannot have an insecure contact form and the rest of the website secure, because a contact form is only secure when the page is served over https with valid SSL certification for the website. Google Chrome is used by 59% of web users.
Amongst the insecure websites:-
a). Probably over a third of them are insecure solely because their SSL certification is invalid.
b). 90% of invalid SSL certificates are not trusted because they are in the WRONG name: the certificate does not match the website's hostname. An SSL certificate needs to be issued in your name (your own domain), not the name of another entity.
Other Security Issues With Websites:-
- Username and login name visibility.
- Some have blacklisted IP addresses.
The entities that manage the websites tell clients “it is not a problem”. IT IS A PROBLEM: aside from Google Chrome’s security improvements from October, the GDPR (next May) will bring with it the aforementioned penalties.
- User Enumeration: attackers are able to discover usernames and login names through passive, publicly available scans of a website.
- Attack Vulnerability: many websites are vulnerable to ‘Poodle’ and other downgrade attacks, which in essence ask your server to fall back to an older, weaker security protocol (SSL 3.0 in Poodle's case), and the server agrees.
- For WordPress websites it is imperative to update versions and plugins to keep them secure. WordPress websites that are built and then not maintained are a major concern and are left exposed.
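The two certificate and protocol problems above (a certificate in the wrong name, and a server or client that will agree to a protocol downgrade) can both be checked programmatically. The script below is an added example written for this post, not code from the original article or from any tool it mentions. It uses only Python's standard ssl module; the two certificate dictionaries are constructed sample data shaped like what ssl.SSLSocket.getpeercert() returns, and the function names are this example's own.

```python
"""Added example: (1) does a certificate actually name this website, and
(2) does a TLS client configuration still permit a downgrade below TLS 1.2
(the class of weakness behind POODLE)?  Standard library only."""
import ssl

# --- (1) Certificate in the WRONG name ------------------------------------
# Constructed samples, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT_RIGHT_NAME = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SAMPLE_CERT_WRONG_NAME = {  # issued to a hosting provider, not to the site
    "subject": ((("commonName", "shared-host.invalid"),),),
    "subjectAltName": (("DNS", "shared-host.invalid"),),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, RFC 6125 style:
    a single '*' is only allowed as the whole leftmost label, so
    '*.example.com' covers 'www.example.com' but not 'example.com'
    or 'a.b.example.com'.  Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName (or, when the cert has no SAN at all,
    the subject commonName) matches the hostname the visitor typed."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback only when no SAN is present
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return any(_name_matches(name, hostname) for name in names)


# --- (2) Refusing protocol downgrades ---------------------------------------
def weak_client_context() -> ssl.SSLContext:
    """The kind of 'make the error go away' configuration that leaves a
    client open to downgrade: verification off and any protocol allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the chain and the hostname, and will not negotiate anything
    below TLS 1.2, so a fallback to SSL 3.0 / TLS 1.0 / TLS 1.1 cannot
    happen no matter what the other side offers."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context is sound."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol downgrade below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid certificate chain")
    if not ctx.check_hostname:
        findings.append("does not check that the certificate names the host")
    return findings


if __name__ == "__main__":
    for label, cert in (("right", SAMPLE_CERT_RIGHT_NAME), ("wrong", SAMPLE_CERT_WRONG_NAME)):
        print(label, "name cert matches www.example.com:", cert_matches_host(cert, "www.example.com"))
    print("weak context findings:", audit_context(weak_client_context()))
    print("hardened context findings:", audit_context(hardened_client_context()))
```

The certificate check is the same rule a browser applies when it decides whether to show the padlock: the name the visitor typed must appear in the certificate's DNS subjectAltName list, so a certificate issued to a hosting provider or to a different domain fails for every visitor. The context audit is the mirror image on the client side; the same three properties (minimum protocol version, chain verification, hostname check) are what a server-side configuration review should look for too.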
During security testing, numerous websites have shown awful performance statistics, and some are still not even mobile responsive. Around 60% of websites tested need some performance tweaking. If you have spent money on making your website secure and you invest in PPC or SEO, it is almost meaningless if your website does not perform.
Creative/design agencies deal with design. They tend to have limited experience of performance or security issues. We work with some of the blue-chip Ipswich and London agencies so that we can make their well-designed websites secure and speedy. A beautiful design on its own does not drive traffic!
Lastly, you can check haveibeenpwned.com/ to see if your email address has been ‘pwned’ in any breaches.
In summary, it is now the time to secure your website by getting it locked down. The 17th October could be a challenging date for many businesses if their potential clients are deterred from submitting enquiries due to forms on the website stating ‘Not Secure’.
Security is one of our main focus areas. We are happy to advise if you need urgent help.