A majority of the top 1 million websites earn an “F” letter grade when it comes to adopting defensive security technology that protect visitors from XSS vulnerabilities, man-in-the-middle attacks, and cookie hijacking.
The failing grades come from a comprehensive analysis published this week by the Mozilla Foundation using its Mozilla Observatory tool. According to a scan of Alexa ranked top 1 million websites, a paltry 0.013 percent of sites received an “A+” grade compared to 93.45 percent earning an “F”.
The Observatory tool, launched last year, tests websites and grades their defensive posture based on 13 security-related features ranging from the use of encryption (HTTPS), exposure to XSS attacks based on the use of X-XSS-Protection (XXSSP) and use of Public Key Pinning which prevents a site’s use of fraudulent certificates.
The silver-lining to the bad grades is that in the year since the Observatory tool began grading sites, security has improved. Compared to scans conducted between April 2016 and June 2017 the percentage of sites earning a “B” have jumped 142 percent and those earning a “C” have increased 90 percent.
“It’s very hard if you’re just someone running a website to make it secure,” said April King, staff security engineer at Mozilla and developer of the Observatory tool. “There are so many different security standards. The documentation for those standards are scattered all over the place. There are not a lot of single resources that are telling you straight-up what you need to do.”
King said she is encouraged at the pace of improvement when it comes to specific defensive tools. For example, the percentage of sites that support HTTPS has grown 36 percent in the past year. “The number might seem small, but it represents over 119,000 top websites,” she told Threatpost.
Other security wins include a 125 percent increase in the number of sites that have adopted Content Security Policy (CSP), a browser feature that fends off Cross Site Scripting (XSS) and data injection attacks. Another win has been a 117 percent increase in adoption of Subresource Integrity (SRI), a verification feature that ensures when a browser fetches resources from third parties, such as a content delivery network, the content is not manipulated in transit.
However, despite triple-digit growth in both CSP and SRI adoption, still less than one percent of sites still have adopted these security features.
King concedes that achieving a secure website configuration, using all the available technologies developed in recent years by browser makers, is not easy.
“I’m extremely optimistic. With tools that are free and easy to use, like Observatory, we can begin to see a common framework for building websites. This type of tool is pushing awareness back into the tool chain and making it very easy for people to implement,” King said.
King likens Observatory to Qualys SSL Labs’ SSL Server Test, a free tool that analyses the configuration of SSL web servers. Observatory goes way beyond checking a website’s TLS implementation and checks for 13 different web security mechanisms. The scoring system is based on a 0 to 100 point scheme. Scores don’t just check for the presence of any given technology, but the correct implementation as well.
Observatory is a tough grader, King said, because it’s designed to be a teaching tool to help administrators across the industry “become aware of the myriad technologies that standard bodies and browser companies have designed and implemented to improve the safety of the internet’s citizens.”
“The fact that so many new sites have started using these technologies recently is a strong sign that we are beginning to succeed in that mission,” she said.