SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
It's time to pick up the pace on HTTPS encryption, survey finds
Tue, 30th May 2017
FYI, this story is more than a year old

Less than half of internet sites support HTTPS, despite it being a 'must have' for all businesses, according to a new report from web optimisation provider SEMrush.

The company conducted data on 100,000 anonymous websites and 45% of them supported HTTPS. While the sample was small, many of them supposedly used the secure protocol.

9% of those websites still had insecure pages with password input fields - even though Google requires that any website that collects passwords should be encrypted.

The company says that even minor errors in HTTPS implementation can cost them in user security factors and Google attention.

Last year Google announced that as of January this year, Chrome started marking HTTP pages that collected passwords or credit cards as non-secure, as part of an effort to mark all HTTP sites as non-secure.

That implementation can come down to using mixed content, which means that browsers will warn users about loading insecure content, which can impact the user experience and user confidence. 50% of all analysed websites fell into that trap.

The company also found that 50% of websites that were moving to HTTPS still included errors through internal links to HTTP pages.

8% of analysed websites had an HTTP homepage that didn't match its HTTPS version. While this isn't much of a problem for those websites that support HSTS, those that don't could find that they encounter page competition, traffic loss and poor placement.

At the certificate level, 2% had expired SSL (Secure Socket Layer) certificate, and 6% of websites had a certificate registered to the wrong name. SSL certificates are used to make sure a connection between browser and server is secure, and also stops information from being stolen.

It's out with the old, as 3.6% of websites had an old security protocol, and SNI-related errors accounted for 0.56% of websites.

And it's in with the new: The study found that 86% of analysed websites didn't support HSTS (HTTP Strict Transport Security), although the technology is relatively new.