Why do all websites need security? Online security is deeply entrenched in most regular web users’ psyche. We’re all aware that online scams happen, we’ve all received emails from the nephew of the King of Nigeria who wants to offload $500,000,000 into our current accounts and we all know that our data is being monitored and harvested for marketing and security purposes. We’re a suspicious and wary bunch, and so we should be. Automated technology is open to abuse from ne’er-do-wells so we do have a responsibility to make sure our online activities are safe and secure.
However, businesses, organisations and web developers also have a responsibility to protect us online and ensure the resources they provide are going to protect our personal data from theft and abuse.
An article on the BBC website on 24th July 2018 reported on the findings of Troy Hunt that some high-profile global websites have still not secured their websites with an SSL certificate. For those who don’t know, an SSL certificate lets a site encrypt any data that a web user may enter into a web page, such as login details, so it can’t be stolen by hackers on its way to the site. You can recognise a site secured with an SSL as the URL begins with https://.
Troy Hunt found that some of the UK’s leading websites do not have this basic level of security including, at the time of writing (27th July 2018), some top-level educational institutions such as Oxford University, Imperial College, LSE and Manchester Uni. More worryingly, at first sight, websites for tech companies such as Vodafone, Virgin Media and Three are also not protected by SSLs. Similarly, William Hill is not fully secure.
The BBC article was, in fact, prompted by Google Chrome’s latest update, which flags sites as ‘Not secure’ if no SSL is present on the site. However, the article is a little misleading. While earmarking Argos and Sky Sports as culprits for being ‘Not secure’, Troy Hunt’s website Why No HTTPS? lists websites that load insecurely, which is different to ‘being insecure’. Most websites tend to load on the home page, and it’s correct that the sites listed are not loading over an encrypted connection, but it’s also correct that these pages don’t require users to enter any personal information. If you visit Topshop or New Look there are no SSLs on the home pages or product pages, but if you fill your basket with shopping and go through the checkout process, you will then see the familiar little green padlock that indicates your personal data is being encrypted.
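To make the difference between "loads insecurely" and "collects data insecurely" concrete, here is a small audit script added as an illustration; it is not taken from the BBC article or from Why No HTTPS?. The `shop.example` pages and the field-name heuristics are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE_TYPES = {"password", "email", "tel"}          # assumed heuristic
SENSITIVE_NAMES = ("card", "cvv", "password", "email")  # assumed heuristic

class FormAudit(HTMLParser):
    """Record each form's resolved action URL and whether it asks for personal data."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []      # entries are [action_url, has_sensitive_input]
        self._open = None    # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page's own URL.
            self._open = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            kind = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if kind in SENSITIVE_TYPES or any(k in name for k in SENSITIVE_NAMES):
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def classify(page_url, html):
    """Return 'encrypted', 'loads-insecurely' or 'collects-data-insecurely'."""
    parser = FormAudit(page_url)
    parser.feed(html)
    page_plain = urlparse(page_url).scheme == "http"
    for action, sensitive in parser.forms:
        # A sensitive form on an HTTP page is flagged even if it posts to HTTPS,
        # because the page carrying the form was itself not protected in transit.
        if sensitive and (page_plain or urlparse(action).scheme == "http"):
            return "collects-data-insecurely"
    return "loads-insecurely" if page_plain else "encrypted"

# Constructed sample pages: an HTTP home page with a search box, an HTTPS checkout,
# and an HTTP login page whose form posts to HTTPS.
PAGES = {
    "http://shop.example/": '<h1>Sale</h1><form action="/search"><input type="text" name="q"></form>',
    "https://shop.example/checkout": '<form action="/pay" method="post"><input name="card_number"></form>',
    "http://shop.example/login": '<form action="https://shop.example/session"><input type="password" name="pw"></form>',
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        print(f"{classify(url, html):26} {url}")
```

The home page in the sample falls into the "loads insecurely" group described above, while the login page shows the case that matters more: personal data requested on a page that was not delivered over HTTPS.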
This is the way things used to be done. There was no requirement to have encrypted protection on pages that just gave information; only pages where personal or credit card details were entered by users needed an SSL. What may have occurred here is that a number of companies may not have updated some elements of their websites since GDPR kicked in at the end of May. One of the requirements was that all pages on websites should be protected by an SSL. Apart from the obvious security reasons, it’s also about customer confidence. Big brands that do not provide site-wide encryption are at risk of causing consternation amongst online customers. Besides, adding an SSL is a pretty easy thing to do.
I imagine that all of the listed sites will eventually get round to updating their websites, but there may be a way to go. Troy obtained his data from a security associate, Scott Helme, and by his reckoning, as of January 2018, only 40% of the top one million websites globally have applied encryption.
To conclude, another high-profile website found guilty is The Daily Mail’s web-based offering, the Mail Online. I’m more worried about the histrionic hyperbolic content of the site than having my personal data stolen. 😉