19 Jun 2018
We teach our kids not to talk to strangers, something we learned ourselves as children. Even as adults, we use caution and common sense if approached by an unknown person on the street.
But what about on the internet? Are we being equally careful with virtual strangers we meet there? At least initially, every exchange and everything we do online should be considered a ‘stranger’ encounter.
That’s because when we connect online we aren’t speaking face-to-face or stepping into an office, the cues that in the physical world tell us whether we are dealing with a stranger.
But how often, when conducting business with a bank or some other entity’s website, do we confirm who we are dealing with by checking that the site presents a valid TLS certificate?
A website that’s not secured using a TLS certificate might as well be the stranger your child is taught to avoid on the playground. It’s not okay in the real world, and it’s equally unsafe online.
That’s why, whenever we transact online, we need to verify that the server we are communicating with has a certificate issued by a trusted Certification Authority (CA) and that the certificate is valid for the site we intended to visit. Similarly, if we are the organisation, we need to use TLS certificates to clearly identify ourselves and to protect the data transmitted.
Luckily, internet industry players are beginning to realise this and are pushing for stricter rules regarding such trust services. For example, the next version of the Chrome browser (v.68, July 2018) will mark every page loaded over plain HTTP as ‘Not secure’ in the address bar.
That’s good news because a recent study by DarkMatter found a serious lack of web server security. We scanned 180 websites across 11 industries in the UAE and found that almost 50% of these organisations’ main websites were not secured with TLS certificates.
Even in the regulated and heavily targeted banking and finance sector the figure was only slightly better: 60% of main websites were secured with TLS certificates.
The industry is also pushing for TLS certificates with higher assurance levels, Organisation Validated (OV) or Extended Validation (EV), for which the CA also verifies the legal entity operating the web server. A simple Domain Validated (DV) certificate proves only that the applicant controlled the domain name at the time of issuance: it identifies the web server, but says nothing about the organisation behind it.
So, I offer two suggestions:
For individuals … don’t talk to strangers:
– Verify the identity of the website you’re connecting with by checking its TLS certificate: the browser padlock tells you the connection is protected and the certificate matches the site name, and for an OV or EV certificate the certificate’s subject also names the organisation you are communicating with, not just the web server.
– If a website has no valid certificate (plain HTTP, or a browser certificate warning), be careful and never share sensitive information.
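As an added, practical illustration (this is not code from the original post or from DarkMatter): the Python script below, using only the standard library, opens a TLS connection with the default verifying context, so the chain must lead to a CA in the system trust store and the name must match, and then reports whether the certificate names an organisation (OV or EV) or only a domain (DV). The sample certificates and host names in it are constructed, and the EV check is a heuristic on the subject fields required by the CA/Browser Forum EV Guidelines, since the standard library does not expose the certificate policy OIDs that definitively mark EV.

```python
"""Inspect what identity a server's TLS certificate actually asserts.

Added example, not code from the original post. Standard library only.
Certificates are handled in the dict shape returned by
ssl.SSLSocket.getpeercert(); the SAMPLE_* certificates below are
constructed for illustration and describe no real site.
"""
import socket
import ssl
import sys
import time

# Subject attributes that the CA/Browser Forum EV Guidelines require in an
# EV certificate. The definitive EV marker is a policy OID in the Certificate
# Policies extension, which getpeercert() does not expose, so treat this as a
# heuristic, not proof of EV.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def flatten_name(name):
    """Collapse getpeercert()'s ((('key', 'value'),), ...) name into a dict."""
    return {key: value for rdn in name for key, value in rdn}


def san_dns_names(cert):
    """DNS names the certificate is valid for (subjectAltName is what browsers check)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, dns_names):
    """Exact match, or a single-label wildcard such as *.example.com."""
    host = hostname.lower().rstrip(".")
    for pattern in dns_names:
        pat = pattern.lower()
        if pat == host:
            return True
        if pat.startswith("*.") and host.count(".") == pat.count("."):
            if host.split(".", 1)[1] == pat[2:]:
                return True
    return False


def validation_level(cert):
    """DV: domain control only. OV: organisation vetted (O= present).
    EV: OV plus the incorporation details the EV Guidelines require."""
    subject = flatten_name(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"
    if EV_SUBJECT_FIELDS.issubset(subject):
        return "EV"
    return "OV"


def describe(cert, hostname):
    """Summarise who the certificate says you are talking to."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    return {
        "level": validation_level(cert),
        "organisation": subject.get("organizationName"),  # None for a DV cert
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "hostname_matches": hostname_matches(hostname, san_dns_names(cert)),
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < time.time(),
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect with the default context: the chain must validate to a CA in the
    system trust store and the name must match, or ssl.SSLCertVerificationError
    is raised before any application data is sent."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples (not real certificates), in getpeercert() shape.
SAMPLE_DV = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notAfter": "Jun 19 12:00:00 2028 GMT",
}
SAMPLE_OV = {
    "subject": ((("countryName", "AE"),), (("organizationName", "Example Bank PJSC"),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ((("organizationName", "Example OV CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.example"),),
    "notAfter": "Jun 19 12:00:00 2028 GMT",
}
SAMPLE_EV = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "AE"),), (("serialNumber", "CN-0000000"),),
                (("countryName", "AE"),), (("organizationName", "Example Bank PJSC"),),
                (("commonName", "online.examplebank.example"),)),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "subjectAltName": (("DNS", "online.examplebank.example"),),
    "notAfter": "Jun 19 12:00:00 2028 GMT",
}

if __name__ == "__main__":
    for label, cert, host in (("DV", SAMPLE_DV, "www.shop.example"),
                              ("OV", SAMPLE_OV, "www.examplebank.example"),
                              ("EV", SAMPLE_EV, "online.examplebank.example")):
        print(label, describe(cert, host))
    if len(sys.argv) > 1:  # e.g. python check_cert.py www.example.com
        print(sys.argv[1], describe(fetch_peer_cert(sys.argv[1]), sys.argv[1]))
```

Run with no arguments to see the three constructed samples classified; pass a host name to inspect a live site. Note what the padlock alone does not tell you: a DV certificate gives `organisation: None`, which is exactly the case the post warns about, a protected connection to a server whose operator nobody has vetted.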
For companies, governments and other entities … don’t be the stranger:
– Deploy a TLS certificate for your website so users can confidently identify it and your organisation.
– Make sure to enrol for a TLS certificate from a publicly trusted CA, i.e. one whose root certificates ship in the major browsers and operating systems, so that visitors see no warning.
– Use Organisation Validated or Extended Validation TLS certificates.
– Use TLS on every page, not just login and payment forms, to protect your traffic against eavesdropping and tampering in transit.
About the author
Mats Rosberg is Senior Manager (Trust Services) at DarkMatter.