After BA Hack, We Need To Improve Web Security

How can it happen that hundreds of thousands of people could have had their credit card details breached? The word is that it was due to a compromise in the Web/App code. This should not happen at this scale. Recently the Web pages of the ICO were found to be running crypto mining software, as a third-party JavaScript application had been breached.

So how does a company overcome the risk of cross-site scripting or certificate hijacking on its Web sites? … Implement CSP and X-headers. Luckily Scott Helme provides a web site which scans for CSP and X-headers, and ba.com gets a D grade:

Improving Web security

Overall, the Web relies on the same-origin policy, where a script contained in one origin is only permitted to access data within that origin, so each origin is isolated from the others. Unfortunately, this is overly restrictive for developers, and attackers use well-known tricks to inject malicious code from other domains anyway. Many media sites, too, use content and scripts from other sites and would struggle with a policy that restricted them to their own site.

The integration of code from other sites can lead to cross-site scripting (XSS) attacks, as the code within the Web page is often fully trusted. Within CSP we thus have a number of methods that protect against XSS. CSP supports multiple policies for a resource, delivered either in a Content-Security-Policy header or within the <meta> element, such as:

Content-Security-Policy: default-src https:
<meta http-equiv="Content-Security-Policy" content="default-src https:">
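To see what a policy like the one above does and does not cover, here is an added checker (example code, not from the post or from the paper) that parses a Content-Security-Policy value and flags source lists that would still let injected script run, alongside presence checks for the other headers the post discusses. The weakness rules and the sample headers are my own constructions, not the paper's scoring system.

```python
# Added example: audit the response headers discussed in the post (CSP, HSTS,
# HPKP, X-Frame-Options). The "weak CSP" rules below are this example's own
# assumptions, not the paper's grading scheme.
from typing import Dict, List


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(policy: str) -> List[str]:
    """Return weaknesses that let injected script execute despite a CSP."""
    d = parse_csp(policy)
    findings: List[str] = []
    # script-src governs scripts; if absent, default-src applies.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    # CSP ignores 'unsafe-inline' when a nonce or hash is also present.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("'unsafe-inline' allows injected inline scripts")
    if "*" in script or any(s in ("http:", "https:") for s in script):
        findings.append("scheme/wildcard source allows scripts from any host")
    if "object-src" not in d and "default-src" not in d:
        findings.append("object-src unset: plugins can load scripts")
    return findings


def audit_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Presence checks for HSTS, HPKP and XFO, plus CSP findings."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    return {
        "hsts": "strict-transport-security" in h,
        "hpkp": "public-key-pins" in h,
        "xfo": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "csp_present": csp is not None,
        "csp_findings": csp_findings(csp) if csp is not None else [],
    }


# Constructed sample headers (not captured from ba.com or any real site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src https:; script-src 'self' 'unsafe-inline' https://cdn.example",
}

if __name__ == "__main__":
    for key, value in audit_headers(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that the post's own `default-src https:` example is flagged: a bare scheme source permits script from any HTTPS host, so it does little against XSS on its own.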

We are extremely lucky to collaborate with some really smart people, and two we love working with are Prof Alan Woodward and Scott Helme. Over the past year, with the help of Scott, we have been scanning the top one million sites on the Internet, and discovered their adoption of enhanced security for their Web sites.

Here is a research paper on the subject [here].

With the increase in the number of threats within Web-based systems, a more integrated approach is required to ensure the enforcement of security policies from the server to the client. These policies aim to stop man-in-the-middle attacks, code injection, and so on. The paper analyses some of the newest security options used within HTTP responses, and scans the Alexa Top 1 Million sites for their implementation within HTTP responses. These options scanned for include: Content Security Policy (CSP); Public Key Pinning Extension for HTTP (HPKP); HTTP Strict Transport Security (HSTS) and HTTP Header Field X-Frame-Options (XFO), in order to understand the impact that these options have on the most popular Web sites.

In the paper, we have taken the top one million sites (from Alexa.com) and grouped them into groups of 4,000, and we can see that the adoption of the headers generally falls as we move down the rankings (scanned up to Aug 2017):

Perhaps not surprisingly the adoption of Let’s Encrypt certificates increases as we move down the popularity rankings:

For the adoption of the new headers, we still see poor adoption, with CSP rising in adoption, but still less than 2% of all the sites:

HTTPS adoption is, though, rising fast, and sits at nearly 25% of the top one million sites. Certificate public key pinning (PKP) is particularly poorly adopted, with less than 1% of the sites using it. If you try to connect to YouTube on a train, you will see an example of YouTube being blocked, as an intermediate entity has tried to replace the certificate.

In the paper we have developed a scoring system for the adoption, and, at May 2017, the majority of sites gained an F grade:

Grade   % of sites
A+      0.0071%
A       0.1003%
B       0.2318%
C       3.2153%
D       5.6908%
E       8.0063%
F      82.7401%

Conclusions

So the industry has problems with hacking, especially with cross-site scripting. And you give it the solution … CSP and X-Frame headers … but it doesn’t adopt them. Well, Google is on a track to make sure that the industry improves, and will start to mark Web sites as not secure if they are exposed to risks … so you’d better get your CSP and X-headers integrated. And we are on a track to 100% HTTPS, so get that certificate integrated.