iTnews
Aussie corporate and government websites with poor HTTPS redirects outed

By Staff Writer on Jul 25, 2018 2:08AM

Coincides with release of Chrome 68.

Security researchers Troy Hunt and Scott Helme have published a list of the largest websites by country that are not redirecting HTTP requests to a more secure HTTPS connection.

The list, maintained at WhyNoHTTPS.com, names sites run by the ABC, the Bureau of Meteorology, the AFL, Home Affairs and Immigration among the top local sites that load “over an insecure connection without redirecting to a secure, encrypted connection.”

Apart from government sites, Australian university-run sites also rank poorly in terms of HTTPS implementations.

The creation of the list coincides with Google shipping Chrome 68, which marks all HTTP sites as “not secure”, part of a long-term drive by Google to stamp out unencrypted web connections.

Hunt said in a blog post that he wanted to know which site owners had not heeded months of warnings from Google and others to serve traffic via the more secure HTTPS protocol.

“After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out,” he said.

The site reuses a portion of data collected by Helme on whether top-ranking sites redirect insecure requests (made over HTTP) to the secure HTTPS scheme.

One important thing to note is that WhyNoHTTPS.com also lists sites that redirect insecure requests to HTTPS only some of the time.

Home Affairs’ implementation of HTTPS fell into this category, with the success of the redirect varying user by user.

Hunt said that anomalies in the way different sites redirected insecure requests caused problems for the researchers in determining how to categorise them.

However, they ultimately decided that “if a site isn't doing HTTPS consistently right, then it may end up on the list and if you're responsible for one of those, the best way to get it off the list is to always redirect insecure requests to secure ones under all circumstances.”
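As an added illustration, not code from WhyNoHTTPS.com or from the researchers, the rule above can be applied to redirect chains captured from several probes of the same site; the probe data below is constructed, and the verdict labels are assumptions rather than the list's own categories.

```python
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# One probe is the sequence of (status, Location header) responses seen
# when a client starts from the plain-HTTP URL and follows redirects.
Probe = List[Tuple[int, Optional[str]]]

MAX_HOPS = 10  # guard against redirect loops


def classify_probe(start_url: str, responses: Probe) -> str:
    """Return the scheme on which content was finally served: 'https',
    'http', or 'unterminated' if the chain never settled."""
    url = start_url
    for status, location in responses[:MAX_HOPS]:
        if 300 <= status < 400 and location:
            url = urljoin(url, location)   # resolves relative Locations too
            continue
        # Any non-redirect response means content was served at `url`.
        return "https" if urlsplit(url).scheme == "https" else "http"
    return "unterminated"


def verdict(start_url: str, probes: List[Probe]) -> str:
    """Apply the 'always redirect, under all circumstances' rule across probes."""
    outcomes = {classify_probe(start_url, p) for p in probes}
    if outcomes == {"https"}:
        return "always redirects to HTTPS"
    if "https" in outcomes:
        return "inconsistent redirect: listed"
    return "does not redirect to HTTPS: listed"


# Constructed sample probes for a hypothetical site (not a real domain).
START = "http://example.gov.au/"
REDIRECTS_OK: Probe = [(301, "https://example.gov.au/"), (200, None)]
NO_REDIRECT: Probe = [(200, None)]
HTTP_ONLY_HOP: Probe = [(302, "http://www.example.gov.au/"), (200, None)]
LOOP: Probe = [(302, "/")] * 12

if __name__ == "__main__":
    print(verdict(START, [REDIRECTS_OK, REDIRECTS_OK]))
    print(verdict(START, [REDIRECTS_OK, NO_REDIRECT]))
    print(verdict(START, [HTTP_ONLY_HOP, LOOP]))
```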

Hunt said the intention is to continue to update the WhyNoHTTPS.com list on a regular cadence.

“That's still the plan, but it's not happening yet,” he said.

He hoped the exercise would put pressure on the named sites “to get their HTTPS things in order”.

“I really want to see the ‘reformed’ sites drop off,” he said, adding that the eventual goal is for the only sites still shamed on the list to be poorly ranked ones anyway.

The publishing of the list resulted in a large number of requests from site owners for manual rechecks of their HTTPS implementations.

Hunt said via Twitter that any sites that had been fixed would be recognised when the underlying data is next updated.

Not all Australian government sites were caught out by the Chrome change. Parts of the government had used the Chrome update as an excuse to improve website security practices.

Copyright © iTnews.com.au . All rights reserved.