We analyzed 2,600+ online shopping domains for SSL misconfigurations. We have good news… and bad news.
Every website should ensure that the communication between its servers and its users is encrypted. This is particularly important for online shopping and e-commerce platforms, which handle sensitive customer information like authentication credentials, credit card numbers, banking data, and other payment details.
And with Black Friday, Cyber Monday, and the holiday shopping season just around the corner, ensuring adequate security and encryption standards is even more essential due to a raging pandemic that placed more shoppers online than ever before.
With that in mind, we at CyberNews decided to see if popular online shops take their encryption hygiene seriously. To do this, our Investigation team analyzed the web servers of 2,620 popular online shopping domains for SSL configuration security, as well as their susceptibility to known vulnerabilities related to the Secure Sockets Layer (SSL) encryption protocol.
We found that even though the absolute majority of online shops follow excellent to good SSL configuration practices in general, almost a third of the web servers we analyzed are susceptible to known SSL vulnerabilities, with the BEAST vulnerability being the most widespread among online shops.
BEAST (short for Browser Exploit Against SSL/TLS) is an attack that allows a threat actor to access the data exchanged between a web server and the user’s web browser. For online shoppers, this would include authentication tokens, payment information, and more. In other words, not something you’d want to hand over to your local cybercriminal.
About this investigation
In order to carry out this investigation, we gathered a list of the top 2,620 online shop domains on Google search. We then tested them for their SSL web server configuration security and their susceptibility to six known high-severity SSL vulnerabilities by using the Qualys SSL Server Test service.
Here are the results.
The good news: Most online shopping servers have good SSL configurations
To assess the SSL server configuration security of the 2,620 domains we collected, we used the SSL Server rating system by Qualys SSL Labs. In short, this rating is calculated by analyzing a web server’s SSL certificate, and then inspecting the server’s configuration for protocol, key exchange, and cipher support. The scores for each are then combined to calculate the final SSL server rating score, which is expressed as a letter grade.
With that in mind, here’s what we found when we analyzed the top 2,620 online shopping domains for their SSL configurations:
As we can see, a whopping 99% of online shopping servers have excellent to good SSL configuration grades. On the other hand, only 27 out of 2,620 servers have what might be considered less than stellar SSL configurations.
Naturally, A+ is what every server owner should aim for.
With that said, grades like A and B don’t raise any tangible security concerns. Fortunately, the bottom three grades, which would indicate actual security issues, make up only about one percent of the grand total.
While such an enviable standard of encryption hygiene in online shopping should be a cause for celebration, the story of our analysis doesn’t end here. After all, it’s 2020, and no barrel of good news comes without its spoonful of… well, less than good news.
The bad news: Online shopping servers susceptible to BEAST, POODLE, and DROWN vulnerabilities
When performing our SSL configuration analysis, we also tested the online shopping servers for six known SSL vulnerabilities, including BEAST, POODLE, and DROWN, which might allow cybercriminals to carry out SSL-based attacks against the online shops and their users.
We decided to test for those vulnerabilities in particular because they are well known, were discovered long ago, and already have patches released for them, which puts the responsibility for the existence of such security holes squarely on the server side.
Unfortunately, it seems that even good SSL server ratings don’t make web servers impervious to certain common vulnerabilities.
Here’s what we discovered when we analyzed the servers of 2,620 shopping domains for known SSL vulnerabilities:
- 29.5% of web servers are vulnerable to the BEAST attack
- 0.6% of web servers are susceptible to the POODLE attack
- 0.08% of web servers have the DROWN vulnerability
Shockingly, almost a third of the web servers we analyzed were susceptible to the BEAST vulnerability, which allows threat actors to steal personal user information, session tokens, and more.
It appears that the BEAST attack is still a threat, which is a phrase we didn’t think we’d be uttering in 2020.
While the attack is at least nine years old, only affects older versions of the SSL and TLS protocols, and is relatively difficult to execute, the prevalence of this vulnerability is nonetheless very alarming. An attacker who identifies a web server that still uses an older TLS version may be able to decrypt and intercept the data exchanged between the server and its users. This means that anyone shopping on a vulnerable server that is being exploited via BEAST can have their payment data and other personal information stolen.
The main reason for this is that many web servers still have the outdated TLS 1.0 protocol enabled, presumably due to misconfigurations.
How can these websites fix the BEAST vulnerability? By simply disabling TLS 1.0.
…Which is something that almost one in three teams responsible for securing those web servers have apparently overlooked.
On the other hand, only 17 out of the 2,620 shopping domains were vulnerable to the POODLE attack. This exploit affects SSLv3 and allows an attacker to read encrypted communication between the server and the client. In the context of online shopping, this means that malicious actors could steal the shoppers’ online payment data, session cookies, personal information, and more.
Our analysis also found that a mere 2 out of the 2,620 shopping domains were susceptible to the DROWN vulnerability that enables the attacker to break server encryption and steal personal data, session cookies, and more.
We also tested the shopping domains for Heartbleed, FREAK, and Debian flaws. Thankfully, none were susceptible to those.
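As an added illustration, not part of the CyberNews study or of the Qualys test itself, the following Python script turns the protocol-version preconditions of the three issues above into a check: it lints an nginx-style ssl_protocols directive (the weak setting that still allows TLS 1.0, next to the corrected directive) and, for a live host, reports which TLS versions the server will still negotiate. The function names, the vulnerability-to-protocol mapping and the sample configuration are constructed for this example.

```python
import re
import socket
import ssl

# Protocol version(s) each legacy issue needs the server to still accept
# (BEAST: CBC ciphers under TLS 1.0/SSLv3; POODLE: SSLv3; DROWN: SSLv2).
LEGACY_EXPOSURE = {"BEAST": {"SSLv3", "TLSv1"}, "POODLE": {"SSLv3"},
                   "DROWN": {"SSLv2"}}
RECOMMENDED = ("TLSv1.2", "TLSv1.3")  # "disable TLS 1.0", applied fully

def assess(enabled):
    """Legacy issues implied by the protocol names a server accepts
    (nginx spelling: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3)."""
    enabled = set(enabled)
    return sorted(n for n, needs in LEGACY_EXPOSURE.items() if enabled & needs)

def lint_nginx(config_text):
    """Enabled versions from the first `ssl_protocols` directive, the issues
    they imply, and the corrected directive to replace it with."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", config_text, re.M)
    enabled = set(m.group(1).split()) if m else set()
    return {"enabled": enabled, "issues": assess(enabled),
            "fix": "ssl_protocols %s;" % " ".join(RECOMMENDED)}

def probe_tls(host, port=443, timeout=5):
    """Live check of which TLS 1.0-1.3 versions a host negotiates. Returns
    name -> 'accepted' | 'refused' | 'unprobeable' (the local OpenSSL may
    refuse to offer TLS 1.0/1.1; SSLv2/SSLv3 cannot be probed this way)."""
    versions = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
    results = {}
    for name, ver in versions.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = ver
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let old versions be offered
        except (ssl.SSLError, ValueError):
            results[name] = "unprobeable"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = "accepted"
        except (ssl.SSLError, OSError):
            results[name] = "refused"
    return results

# Constructed sample: a common misconfiguration that still allows TLS 1.0.
WEAK_NGINX = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
```

A server whose probe_tls result still shows TLSv1 as accepted is in the same position as the 29.5% found above; replacing the directive with the returned fix line removes that exposure.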
Needless to say, finding that so many websites are still vulnerable to such ancient security issues was not on our list of expectations, especially after being so pleasantly surprised by the omnipresent positive SSL configuration grades. This only goes to show that encryption security is still a major blind spot for businesses.
Even with the increasing focus on cybersecurity in recent years, old attacks like the BEAST vulnerability are still a major problem. Sadly, it seems that even good encryption hygiene does not guarantee immunity to known high-severity vulnerabilities, which is a lesson that network administrators should take to heart. Because if nobody does, the upcoming shopping season might not only prove to be the biggest, but also the scariest.