
Creating an encrypted HTTPS website depends on a lot more than simply throwing a digital certificate at it and hoping for the best. In fact, Transport Layer Security (TLS) and HTTPS misconfigurations are now so commonplace that in the 2021 OWASP Top 10, Cryptographic Failures now comes in second place. As old protocols prove to be insecure and new standards emerge, it has never been more important to keep HTTPS configurations up to date.

As this report shows, the issue is not so much the lack of adopting new ciphers and security features but the rate at which old and vulnerable protocols are removed. Attackers know there is a correlation between poor HTTPS configurations and a vulnerable web server. Websites that routinely fail to follow TLS best practices are also found to be running old (and likely vulnerable) web servers.¹ On top of that is the potential use or abuse of web encryption for malicious purposes. Attackers have learned how to use TLS to their advantage in phishing campaigns, governments worldwide seek to subvert encryption to their benefit, and fingerprinting techniques raise questions about the prevalence of malware servers in the top one million sites on the web.

In order to collect the data for this report, we have continued to develop our own TLS scanning tool, Cryptonice, which is now free and open source. Security teams and website operators can use this to evaluate the cryptographic posture of their own sites and even bake it into their DevSecOps workflows for fully automated HTTPS auditing.
