Cryptography across industry sectors

Abstract

Security adoption varies across industry sectors: some companies, such as Google, Apple and Microsoft, are strong advocates of HTTPS, while others, especially news sites, show weak adoption. This paper provides a sample analysis of the Top 500 Websites within the Alexa Top 1 Million sites for a range of industry sectors, and analyses their HTTP responses, in particular the cryptography methods used and the usage of Content-Security-Policy. It concludes that the adoption of security is strongest within the Computers industry sector, while it is much weaker within News and Sports. The paper also shows that the most popular method for creating a Secure Socket Layer tunnel is Elliptic Curve Diffie–Hellman with RSA for the key exchange, 256-bit AES GCM for the encryption of the stream and 384-bit SHA for hashing. It does highlight worrying signs of the usage of well-known weak cryptography methods, such as Diffie–Hellman, RC4, MD5 and DES. For the adoption of Let’s Encrypt digital certificates, the paper shows that the industry sector with the most traction is Adult sites, and that adoption is much lower in more business-focused industry areas.
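The per-site classification that a survey of this kind runs, as an added example that is not the paper's own code: it parses an IANA-style cipher suite name (TLS_..._WITH_...) into key exchange, cipher and hash, flags the primitives the abstract names as weak (finite-field Diffie–Hellman, RC4, MD5, DES), checks whether an enforcing Content-Security-Policy header is present, and tallies the results per industry sector. The sample records at the bottom are constructed (hostnames under .test are reserved for examples), and counting every finite-field DHE suite as weak is a conservative assumption, since the suite name does not reveal the group size the server chose.

```python
"""Added example, not code from the paper: the per-site classification a
survey of HTTPS responses runs, and a per-sector tally of the results.
Cipher suite names follow the IANA TLS_..._WITH_... convention; all sample
records at the bottom are constructed, not survey data."""

from collections import defaultdict

# Primitives the abstract names as weak, keyed by the token used in suite names.
WEAK_CIPHERS = {
    "RC4": "RC4 stream cipher",
    "DES": "56-bit DES",
    "3DES": "3DES (64-bit block)",
    "NULL": "no encryption",
}
WEAK_HASHES = {"MD5": "MD5 MAC"}
FINITE_FIELD_DH = {"DH", "DHE"}          # ECDHE is deliberately not in this set
MODES = {"GCM", "CCM", "POLY1305", "CBC"}


def parse_suite(name):
    """Split an IANA suite name into key exchange, authentication, cipher,
    key size, mode and hash. TLS 1.3 suites have no _WITH_ part and name no
    key exchange (it is negotiated separately), so kex and auth are None."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" in body:
        kex_part, cipher_part = body.split("_WITH_", 1)
        kex_tokens = [t for t in kex_part.split("_") if t != "EXPORT"]
        kex = kex_tokens[0]
        auth = kex_tokens[1] if len(kex_tokens) > 1 else kex_tokens[0]
    else:
        kex, auth, cipher_part = None, None, body
    tokens = cipher_part.split("_")
    cipher_tokens, hash_name = tokens[:-1], tokens[-1]
    bits = next((int(t) for t in cipher_tokens if t.isdigit()), None)
    mode = cipher_tokens[-1] if cipher_tokens[-1] in MODES else None
    return {
        "kex": kex, "auth": auth, "cipher": cipher_tokens[0], "bits": bits,
        "mode": mode, "hash": hash_name, "export": "EXPORT" in name,
        # ECDHE/DHE and every TLS 1.3 suite give forward secrecy; static RSA does not.
        "forward_secrecy": kex is None or kex in {"ECDHE", "DHE"},
    }


def weak_findings(name):
    """List the reasons a suite would be counted as weak in the survey."""
    info = parse_suite(name)
    findings = []
    if info["export"]:
        findings.append("export-grade suite")
    if info["auth"] == "anon":
        findings.append("anonymous key exchange: server is not authenticated")
    if info["kex"] in FINITE_FIELD_DH:
        # Counted conservatively (assumption): strength depends on the group
        # size the server chose, which the suite name does not reveal.
        findings.append("finite-field Diffie-Hellman: group size must be checked")
    if info["cipher"] in WEAK_CIPHERS:
        findings.append(WEAK_CIPHERS[info["cipher"]])
    if info["hash"] in WEAK_HASHES:
        findings.append(WEAK_HASHES[info["hash"]])
    return findings


def has_csp(headers):
    """True only for an enforcing Content-Security-Policy header (any case);
    a Report-Only policy blocks nothing, so it is not counted as adoption."""
    return "content-security-policy" in {k.lower() for k in headers}


def summarise(records):
    """records: iterable of (sector, url, cipher_suite_or_None, response_headers).
    Returns per-sector counts of sites, HTTPS, forward secrecy, weak suites and CSP."""
    totals = defaultdict(lambda: {"sites": 0, "https": 0, "forward_secrecy": 0,
                                  "weak": 0, "csp": 0})
    for sector, url, suite, headers in records:
        t = totals[sector]
        t["sites"] += 1
        if url.startswith("https://"):
            t["https"] += 1
        if suite:
            t["forward_secrecy"] += parse_suite(suite)["forward_secrecy"]
            t["weak"] += bool(weak_findings(suite))
        t["csp"] += has_csp(headers)
    return dict(totals)


# Constructed sample records, not survey data.
SAMPLE_RECORDS = [
    ("Computers", "https://a.test/", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
     {"Content-Security-Policy": "default-src 'self'"}),
    ("Computers", "https://b.test/", "TLS_AES_256_GCM_SHA384",
     {"Content-Security-Policy-Report-Only": "default-src 'self'"}),
    ("News", "http://c.test/", None, {}),
    ("News", "https://d.test/", "TLS_RSA_WITH_RC4_128_MD5", {}),
    ("Sports", "https://e.test/", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", {}),
    ("Sports", "https://f.test/", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
     {"content-security-policy": "default-src https:"}),
]

if __name__ == "__main__":
    for sector, counts in sorted(summarise(SAMPLE_RECORDS).items()):
        print(sector, counts)
    print(weak_findings("TLS_RSA_WITH_RC4_128_MD5"))
```

On the constructed sample the News sector comes out with one plaintext site and one RC4/MD5 suite, while the Computers sector has forward secrecy on both sites but only one enforcing CSP, which is the shape of result the abstract reports. A real survey would populate the records from the negotiated suite and response headers of each site rather than from literals.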