The Malta Independent on Sunday

Maltapark trumps most banks, eGovernment gets an F

How secure is a secure website?

- John Cordina

Anyone who has ever shopped online, used internet banking or simply used social networking websites may have noticed a little padlock icon next to the site’s URL, or the https:// prefix highlighting that the website is secure. But not all secure websites offer the same protection.

What the ‘https’ means is that the HTTP protocol, which browsers and web servers use to exchange pages, is carried over an encrypted and authenticated layer: traditionally the Secure Sockets Layer (SSL), which has since been superseded by the Transport Layer Security (TLS) protocol. The padlock therefore says that the connection is encrypted and that the server presented a certificate for its name; it says nothing about how well that encryption is configured.

As the shift from SSL to TLS suggests, securing communicat­ion online requires continuous updates: the discovery of flaws that can be exploited by hackers can make short work of a system that was previously considered secure. When the existence of the Heartbleed security bug was disclosed in April 2014, for instance, it was estimated that 17 per cent of the internet’s certified secure web servers were vulnerable to attack.

With this in mind, The Malta Independent on Sunday has measured up various Maltese secure sites, as well as a number of their foreign counterparts for good measure, using an online test that determines the robustness of secure websites.

The test used can be found on ssllabs.com, and is run by US-based Qualys, one of the leading companies in the field of network security, whose client base includes many of the world’s largest companies.

The results, as it happens, produced a number of surprises.

Running the test

The test scores a secure website in four areas, its certificate, protocol support, key exchange and cipher strength, each out of a maximum of 100, and also gives the site an overall grade ranging from A+ to F.

This overall grade does not necessarily reflect the average score, as the grade may be capped or reduced if certain weaknesses are found, or even upgraded as the result of certain security features, in which case an explanation is provided.

Drawing up a comprehensive list of Maltese-based secure sites is perhaps unfeasible, so TMIS ended up testing five banks with internet banking facilities, five gaming websites, three telecom companies, two online selling platforms, two government websites, Air Malta and MaltaPost.

Fourteen international websites were also tested to provide some context to the performance of Maltese websites.

None of the Maltese websites tested achieved an A+ grade, while three of the international websites did. These three are social networking site Twitter, crowdfunding site Kickstarter and, perhaps unsurprisingly, ssllabs.com itself. But not even ssllabs.com achieved a perfect score: it received an average score of 93.75, as did the other A+ websites.

B is for banks, except for Banif

The best-performing Maltese website was the internet banking service of Banif Bank (Malta), which received an A grade and an average score of 94.25, the highest overall score among all the websites tested.

Apart from Banif, the internet banking platforms of four other local banks tested – APS, BOV, HSBC and Lombard – all received a B grade. Curiously, BOV’s website actually received an A- grade, with an average score of 93.75, but its internet banking platform received a lower grade.

What is more, all four B-grade banks were bested by a far more modest local operation: the online selling platform Maltapark.com. The website can claim to be one of Malta’s most secure websites, with an A grade and an average score of 91.25, an identical score to that received by Amazon.com.

The local gaming companies tested all received a B grade, with the exception of Unibet, which has asked ssllabs.com not to test its site. UK-based online betting company bet365 similarly earned itself a B.

Malta’s telecom suppliers – Go, Melita and Vodafone Malta – all received a B grade, with Vodafone earning an average score of 93.75 while its competitors received an average score of 85.

Air Malta also received a B grade, with an average score of 93.75, comparing favourably with direct competitor Ryanair, which received a B grade and an average score of 87.5.

F is for eGovernment

But while a respectable B appeared to be the most common grade for Maltese websites, not every website made the cut, with three receiving an F due to a weakness that Qualys deemed to be critical, even though their average score was actually 70.

Two of them are government websites: gov.mt itself and the eGovernment portal, mygov.mt, which were deemed to be vulnerable to man-in-the-middle (MITM) attacks. In MITM attacks, attackers secretly relay – and possibly alter – communication between two parties who believe that they are directly communicating with each other.

MaltaPost’s own website also received an F, but for a different reason: its server still supports the outdated SSL 2 protocol, which was defined in 1995 and superseded by SSL 3 a year later, and which Qualys deems “obsolete and insecure”.

Compatibility concerns keep grades down

It is easy to suggest that working towards an A+ grade is the ideal scenario, but this may not be the most practical solution for commercial companies.

In most cases, in fact, companies were denied an A grade or higher because of their use of older standards, which ensure compatibil­ity with clients using older software.

Companies that received a B grade tended to fall into three categories. Some were capped at a B because their servers still support the SSL 3 protocol. Others were capped at a B for not yet supporting the newest protocol, TLS 1.2, or for still accepting the weak RC4 cipher; both choices are usually made to keep older clients working.
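To make the difference between the average score and the overall grade concrete, here is an added example, written for this piece and not code from Qualys or SSL Labs. It applies the caps described above (SSL 2 means an F outright; SSL 3, RC4 or a missing TLS 1.2 cap the grade at B) to constructed scan results, and includes a live check for TLS 1.2 support using Python’s standard ssl module. The category scores and server capabilities in SAMPLES are made up for illustration, and the thresholds that turn an average into a letter are an assumption, not Qualys’s published formula.

```python
"""Added example: an SSL Labs-style grader that keeps the numeric average
separate from the overall grade, plus a live TLS 1.2 probe.

Illustrative code for this article, not Qualys's grading code. SAMPLES are
constructed data; THRESHOLDS are an assumption. The caps (SSL 2 -> F,
SSL 3 / RC4 / no TLS 1.2 -> capped at B) follow the article's description.
"""
from dataclasses import dataclass, field
import socket
import ssl


@dataclass
class ScanResult:
    host: str
    certificate: int          # the four category scores, 0-100 each
    protocol_support: int
    key_exchange: int
    cipher_strength: int
    protocols: set = field(default_factory=set)   # e.g. {"SSL 3", "TLS 1.2"}
    ciphers: set = field(default_factory=set)     # suite names the server offers

    def average(self) -> float:
        """Simple average of the four scores, as quoted in the article."""
        return (self.certificate + self.protocol_support
                + self.key_exchange + self.cipher_strength) / 4


# Weakest to strongest, so a cap can be applied with min().
GRADE_ORDER = ["F", "E", "D", "C", "B", "A-", "A", "A+"]

# Assumed score floors for each letter (illustration only).
THRESHOLDS = [(80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E")]


def base_grade(average: float) -> str:
    for floor, letter in THRESHOLDS:
        if average >= floor:
            return letter
    return "F"


def cap(grade_letter: str, ceiling: str) -> str:
    """Lower a grade to the ceiling if it is currently higher."""
    return min(grade_letter, ceiling, key=GRADE_ORDER.index)


def grade(result: ScanResult):
    """Return (average, overall grade, reasons the grade was capped)."""
    overall = base_grade(result.average())
    reasons = []
    if "SSL 2" in result.protocols:
        overall = "F"
        reasons.append("SSL 2 supported: obsolete and insecure, F regardless of score")
    if "SSL 3" in result.protocols:
        overall = cap(overall, "B")
        reasons.append("SSL 3 supported: capped at B")
    if any("RC4" in suite for suite in result.ciphers):
        overall = cap(overall, "B")
        reasons.append("RC4 cipher accepted: capped at B")
    if "TLS 1.2" not in result.protocols:
        overall = cap(overall, "B")
        reasons.append("TLS 1.2 not supported: capped at B")
    return result.average(), overall, reasons


def supports_tls12(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check: does the server complete a handshake restricted to TLS 1.2?
    Needs network access. Current OpenSSL builds cannot speak SSL 2 or SSL 3,
    so those protocols cannot be probed this way."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.2"
    except (ssl.SSLError, OSError):
        return False


# Constructed sample scans (hypothetical hosts, made-up scores).
SAMPLES = [
    ScanResult("legacy.example", 100, 40, 70, 70,
               {"SSL 2", "SSL 3", "TLS 1.0"}, {"RC4-SHA", "AES128-SHA"}),
    ScanResult("bank.example", 100, 95, 90, 90,
               {"SSL 3", "TLS 1.0", "TLS 1.2"}, {"AES128-GCM-SHA256", "RC4-SHA"}),
    ScanResult("shop.example", 100, 95, 90, 92,
               {"TLS 1.0", "TLS 1.1", "TLS 1.2"}, {"ECDHE-RSA-AES128-GCM-SHA256"}),
]


if __name__ == "__main__":
    for scan in SAMPLES:
        avg, letter, why = grade(scan)
        print(f"{scan.host:16s} average {avg:6.2f}  grade {letter}")
        for line in why:
            print("    -", line)
```

Running the file prints one line per sample: the first averages 70 but gets an F, the second averages 93.75 and still gets a B, which is the pattern seen in the results above. supports_tls12() needs network access and, because current OpenSSL builds no longer speak SSL 2 or SSL 3, it cannot detect those; a complete check still needs a scanner such as ssllabs.com. On the server side the fix is the mirror image of the caps: disable SSL 2 and SSL 3, drop the RC4 suites and enable TLS 1.2 in the web server’s TLS configuration.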

And many of these concerns do not affect users who use newer software, which automatically negotiates the latest – and more secure – standards and refuses the older ones.

So for the vast majority of users, those whose browsers refuse the old protocols, most websites – even MaltaPost’s own – are in practice as secure as “A” websites. SSL 2, for instance, has been disabled in most browsers that have come out in the past eight years or so.

That said, of course, keeping a website secure is an ongoing struggle: all it takes is the discovery of an exploit to turn an A into an F.
