Over the past few years, Google has gradually improved how Chrome communicates the connection security of HTTP (Hypertext Transfer Protocol) pages by marking some as “not secure.” These pages include all those that have data-entry fields such as a password or credit card field and all HTTP pages visited in Incognito mode.
Now, with the impending release of Chrome 68 in July 2018, Google will mark all HTTP sites, regardless of content or form fields, as NOT SECURE. To avoid losing traffic as well as the reputational damage these messages inflict, organizations need to identify all websites they own using HTTP across their digital footprint and upgrade them to HTTPS (Hypertext Transfer Protocol Secure). Unfortunately, many of these sites exist outside the knowledge of web, marketing, and IT security teams.
This is a significant task for organizations–HTTPS has been around for years but is only now becoming the standard baseline for internet security, so many may be behind. When RiskIQ examined data from ten of our Digital Footprint customers that happen to be large financial institutions, while there was variation in the size of each digital footprint, all ten had noticeable security flaws related to their SSL certificate hygiene.
To get ahead of Chrome 68 in time for its rollout, security teams need to be asking themselves the following questions:
- Where are all of my organization's insecure websites that are using HTTP?
- Where are all of my organization's websites that do not redirect to a URL using HTTPs?
- What websites does my organization have that does not utilize HTTP Strictansport Security (HSTS)?
Traditionally, getting answers to these questions has been challenging, but with the power of internet-scale data from RiskIQ, it no longer has to be. With RiskIQ Digital Footprint, organizations can identify all the offending websites that are utilizing HTTP and change them so that they only use HTTPS.
For current customers using Risk IQ Digital Footprint, the answers to these questions are as easy as copying and pasting these queries into your Digital Footprint Asset Search:
Show all insecure websites:
Status in ("Confirmed") | Type in ("Web Site") | HTTPS in ("No")
Show all insecure websites that do not redirect to a secure web page:
Status = "Confirmed" | Type = "Web Site" | Final URL HTTPS = "No"
Show all insecure websites that do not force a secure connection:
Status in ("Confirmed") | Type in ("Web Site") | Affected Security Policies in ("strict-transport-security") | HTTPS in ("No")
Digital Footprint users can also create an Insight that will be featured on their Insights Dashboard by clicking Save, naming the insight, and choosing “Add to Insights.”
Once you have an accurate picture of your digital footprint, it is far easier to understand and implement mitigation techniques to ensure that all of your external assets, and customers, are protected. This inventory of your assets is also critical for compliance with numerous industry regulations.
If you would like more information about RiskIQ Digital Footprint Enterprise can help you with the rollout of Chrome 68, call us at 888-415-4447 or email us at email@example.com.