Scoring v3.0 Severity: Low
Factor: Application Security
Summary
The Issue type Site does not enforce HTTPS (domain_missing_https_v2) identifies the HTTP url which are not redirecting to their HTTPS counterpart using server-side redirection (HTTP 30X response status codes).
Description
HTTPS (Hypertext Transfer Protocol Secure) is a secure version of HTTP, the protocol used for transmitting data between a user's web browser and a website's server. It uses encryption and authentication mechanisms to improve the security of data being exchanged.
Risk
Not enforcing HTTPS poses significant dangers to the security and integrity of online communication. Without it, sensitive data exchanged between users and websites is susceptible to the following:
- Interception by malicious actors. This could lead to breaches and unauthorized access.
- Identity spoofing. Attackers impersonate legitimate sites to trick users into providing confidential information.
- Data tampering. This enables attackers to change data or add malicious content.
It can also result in trust issues. Modern browsers warn users about insecure connections that can undermine the credibility of the website. Additionally, search engines penalize non-HTTPS sites, affecting their rankings and visibility, and reducing their ability to compete in online searches.
Recommendation
It's highly recommended to implement HTTPS across all web communications.
- Get an SSL/TLS certificate for the website to enable secure connections.
- Make sure it's properly configured and up-to-date.
- Update all internal and external references to use the "https://" protocol and set up automatic redirects from HTTP to HTTPS to ensure a seamless transition for users.
- Regularly monitor and audit the security configuration to promptly detect and address any vulnerabilities.
- Employ security best practices such as HTTP Strict Transport Security (HSTS).
Additional Information
The severity in Scoring 3.0 is Low. It is based on breach risk and determined by SecurityScorecard based on SecurityScorecard data using ML/AI. See Scoring Methodology Whitepaper
The Age-Out/Decay period is 45 days since the last observation date.
Client Side redirection (using meta refresh, javascript, HSTS) is not an accepted remediation.
Self testing
You may validate the redirection to HTTPS offered by the Final URL using the following 3rd Party tools. All can be used to confront contradictory results. However when comparing results, ensure that the endpoint scanned by each is exactly the same information and matching the SecurityScorecard finding Final URL.
- Using Google Chrome Developper Console:
In the example below, a request to http://radio.garden respond with a HTTP Status code of 200. There is no server redirection, a finding will be raised on the platform.
In the example below, a request to http://securityscorecard.com respond with a HTTP Status code of 301. There is a server redirection, a finding will not be raised on the platform.
- Redirect-Checker https://www.redirect-checker.org/
- WhereGoes https://wheregoes.com/
Warning: You may encounter HTTP 307 Internal Redirect during your testing. Check the Non-Authoritative-Reason which indicates if HSTS is the cause of the redirect to HTTPS. HSTS is a client side redirection and is not accepted as a remediation for Site does not enforce HTTPS findings.
Remediation
SecurityScorecard allows the removal of findings if either of the following is true:
- Endpoint configuration has been changed, redirection to HTTPS endpoint via Server-side redirect (HTTP 30X Status code) is now in place.
=> Select the finding and then click on the "Fixed" button, "technical_remediation". - The endpoint has been closed and therefore not offering any HTTP endpoint.
=> Select the finding and then click on the "Fixed" button, "technical_remediation". - After verification (using the methods above for example), the endpoint defined in the finding does redirect via HTTP 30X in the contrary of what SecurityScorecard is stating.
=> Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue and I think it’s incorrect", "false_positive". -
Bot detection is in place causing the scanner to not detect the redirection.
=> Select the finding and then click on "Other resolutions" --> "I have a compensating control", "compensating_control".
Note: If the server-side redirection to HTTPS cannot be implemented (for example the configuration of the endpoint cannot be changed due to business requirements, the service doesn't provide this feature, this environment separated from the rest of your corporate network), We still require the redirection to HTTPS to be present on all URLs that are available on the Public Internet. We also understand that this might not effect the organization directly, but if bad actors were to succeed in launching a MiTM attack, the client browser can then be served malicious content by manipulating the contents of the page. This can in turn damage an organizations reputation. See Why we require HTTPS for all sites.
In those cases, It is SecurityScorecard policy that the finding remains as-is, and you can add a Public Issue Comment to provide context to anyone following your scorecard. See https://support.securityscorecard.com/hc/en-us/articles/360056396471-Commenting-on-Issues for more information.