Our web security guru Steve has been getting very excited about a new website called TLS Report. It's already a big hit amongst web administrators, and now we think it's time to share it with our blog readers too!
TLS Report tests the security of supposedly secure web services and gives each one a grade and a score. The kind of security it tests is cryptographic: basically, how hard it would be for an eavesdropper to get hold of confidential information passing between your web browser and a website. That's different from other kinds of security, like not using the same password everywhere and not telling everyone that you collect diamonds as a hobby, but it is the basis for secure web services: it is what lets you know that the website on the other end is the real deal, and that nobody in between you and the website can read what you're saying to each other.
TLS is actually the name of a protocol (Transport Layer Security) which browsers use to set up secure connections to websites. The first part of the protocol's job is to check that the website is really who it claims to be, and not a fraudulent phishing site (what's phishing?). This is done by checking the site's certificate. To properly understand certificates you need to understand something about how public key cryptography works, but basically they are digitally signed documents from organisations your browser is already set up to trust (certificate authorities) saying "I have checked this website, and I say you can trust it too". If the signature checks out, the certificate is for the name you typed in, and it hasn't expired, your browser can be sure this site is who it says it is. Certificates are only valid for a limited time, so it is good practice to renew them well before they expire.
The next part of the protocol lets your browser and the secure website's server agree what kind of security to use: specifically, which cryptographic cipher to use (what's a cipher?) and how to exchange keys (what's a key?). The browser offers a list of what it supports and the server picks from it, so what matters is what each side is willing to accept. Most browsers support a variety of different ciphers and key exchange mechanisms, often including old and out-of-date ones which are no longer considered secure. A properly secured website shouldn't offer these antiquated methods at all: if both sides still support a weak option, an attacker who can interfere with the connection may be able to push them down to it.
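To make the "don't offer antiquated methods" advice concrete, here is an added example (it isn't part of the original post, and it isn't TLS Report's own code) using nothing but Python's standard ssl module. It builds a deliberately permissive server configuration beside a hardened one, then runs a small name-based check over the cipher suites each one actually offers, in the spirit of what a scanner like TLS Report does. The list of weak markers and the hardened cipher string are my own choices for the example, not TLS Report's published criteria, and exactly which suites show up depends on the OpenSSL build Python is linked against.

```python
import ssl

# Substrings in OpenSSL cipher-suite names that mark the "antiquated methods"
# a server should no longer offer: RC4, DES and 3DES, export-grade suites,
# NULL encryption, MD5-based MACs, and anonymous (unauthenticated) key exchange.
# Constructed for this example; a real scanner has a longer, more nuanced list.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def is_weak_suite(name):
    """True if the suite name carries one of the WEAK_MARKERS."""
    return any(marker in name.upper() for marker in WEAK_MARKERS)


def lacks_forward_secrecy(name):
    """True for pre-1.3 suites whose key exchange is not ephemeral (plain RSA,
    static DH/ECDH, PSK): a recording of the session can be decrypted later
    if the server's private key ever leaks. TLS 1.3 suites (named TLS_...)
    always use ephemeral key exchange, so they pass."""
    if name.startswith("TLS_"):
        return False
    return not name.startswith(("ECDHE-", "DHE-"))


def offers_old_protocols(ctx):
    """True if the context will still negotiate anything below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def problems(ctx):
    """List (suite, reason) for every offered suite a scanner would mark down."""
    found = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if is_weak_suite(name):
            found.append((name, "weak cipher or MAC"))
        elif lacks_forward_secrecy(name):
            found.append((name, "no forward secrecy"))
    return found


def permissive_server_context():
    """The 'before': every suite OpenSSL will enable, at any TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context():
    """The 'after': TLS 1.2 or later only, and only AEAD ciphers with
    ephemeral key exchange. This cipher string is one reasonable choice
    for the example, not TLS Report's published criteria."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        print(f"{label}: {len(ctx.get_ciphers())} suites offered, "
              f"still accepts pre-1.2 protocols: {offers_old_protocols(ctx)}")
        for name, reason in problems(ctx):
            print(f"  {name}: {reason}")
```

Run it and the permissive context prints a long list of suites with plain RSA key exchange (and, on older OpenSSL builds, RC4 and 3DES), while the hardened one prints none. If you want to see what a live site actually negotiates rather than trusting a third-party scanner, `openssl s_client -connect host:443` reports the protocol version and cipher suite the server chose.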
TLS Report checks the freshness and security of a site's certificate, how up to date its ciphers and key exchange mechanisms are, whether the version of the TLS protocol itself is up to date, and whether the site meets the minimum requirements of some payments-related security standards. Then it gives the site a score.
Secure.alertme.com, where Alertme customers log in to their systems, ranks joint 3rd in the roll of honour with a grade A and a score of 82. Shop.alertme.com does equally well.
Is that good? Yes it is! Compare our score with some online banking websites:
- LloydsTSB (online.lloydstsb.co.uk): grade B, score 78
- HSBC (www.hsbc.co.uk): grade C, score 64
- Barclays (ibank.barclays.co.uk): grade C, score 67
- Natwest (www.nwolb.com): grade C, score 61
- RBS (www.rbs.co.uk): grade D, score 54
There's some debate as to how TLS Report awards its grades, and the banks are sure to improve - that's really the point of TLS Report - but congratulations to Steve and his team!