After I finished the analysis of SSL/TLS configuration of almost 1400 internet banking portals (see the relevant ISC Diary, a question came to me. Internet banking portals should be among the best secured systems put online, yet not all of them made the mark when it came to encryption used to secure HTTP traffic. Would the situation be even worse for sites which are commonly assumed to lack proper security measures?
Websites with adult content seemed to be the ideal starting place to determine this, so I tried to look for a list of the most popular ones. Contrary to my expectations, I wasn’t able to find any current list with more than “Top 10” or “Top 25” sites, so I turned to Alexa. Among other information, Alexa offers “Top 500 sites” lists for the following categories:
- Adult
- Arts
- Business
- Computers
- Games
- Health
- Home
- Kids and Teens
- News
- Recreation
- Reference
- Regional
- Science
- Shopping
- Society
- Sports
Unfortunately, without a paid account, one may only access first 50 sites of the Top 500 list for each category. Although I originally wanted our sample to be much larger, it was not to be… But the limitation gave me an idea. Since one may access list of the top 50 sites in each category, why not scan all the 50 sites for each of the 16 categories? Of course, with such a small sample size, the results could not be considered anywhere near representative, but they might be interesting nonetheless.
With the plan set, I put it into action on 25 December 2019. I used the same methodology as in the case of the banking portals - I conducted an Nmap scan using the “ssl-enum-ciphers” and “sslv2” scripts which enabled me to determine which SSL/TLS protocols were supported by the servers (except for TLSv1.3) as well as the weakest supported ciphersuite (once again, see the Diary for more details). In the end, the scans managed to gather information about 790 of the 800 domains (the 10 errors were mostly due to second level domains not having an A record set).
In contrast to the case of internet banking portals, none of the servers in the “Top 50” lists supported SSLv2 (which 0.8% of tested internet banking servers did) or supported a ciphersuite marked with an F (as was the case with 0.29% of e-banking servers). So in this regard (and actually several others), even the 50 most visited adult sites were actually better configured than some of the internet banking portals.
Apart from that, the results were a bit of a mixed bag, as you may see from the following table of results. I added the numbers for the internet banking sites as well, so you may judge the resulting grades for yourselves.
| Category | A | C | D | F |
| Business | 78.72 | 17.02 | 4.26 | 0.00 |
| Health | 75.00 | 25.00 | 0.00 | 0.00 |
| Reference | 75.00 | 22.92 | 2.08 | 0.00 |
| Science | 74.42 | 23.26 | 2.33 | 0.00 |
| Kids and Teens | 73.91 | 21.74 | 4.35 | 0.00 |
| Regional | 72.34 | 23.40 | 4.26 | 0.00 |
| Shopping | 72.34 | 25.53 | 2.13 | 0.00 |
| Society | 71.74 | 28.26 | 0.00 | 0.00 |
| Internet Banking | 70.47 | 24.29 | 4.95 | 0.29 |
| Home | 67.35 | 32.65 | 0.00 | 0.00 |
| News | 67.35 | 32.65 | 0.00 | 0.00 |
| Recreation | 66.67 | 31.11 | 2.22 | 0.00 |
| Adult | 63.27 | 34.69 | 2.04 | 0.00 |
| Games | 63.04 | 32.61 | 4.35 | 0.00 |
| Arts | 61.70 | 34.04 | 4.26 | 0.00 |
| Sports | 61.70 | 31.91 | 6.38 | 0.00 |
| Computers | 52.00 | 46.00 | 2.00 | 0.00 |
Besides the marks for different categories, protocol support was interesting as well. As was already mentioned, none of the tested sites supported SSLv2, however one further point that should be mentioned is that on average, more internet banking sites still supported SSLv3 than servers in any of the Alexa categories and less of banking sites supported TLSv1.2 than even the sites in the Adult category. Since the sample sizes varied widely between the analyses, this should be considered more of an interesting observation than anything else, but I think it does merit at least this small remark.
| Category | SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 |
| Computers | 0.00 | 74.00 | 82.00 | 100.00 |
| Adult | 2.00 | 68.00 | 80.00 | 98.00 |
| News | 2.00 | 68.00 | 76.00 | 98.00 |
| Home | 0.00 | 52.00 | 64.00 | 98.00 |
| Sports | 0.00 | 68.75 | 85.42 | 97.92 |
| Internet Banking | 3.49 | 47.64 | 57.75 | 96.65 |
| Reference | 0.00 | 52.00 | 70.00 | 96.00 |
| Arts | 2.04 | 63.27 | 71.43 | 95.92 |
| Society | 2.08 | 47.92 | 58.33 | 95.83 |
| Health | 0.00 | 46.94 | 67.35 | 93.88 |
| Shopping | 0.00 | 36.73 | 63.27 | 93.88 |
| Business | 2.04 | 36.73 | 53.06 | 93.88 |
| Kids and Teens | 0.00 | 56.00 | 78.00 | 92.00 |
| Regional | 0.00 | 56.00 | 78.00 | 92.00 |
| Recreation | 2.04 | 42.86 | 63.27 | 91.84 |
| Games | 2.00 | 66.00 | 82.00 | 90.00 |
| Science | 0.00 | 44.90 | 67.35 | 87.76 |
When it came to vulnerabilities, several servers in Society and Adult categories were found to be vulnerable to POODLE, couple in the Science category still supported the use of RC4 and quite a large number of sites in all categories supported ciphersuites vulnerable to SWEET32.
| Category | SWEET32 | RC4 | POODLE |
| Society | 27.08 | 0.00 | 2.08 |
| Adult | 36.00 | 0.00 | 2.00 |
| Internet Banking | 30.55 | 0.51 | 0.07 |
| Science | 20.41 | 2.04 | 0.00 |
| Computers | 48.00 | 0.00 | 0.00 |
| Sports | 37.50 | 0.00 | 0.00 |
| Arts | 36.73 | 0.00 | 0.00 |
| Games | 34.00 | 0.00 | 0.00 |
| News | 34.00 | 0.00 | 0.00 |
| Home | 32.00 | 0.00 | 0.00 |
| Recreation | 30.61 | 0.00 | 0.00 |
| Shopping | 26.53 | 0.00 | 0.00 |
| Regional | 26.00 | 0.00 | 0.00 |
| Health | 24.49 | 0.00 | 0.00 |
| Kids and Teens | 24.00 | 0.00 | 0.00 |
| Reference | 24.00 | 0.00 | 0.00 |
| Business | 20.41 | 0.00 | 0.00 |
The last thing, which should be mentioned is that on average only 23.54% of the sites from the Alexa’s categories were configured in accordance with the current security best practices (i.e. they only supported TLSv1.2 and possibly TLSv1.3). Percentages for all of the categories tested may be found in the following chart.
