Most visited adult sites actually beat some e-banking portals when it comes to encryption

01-01-2020 / In categories News, 2019

Alexa, Bank, SSL, TLS

After I finished the analysis of the SSL/TLS configuration of almost 1400 internet banking portals (see the relevant ISC Diary), a question came to me. Internet banking portals should be among the best-secured systems put online, yet not all of them made the mark when it came to the encryption used to secure HTTP traffic. Would the situation be even worse for sites which are commonly assumed to lack proper security measures?

Websites with adult content seemed to be the ideal starting place to determine this, so I tried to look for a list of the most popular ones. Contrary to my expectations, I wasn’t able to find any current list with more than “Top 10” or “Top 25” sites, so I turned to Alexa. Among other information, Alexa offers “Top 500 sites” lists for the following categories:

Unfortunately, without a paid account, one may only access the first 50 sites of the Top 500 list for each category. Although I originally wanted our sample to be much larger, it was not to be… But the limitation gave me an idea. Since one may access the list of the top 50 sites in each category, why not scan all 50 sites for each of the 16 categories? Of course, with such a small sample size, the results could not be considered anywhere near representative, but they might be interesting nonetheless.

With the plan set, I put it into action on 25 December 2019. I used the same methodology as in the case of the banking portals: I conducted an Nmap scan using the “ssl-enum-ciphers” and “sslv2” scripts, which enabled me to determine which SSL/TLS protocols were supported by the servers (except for TLSv1.3) as well as the weakest supported ciphersuite (once again, see the Diary for more details). In the end, the scans managed to gather information about 790 of the 800 domains (the 10 errors were mostly due to second-level domains not having an A record set).

In contrast to the internet banking portals, none of the servers in the “Top 50” lists supported SSLv2 (which 0.8% of the tested internet banking servers did) or supported a ciphersuite graded F (as was the case with 0.29% of the e-banking servers). So in this regard (and in several others), even the 50 most visited adult sites were better configured than some of the internet banking portals.

Apart from that, the results were a bit of a mixed bag, as you may see from the following table of results. I added the numbers for the internet banking sites as well, so you may judge the resulting grades for yourselves.

Category A C D F (% of sites per grade)
Business 78.72 17.02 4.26 0.00
Health 75.00 25.00 0.00 0.00
Reference 75.00 22.92 2.08 0.00
Science 74.42 23.26 2.33 0.00
Kids and Teens 73.91 21.74 4.35 0.00
Regional 72.34 23.40 4.26 0.00
Shopping 72.34 25.53 2.13 0.00
Society 71.74 28.26 0.00 0.00
Internet Banking 70.47 24.29 4.95 0.29
Home 67.35 32.65 0.00 0.00
News 67.35 32.65 0.00 0.00
Recreation 66.67 31.11 2.22 0.00
Adult 63.27 34.69 2.04 0.00
Games 63.04 32.61 4.35 0.00
Arts 61.70 34.04 4.26 0.00
Sports 61.70 31.91 6.38 0.00
Computers 52.00 46.00 2.00 0.00

Besides the marks for the different categories, protocol support was interesting as well. As already mentioned, none of the tested sites supported SSLv2. One further point worth mentioning, however, is that on average more internet banking sites still supported SSLv3 than servers in any of the Alexa categories, and fewer banking sites supported TLSv1.2 than even the sites in the Adult category. Since the sample sizes varied widely between the analyses, this should be considered more an interesting observation than anything else, but I think it merits at least this small remark.

Category SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 (% of sites supporting the protocol)
Computers 0.00 74.00 82.00 100.00
Adult 2.00 68.00 80.00 98.00
News 2.00 68.00 76.00 98.00
Home 0.00 52.00 64.00 98.00
Sports 0.00 68.75 85.42 97.92
Internet Banking 3.49 47.64 57.75 96.65
Reference 0.00 52.00 70.00 96.00
Arts 2.04 63.27 71.43 95.92
Society 2.08 47.92 58.33 95.83
Health 0.00 46.94 67.35 93.88
Shopping 0.00 36.73 63.27 93.88
Business 2.04 36.73 53.06 93.88
Kids and Teens 0.00 56.00 78.00 92.00
Regional 0.00 56.00 78.00 92.00
Recreation 2.04 42.86 63.27 91.84
Games 2.00 66.00 82.00 90.00
Science 0.00 44.90 67.35 87.76

When it came to vulnerabilities, several servers in the Society and Adult categories were found to be vulnerable to POODLE, a couple in the Science category still supported the use of RC4, and quite a large number of sites in all categories supported ciphersuites vulnerable to SWEET32.

Category SWEET32 RC4 POODLE (% of sites affected)
Society 27.08 0.00 2.08
Adult 36.00 0.00 2.00
Internet Banking 30.55 0.51 0.07
Science 20.41 2.04 0.00
Computers 48.00 0.00 0.00
Sports 37.50 0.00 0.00
Arts 36.73 0.00 0.00
Games 34.00 0.00 0.00
News 34.00 0.00 0.00
Home 32.00 0.00 0.00
Recreation 30.61 0.00 0.00
Shopping 26.53 0.00 0.00
Regional 26.00 0.00 0.00
Health 24.49 0.00 0.00
Kids and Teens 24.00 0.00 0.00
Reference 24.00 0.00 0.00
Business 20.41 0.00 0.00

The last thing that should be mentioned is that on average only 23.54% of the sites from the Alexa categories were configured in accordance with current security best practices (i.e. they only supported TLSv1.2 and possibly TLSv1.3). Percentages for all of the categories tested may be found in the following chart.

[Chart: Percentage of sites configured in accordance with current security best practices]
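The methodology used throughout the post (an Nmap scan with the “ssl-enum-ciphers” and “sslv2” scripts, the weakest supported ciphersuite as the grade, the SWEET32/RC4/POODLE indicators, and the “TLSv1.2 only” best-practice check) can be reproduced with a small parser over the scripts' normal output. The following is an added example, not the author's own tooling: it assumes the output layout of those two Nmap scripts, derives SWEET32 from 64-bit block ciphers (3DES, DES, IDEA), RC4 from the cipher name and POODLE from a CBC cipher offered under SSLv3, and is fed constructed, abbreviated sample output for three placeholder hostnames rather than real scan results. As in the post, TLSv1.3 is not enumerated by ssl-enum-ciphers, so that column stays at zero.

```python
"""Aggregate Nmap ssl-enum-ciphers/sslv2 output into per-category statistics (added example)."""
import json
import re
from collections import Counter

# Protocol versions counted. ssl-enum-ciphers does not enumerate TLSv1.3, so
# that column stays at 0 unless another probe supplies it.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Constructed, abbreviated script output for three placeholder hostnames (not real scans).
SAMPLE_SCANS = {
    "host-a.example": """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
""",
    "host-b.example": """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
""",
    "host-c.example": """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|_  least strength: C
| sslv2:
|   SSLv2 supported
|   ciphers:
|_    SSL2_RC4_128_WITH_MD5
""",
}


def parse_host(output):
    """Extract supported protocols, ciphers per protocol and the least-strength grade."""
    protocols, ciphers, least, current = set(), {}, None, None
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop NSE output decoration
        m = re.fullmatch(r"(SSLv3|TLSv1\.[0-3]):", line)
        if m:  # start of a protocol section in ssl-enum-ciphers output
            current = m.group(1)
            protocols.add(current)
            ciphers[current] = []
        elif line == "SSLv2 supported":  # reported by the sslv2 script
            protocols.add("SSLv2")
        elif current and (m := re.fullmatch(r"(TLS_\w+) \(.*\) - [A-F]", line)):
            ciphers[current].append(m.group(1))
        elif m := re.fullmatch(r"least strength: ([A-F])", line):
            least = m.group(1)
    return {"protocols": protocols, "ciphers": ciphers, "least_strength": least}


def assess(host):
    """Derive the post's per-site indicators from one parsed scan."""
    protos = host["protocols"]
    tls_ciphers = [c for lst in host["ciphers"].values() for c in lst]
    return {
        "sslv2": "SSLv2" in protos,
        # SWEET32: a 64-bit block cipher (3DES, DES, IDEA) offered on any TLS version
        "sweet32": any(re.search(r"_(3DES|DES|IDEA)_", c) for c in tls_ciphers),
        "rc4": any("_RC4_" in c for c in tls_ciphers),
        # POODLE: SSLv3 enabled with a CBC-mode cipher
        "poodle": any("_CBC_" in c for c in host["ciphers"].get("SSLv3", [])),
        # best practice as defined in the post: nothing older than TLSv1.2 is offered
        "best_practice": "TLSv1.2" in protos and protos <= {"TLSv1.2", "TLSv1.3"},
        "grade": host["least_strength"],
    }


def summarise(scans):
    """Turn {hostname: script output} into the percentages shown in the post's tables."""
    parsed = {name: parse_host(out) for name, out in scans.items()}
    verdicts = [assess(h) for h in parsed.values()]

    def pct(count):
        return round(100.0 * count / len(parsed), 2)

    grades = Counter(v["grade"] for v in verdicts if v["grade"])
    flags = ("sslv2", "sweet32", "rc4", "poodle", "best_practice")
    return {
        "hosts": len(parsed),
        "protocol_support": {p: pct(sum(p in h["protocols"] for h in parsed.values())) for p in PROTOCOLS},
        "flags": {f: pct(sum(v[f] for v in verdicts)) for f in flags},
        "grades": {g: pct(c) for g, c in sorted(grades.items())},
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_SCANS), indent=2))
```

Run as a script it prints the protocol-support, vulnerability and grade percentages for the three constructed hosts as JSON. To use it on a real category list, split the normal output of a scan such as `nmap -p 443 --script ssl-enum-ciphers,sslv2 -iL domains.txt -oN scan.txt` into one chunk per host and pass those chunks as the `scans` mapping; hosts that produced no script output (e.g. no A record) parse to an empty protocol set and a missing grade, which the summary simply counts as not supporting anything.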