Security blind spots: It turns out they’re everywhere on the web.

It seems like there’s a story every other day about security breaches affecting e-commerce sites and other websites where consumers congregate.

And now we have quantification of the challenge. Ghostery, a provider of apps that enable consumers to identify and block company tracking on website pages, has examined instances of non-secure digital technologies active on the websites of 50 leading brands in key industry segments like news, financial services, airlines and retail.

More specifically, Ghostery was looking for security “blind spots,” which it defines as non-secure tags that are present without the permission of the host company.

What it found was that 48 of the 50 websites it studied had security blind spots.

And often it’s not just one or two instances on a website. The analysis found that retail web pages host a high concentration of non-secure technologies: 438 of them on the Top Ten retail sites it analyzed (companies like Costco, Kohls, Overstock.com, Target and Walmart).

Financial services sites are also hit hard, with 382 blind spots identified, while airline websites had 223 instances. And they’re often present on the pages described as “secure” on these websites.

Scott Meyer, who is Ghostery’s chief executive officer, had this to say about the situation:

“Companies have very little understanding of what’s happening on their websites. The problem is not with any of the company’s marketing stacks, it’s with their own tech stacks. What these companies have now is marketing clouds, not websites, and they’ve gotten complicated and hard to manage.”

Scott Meyer, CEO of Ghostery (formerly The Better Advertising Project and Evidon).

There was one leading brand website that came off looking squeaky clean compared to the others: Amazon. “Amazon is incredibly sophisticated; others are not,” Meyer noted.

Leaving these security blind spots unaddressed could have seriously negative implications. Bot networks often use non-secure technologies to gain entry to websites. Google is indexing company websites higher in search engine results based on their security ratings.

It makes it all the more important for companies to audit their websites and set up system alerts to identify the non-secure tags.

For the leading brands in particular, they just need to suck it up and do it for the benefit of their millions of customers.
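
The kind of audit recommended above can be sketched with the Python standard library. This is an added example, not Ghostery's method or code from the original post: it assumes a "non-secure tag" is a resource loaded over plain HTTP into an HTTPS page and that "permission" is a site-maintained allowlist of hosts; the `audit_tags` function, the sample page and all hostnames are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that pull a resource into the page, and the attribute holding its URL.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "embed": "src", "link": "href"}

class TagCollector(HTMLParser):
    """Collect (tag, raw URL) for every resource-loading tag."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.resources.append((tag, url.strip()))

def audit_tags(html, page_url, approved_hosts):
    """Return every tag loaded over plain HTTP; approved=False marks a blind spot."""
    collector = TagCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for tag, raw in collector.resources:
        resolved = urlparse(urljoin(page_url, raw))  # resolves relative and //host URLs
        if resolved.scheme != "http":
            continue  # HTTPS (or non-network) resources are out of scope here
        host = resolved.hostname
        approved = host == page_host or host in approved_hosts
        findings.append({"tag": tag, "host": host, "approved": approved})
    return findings

# Constructed sample input; every hostname below is a placeholder.
PAGE_URL = "https://shop.example/checkout"
APPROVED = {"tags.approved-vendor.example", "cdn.approved-vendor.example"}
SAMPLE_PAGE = """<html><head>
<script src="https://tags.approved-vendor.example/a.js"></script>
<script src="http://pixel.unknown-tracker.example/t.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="//cdn.approved-vendor.example/logo.png">
<iframe src="http://widgets.piggyback.example/frame.html"></iframe>
<img src="http://tags.approved-vendor.example/beacon.gif">
</body></html>"""

if __name__ == "__main__":
    for f in audit_tags(SAMPLE_PAGE, PAGE_URL, APPROVED):
        label = "approved, but insecure" if f["approved"] else "BLIND SPOT"
        print(f"{f['tag']:7} {f['host']:32} {label}")
```

Run on a schedule against rendered pages, the unapproved entries are what an alert would fire on; the approved-but-insecure entry is still worth fixing with the vendor.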

Firefox Turns Five: All grown-up now … and with a few grown-up challenges.

Mozilla’s Firefox web browser marked a milestone this past week, celebrating its fifth birthday.

No question about it, the open-source browser has been a big success, with growth that has been impressive by any measure. As of the end of July, Firefox had been downloaded more than 1 billion times.

Indeed, a mainstream site like this one here (WordPress) reports that Firefox now represents a larger share of activity than Internet Explorer — 46% versus 39% of traffic.

But now that Firefox has come of age, it’s facing some of the same “grown up” challenges that other browsers face.

In fact, application security vendor Cenzic has just released its security trends report covering the first half of 2009. Guess what? Firefox led the field of web browsers in terms of reported total vulnerabilities. Here are the stats from Cenzic:

 Firefox: 44% of reported browser vulnerabilities
 Apple Safari: 35%
 Internet Explorer: 15%
 Opera: 6%

Compared to Cenzic’s report covering the second half of 2008, Firefox’s figure is up from 39%, while IE’s number is down sharply from 43%.

Welcome to reality. As Firefox has grown in importance, it’s gained more exposure to vulnerabilities. A significant portion of those vulnerabilities have come via plug-ins.

Mozilla is trying to take steps to counteract this, including launching a plug-in checker service to ensure that users are running up-to-date versions. It also offers a “bug bounty” to anyone who discovers security holes in Firefox.

And the good news is that even though Firefox had the highest number of vulnerabilities, even Cenzic admits that this doesn’t necessarily mean Firefox users are more vulnerable to security threats. Plus, those vulnerabilities tend to be patched more quickly than those found in other browsers.

So on this fifth anniversary milestone, Firefox can be justly praised as a major success story in the web browser world.