On the 25th of May, a set of new rules was launched across Europe, designed (in part) to give individuals more control over the personal data they share online and to make companies take more responsibility for protecting that data, facing large fines if they are found in breach of the regulations.
At around the same time (give or take a month or so) Google made a decision to prominently highlight websites that did not have a security certificate installed when they were visited by someone using their Chrome browser. In fact, visiting a page on a website that has a contact form or similar that does not have a security certificate installed will occasionally bring up a warning page claiming the site is dangerous to visit, and requiring your specific permission to continue to the page, even if the site itself is a completely benign site with just a couple of pages. This move comes years after Google started downgrading sites without security certificates in their search results, something that, as with all updates Google make, was only published in the deep, dark places of their forums where only SEO and marketing professionals venture.
So, given all of these facts, you would think that any company looking to have an effective web presence would, by now, have ensured that its website had a security certificate installed and configured correctly.
Oh, how wrong you would be.
You may have seen a report recently about how roughly 20% of the top 500 websites in the world still have not secured their sites (the blog about this is here). Now I’m not going to look at these – the majority are from America and China, and to be honest, they are such huge companies that, whilst they have a responsibility to ensure their websites are as secure as possible, they almost certainly fall into the category of not being overly concerned that they do not run https:// on their websites.
No, what I’m going to concentrate on is a little closer to home.
It is a fact that a majority of people now get their news online rather than in print, whether that is from Reddit (no, just no), social media such as Twitter and Facebook, or other news aggregator websites. And you wonder why there is so much fake news around…
Anyhow, another main source of news would be something like the BBC’s website – ie. the main website of a major media corporation rather than a story posted by some bloke who read a text message from his mate whose wife had overheard their neighbour talking to their dog. So, as you would expect, the BBC’s website is now secure. Interestingly enough, it did take them until last month to make it secure, so they were a bit late to the party, but now, all seems fine.
So what about something a little more… local. Here in Dereham, we have a choice of a few local newspapers; the two main ones are the Eastern Daily Press and the Dereham Times, both run by a media company called Archant. Archant own a lot of local newspapers all over the UK, and all of them have associated websites. And I have not been able to find a single one running under https://.
Now let me clarify something here – just because a website isn’t https:// does not mean that it isn’t safe for you to use (however much Google tries to tell you). If the website does not gather any personal information, or if it is a small website, having an SSL certificate becomes a matter of protecting the company rather than the user.
Archant’s websites are the opposite.
Take the website for the Eastern Daily Press: http://www.edp24.co.uk – don’t bother trying to use https:// – there isn’t even a redirect to the main site from it. Immediately, you can see it isn’t secure (web browsers show this to the left of the address bar). However, let’s give them the benefit of the doubt. They aren’t asking you to provide any personal information to access their content, so apart from the risk of their site being hacked, they aren’t holding any of your personal information for someone to get hold of.
Look in the top left hand corner. There’s a “log-in” and a “register” button. Which are not secure. I know, let’s try registering and then logging in – surely that is secure!
… Wait a minute. I’ve just put in my personal information INCLUDING my home address (as it is required for registration), and the website is STILL not secure after logging-in?
What this means is that your personal information (including passwords) is submitted to and stored on an unsecured website. Which in this day and age means it’s ripe for the taking and abusing with very little effort should a hacker turn his attention to any of Archant’s local news websites.
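The problem described above (a registration or log-in form on a plain http:// page) is something a site owner can check for mechanically. The script below is an added example, not code from the original post: it parses a page's HTML, resolves each form's action against the page URL (a form with no action, or a relative one, inherits the page's scheme), and reports every form that collects a password but would submit it over something other than https://. The sample page and the host name news.example are constructed for the example; only the standard library is used.

```python
"""Audit an HTML page for login forms that would submit credentials over plain HTTP.

Added example (not from the original post). Assumes only the standard library;
the sample page below is constructed, not fetched from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collect every <form> with its resolved action URL and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # completed forms
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An absent action means "submit to the current page", so resolve
            # relative to the page URL; urljoin(page, "") returns the page itself.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_insecure_login_forms(html, page_url):
    """Return the action URLs of forms that collect a password but do not submit over https://."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [
        f["action"]
        for f in scanner.forms
        if f["has_password"] and urlsplit(f["action"]).scheme != "https"
    ]


# Constructed sample: an http:// page carrying three forms.
SAMPLE_PAGE_URL = "http://news.example/login"
SAMPLE_HTML = """
<form action="/account/login" method="post">        <!-- relative action: inherits http:// -->
  <input name="user"><input type="password" name="pw">
</form>
<form action="https://news.example/account/login" method="post">  <!-- explicit https: fine -->
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form method="get">                                  <!-- no action, no password: a search box -->
  <input name="q">
</form>
"""

if __name__ == "__main__":
    for action in find_insecure_login_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("password form submits over plaintext:", action)
```

Run against the sample page it flags only the first form, whose relative action inherits the page's http:// scheme; the second form posts to an explicit https:// URL and the third collects no password. This is one check among several an owner would run: the other half of the picture is whether the http:// host redirects to https:// at all, which the post notes Archant's site does not.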
I reached out to Archant over a week ago and asked them why they hadn’t secured their websites, and whether they could provide a reason beyond “we don’t care” – I explained that I understood they had a lot of advertising on their sites and that they used a third-party comment system, all of which would lead to complications with securing a website, so I wondered if it was simply too much work or too costly for them to do this. I have yet to receive a response – if I do, I shall gladly edit this blog.
I wish Archant were a blip in an otherwise robust system, but sadly they are far from the only major company that has yet to secure its website.
And consider this – rather than abide by GDPR rules, a lot of news websites in America and outside of the EU simply made the decision to block European users from their websites rather than comply with the rules. Obviously they may still be secure under https://, but it further demonstrates that, despite the good intentions of the GDPR lawmakers and Google, there are a lot of companies who have decided that they either cannot be bothered to secure their websites and would rather risk fines, or have websites that are too complicated to secure (this excuse is nonsense by the way – yes it may be difficult and costly, but nothing is too complicated to make secure under SSL).
Or maybe, these websites have something to hide when it comes to the use of your personal data. I mean, how can you trust a tickbox that says a company does not share your data and abides by GDPR rules when they can’t even be bothered to secure their own website?