Whilst HTTPS is now widely adopted by most web applications, it would be wrong to assume that HTTPS alone indicates a sufficient level of security.
In a three-year audit by the Optus Macquarie Cyber Security Hub, researchers analysed 1,862 Australian federal and state/territory government websites. Whilst 84% of the surveyed websites had HTTPS implemented, 3.9% of federal government sites and 7.4% of state/territory sites were still deemed to be insecure due to weaknesses in cryptographic mechanisms (e.g., use of weak or sub-optimal ciphers), support of vulnerable protocols (e.g., SSL3), and “untrusted” certificates not allowing for correct server-identity validation.
All these can potentially place client information at risk of being intercepted and obtained by a malicious agent despite the use of HTTPS.
This serves as an important reminder that just because you have HTTPS implemented on your web applications, you still need to take measures to ensure you are using appropriate encryption that is securely configured. Deployed cryptographic methods should be reviewed regularly.
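The two classes of weakness the audit names, legacy protocols and weak ciphers, are typically visible in the server's TLS configuration, so a periodic review can be partly automated. The following is an added example, not code from the audit or from any project: it lints nginx-style `ssl_protocols` and `ssl_ciphers` directives against a simple policy (the legacy-protocol and weak-cipher lists are assumptions based on common hardening guidance, not the audit's own criteria), and both sample configurations are constructed for illustration, one weak and one hardened.

```python
"""Lint nginx-style TLS directives for legacy protocols and weak cipher suites.

Policy lists below are assumptions based on common hardening guidance; the
sample configurations are constructed for this example.
"""
import re

# Protocol versions that should not be offered (assumed policy).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Tokens in an OpenSSL cipher-suite name that indicate a weak or
# deprecated algorithm (assumed policy). "DES" also catches DES-CBC3-SHA (3DES).
WEAK_CIPHER_TOKENS = {"RC4", "DES", "MD5", "NULL", "EXPORT", "aNULL", "eNULL"}

# Constructed sample: a configuration with the weaknesses the audit describes.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;
    ssl_ciphers "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256";
}
"""

# Constructed sample: the corrected configuration.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5";
}
"""

DIRECTIVE = re.compile(r"(ssl_protocols|ssl_ciphers)\s+(.+?);")


def parse_directives(config: str) -> dict:
    """Collect the ssl_protocols and ssl_ciphers values into a dict."""
    found = {}
    for line in config.splitlines():
        m = DIRECTIVE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip().strip('"').strip("'")
    return found


def lint_tls_config(config: str) -> list:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    directives = parse_directives(config)

    for proto in directives.get("ssl_protocols", "").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")

    for suite in directives.get("ssl_ciphers", "").split(":"):
        suite = suite.strip()
        # A leading '!' removes the suite from the list, which is the desired state.
        if not suite or suite.startswith("!"):
            continue
        tokens = set(re.split(r"[-+]", suite))
        weak = tokens & WEAK_CIPHER_TOKENS
        if weak:
            findings.append(
                f"weak cipher allowed: {suite} ({', '.join(sorted(weak))})"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {lint_tls_config(cfg) or 'no findings'}")
```

The linter deliberately treats `!`-prefixed suites as exclusions rather than findings, so a hardened list that explicitly blocks `aNULL` and `MD5` passes cleanly; a configuration file that omits `ssl_protocols` altogether inherits the web server's default and should be reviewed by hand rather than assumed safe.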
For example, by embedding an old version of the jQuery UI library, almost 10% of Australian government websites are exposed to a high-severity Cross-Site Scripting (XSS) vulnerability, which could be exploited by attackers to inject malicious code into the webpage.¹
One way to help ensure your web applications don’t contain insecure source-code obtained from third-party libraries is through conducting periodic Secure Code Reviews, particularly when upgrading or releasing any new functionality.
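A lightweight check that fits into such a review is to inventory the third-party scripts a page embeds and flag any whose version falls below the minimum your policy allows. This is an added example, not code from the audit or from any project: it extracts library names and versions from `<script src>` filenames in a constructed HTML fragment and compares them against `MIN_VERSIONS`, a placeholder policy table that is an assumption for illustration and not a statement of which releases are vulnerable.

```python
"""Inventory third-party script embeds in an HTML page and flag outdated versions.

The HTML fragment and the MIN_VERSIONS policy are constructed for this example;
the policy values are placeholders, not a vulnerability list.
"""
import re

# Placeholder policy (assumption): minimum acceptable version per library.
MIN_VERSIONS = {
    "jquery-ui": (1, 13, 0),
    "jquery": (3, 5, 0),
}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
# Matches filenames such as jquery-ui-1.12.1.min.js or jquery-3.6.0.js.
LIB_VERSION = re.compile(
    r"(jquery-ui|jquery)-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$", re.IGNORECASE
)

# Constructed sample page with one current and one outdated library embed.
SAMPLE_HTML = """
<html><head>
  <script src="/static/js/jquery-3.6.0.min.js"></script>
  <script src="https://cdn.example/jquery-ui-1.12.1.min.js?v=2"></script>
  <script src='/static/js/app.js'></script>
</head><body></body></html>
"""


def embedded_libraries(html: str) -> list:
    """Return (library, version_tuple, src) for every recognised library embed."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        # Drop any query string, then keep only the filename.
        filename = src.split("?", 1)[0].rsplit("/", 1)[-1]
        m = LIB_VERSION.match(filename)
        if not m:
            continue
        lib = m.group(1).lower()
        version = tuple(int(x) for x in m.group(2, 3, 4))
        found.append((lib, version, src))
    return found


def find_outdated_libraries(html: str) -> list:
    """Return (library, version_string, src) for embeds below the policy minimum."""
    outdated = []
    for lib, version, src in embedded_libraries(html):
        minimum = MIN_VERSIONS.get(lib)
        if minimum is not None and version < minimum:
            outdated.append((lib, ".".join(map(str, version)), src))
    return outdated


if __name__ == "__main__":
    for lib, version, src in find_outdated_libraries(SAMPLE_HTML):
        print(f"outdated {lib} {version}: {src}")
```

Filename-based detection only sees libraries that carry their version in the script name, so bundled or renamed assets still need to be traced back to their package manifest during the review.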