Top U.S. defence contractors, including the likes of Lockheed Martin, Raytheon and Boeing, do not have standard HTTPS web encryption enabled on their official websites by default.
Websites lacking HTTPS security certificates may not be able to prevent hackers from stealing sensitive information uploaded to such sites.
If you ever happen to ask a cyber security expert on the best ways to ensure your privacy while browsing the web, there’s a major chance he or she would advise you to check for security certificates of websites before visiting them or adding your personal information on such sites.
For those who aren’t aware, including major U.S. defence contractors Lockheed Martin, Boeing, Raytheon, and Northrop Grumman, HTTPS is the latest website security certificate which ensures the security of confidential corporate and customer information.
The over-a-decade-old HTTP certificate, which uses an outdated encryption algorithm called SHA-1, has been known to be insecure since 2005. Experts claim that hackers can now use various techniques to easily manipulate the outdated SHA-1 in HTTP certificates that are used to sign many website digital certificates.
“Without encryption, governments can more easily survey sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens. Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications,” said Wikipedia when it implemented HTTPS to encrypt all traffic on its websites in 2015.
In an eye-opening piece, Motherboard has now revealed that major defence contractors like Lockheed Martin, Boeing, Raytheon, and Northrop Grumman do not have standard HTTPS web encryption enabled on their official websites by default. The site adds that these four defence contractors received a combined $95 bn from the U.S. government last year.
The revelation means there’s a huge chance that hackers, including nation-backed ones, can exploit the security vulnerabilities in such sites to either manipulate sensitive information or can steal sensitive information without putting in much effort.
“For companies bidding on major cybersecurity contracts, lack of HTTPS-by-default in 2017 is a bad look. You are better protected from man in the middle attacks when visiting Pornhub than Raytheon or Lockheed,” said John Scott-Railton, a senior researcher at the Citizen La to Motherboard.
Even though governments and security agencies across the world have implemented HTTPS on their sites, a lot of work needs to be done. In May, an analysis of over 33 million publicly visible IPv4 websites by leading cybersecurity firm Venafi revealed that over 1 in 5 certificates for unique IP addresses were still using the outdated SHA-1 as the signature hash algorithm.
To ensure the privacy of billions of web browsers across the globe, Google’s Chrome web browser is now offering alerts to warn users when they visit sites lacking HTTPS certificates. When users visit secure websites, they can now view the green padlock on the address line for HTTPS transactions, which confirms that the site is secure.
At the same time, Google Chrome is now marking non-HTTP sites a ‘Not Secure’ as soon as users start typing on such sites. Google is aiming to eventually mark all non-HTTPS pages as ‘Not Secure’ in red which will be more noticeable by visitors compared to the small ‘i’ logo which appears on the address line at present.