Privacy Flag

Threat Observatory / Early Warning System

Please note that the following charts are based on simulated data. The real crowdsourced data will be displayed in the next version.

Categories

The PrivacyFlag Observatory is organized in three distinct categories: Confidentiality, Security and Privacy of Data. All of them relate to the privacy of your data in a direct or indirect way. Here is why:

Confidentiality

Data encryption is the basic mechanism for protecting the confidentiality of your information so that it remains private. It is absolutely necessary to encrypt sensitive data such as passwords and credit card numbers, but it is even better to encrypt everything. Modern web sites provide various encryption mechanisms. In PrivacyFlag we check whether a web site respects users' privacy by encrypting their data. Furthermore, PrivacyFlag also analyzes the robustness and strength of the implemented encryption algorithms. Bear in mind that obsolete, weak or poorly implemented encryption algorithms offer little or no protection against skilled adversaries.

Percentage of websites that provide data encryption (SSL/TLS).

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are standard security technologies for establishing an encrypted link between a server and a client, typically a web server (website) and a browser. The strength of the protection mechanism is determined by the authentication, encryption, and hashing algorithms, collectively known as a cipher suite, chosen for the transmission of sensitive information over the TLS/SSL channel. Some cipher suites are known to be broken or weak. SSL-enabled servers should be configured to disable these insecure cipher suites.
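The cipher-suite check described above can be automated over the suite names a scanner reports. The following is an added example, not code from the PrivacyFlag project: it classifies IANA-style TLS cipher suite names as insecure (broken primitives such as NULL, EXPORT, anonymous key exchange, RC4, single DES, MD5), weak (3DES, CBC mode, or static key exchange without forward secrecy) or strong, and audits a server's offered list. The marker lists and the "passes when no insecure suite is offered" rule are the example's own policy, not the project's.

```python
import re

# Substrings of an IANA cipher suite name that mark it as broken or deprecated.
# Any one of them makes the suite "insecure" (policy chosen for this example).
INSECURE_MARKERS = ("NULL", "EXPORT", "anon", "RC4", "DES40", "MD5", "_DES_", "RC2", "IDEA")
# Markers that do not break the suite outright but make it "weak":
# 3DES (64-bit block, Sweet32) and CBC mode (padding-oracle history).
WEAK_MARKERS = ("3DES", "CBC")


def classify_suite(name: str) -> str:
    """Return 'strong', 'weak' or 'insecure' for one cipher suite name."""
    if any(m in name for m in INSECURE_MARKERS):
        return "insecure"
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) carry no key-exchange part in
    # the name; all of them are AEAD and always use ephemeral key exchange.
    if re.match(r"^TLS_(AES|CHACHA20)_", name):
        return "strong"
    if any(m in name for m in WEAK_MARKERS):
        return "weak"
    # Static key exchange (TLS_RSA_WITH_..., TLS_ECDH_RSA_WITH_...) has no
    # forward secrecy: a later key compromise decrypts recorded traffic.
    kex = name.split("_WITH_")[0]
    if "DHE" not in kex:  # matches both DHE and ECDHE
        return "weak"
    return "strong"


def audit_suites(suites):
    """Group the offered suites by verdict; the server passes when it offers
    no insecure suite at all (weak suites are reported but tolerated)."""
    report = {"strong": [], "weak": [], "insecure": []}
    for suite in suites:
        report[classify_suite(suite)].append(suite)
    report["passes"] = not report["insecure"]
    return report


# Constructed sample: what a scanner might list for one server.
SAMPLE_OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for verdict, names in audit_suites(SAMPLE_OFFERED).items():
        print(verdict, names)
```

The classification is name-based and therefore only as good as the markers; a real audit should also record the negotiated protocol version, since a strong suite offered over SSLv3 or TLS 1.0 is still a weak configuration.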

Percentage of websites that provide HSTS.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that allows web servers to declare that web browsers should only interact with them using secure HTTPS connections and never via the insecure HTTP protocol. Additionally, the server can define the lifetime of the policy and public key pins, which the client browser will cache. From then on the browser will refuse to connect via HTTP, or via HTTPS if none of the public key pins is part of the certificate chain. This hinders man-in-the-middle attacks.
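Whether a site "provides HSTS" comes down to the Strict-Transport-Security response header. The following added example (not PrivacyFlag code) parses that header according to the RFC 6797 directive syntax and rates the resulting policy. The thresholds (one year for max-age, includeSubDomains expected) are the example's own choices; the rule that a header received over plain HTTP must be ignored is the RFC's.

```python
from dataclasses import dataclass

# Threshold chosen for this example; browser preload lists expect at least one year.
ONE_YEAR = 365 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value.

    Directives are ';'-separated, names are case-insensitive, max-age is
    mandatory, a duplicated directive invalidates the header, and unknown
    directives are ignored (all per RFC 6797)."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("max-age directive given twice")
            max_age = int(value)  # ValueError if not a number
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive missing")
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(header_value: str, served_over_https: bool = True):
    """Return (verdict, reasons) for one observed header.

    Browsers only honour HSTS when the response itself arrived over HTTPS,
    so a header seen on an HTTP response gives the site no protection."""
    if not served_over_https:
        return "ignored", ["header delivered over HTTP; browsers must ignore it"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as err:
        return "invalid", [str(err)]
    if policy.max_age == 0:
        return "disabled", ["max-age=0 tells the browser to forget the host"]
    reasons = []
    if policy.max_age < ONE_YEAR:
        reasons.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        reasons.append("includeSubDomains missing; subdomains stay reachable over HTTP")
    return ("strong" if not reasons else "weak"), reasons


if __name__ == "__main__":
    # Constructed sample header values, as they might appear in survey data.
    for value in ("max-age=31536000; includeSubDomains; preload",
                  "max-age=300", "max-age=0", "includeSubDomains"):
        print(repr(value), "->", evaluate_hsts(value))
```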

Percentage of websites that use a trustworthy certification chain.

In order for an SSL certificate to be trusted, it must have been issued by a certificate authority (CA) that is trusted by the connecting client (web browser). If the certificate was not issued by a trusted, known CA, the client then checks whether the certificate of the issuing CA was itself issued by a known, trusted CA, and so on, until either a trusted CA is found or the chain is exhausted without one. The list of SSL certificates, from the root certificate down to the website certificate, is the SSL certificate chain.

Percentage of websites that use Certificate pinning.

HTTP Public Key Pinning (HPKP) is a security mechanism that allows HTTPS websites to resist impersonation by attackers using mis-issued or fraudulent certificates. For example, attackers might compromise a certificate authority (i.e., the entity that issues authentication certificates for websites) and then mis-issue certificates for any domain. To combat this risk, the web server can provide a list of "pinned" public key hashes; on subsequent connections, web browsers expect that server to use one or more of those public keys in its certificate chain.
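The two preceding sections describe one pipeline: the browser first walks issuer links from the website certificate up to a trusted root, and only then compares HPKP pins against the keys in that validated chain. The following added example (not PrivacyFlag code) models both steps. Chain building matches a certificate to its issuer the way real path builders do, by Authority Key Identifier to Subject Key Identifier plus name agreement, and stops on a trust anchor, a missing intermediate, a loop or excessive depth; the cryptographic signature check that a real client performs on each link is left out of this model. Pins are computed exactly as RFC 7469 defines them, base64 of the SHA-256 of the SubjectPublicKeyInfo DER. All certificates, key identifiers and SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    subject_key_id: str    # SKI: identifies this certificate's key
    authority_key_id: str  # AKI: SKI of the key that signed this certificate
    spki_der: bytes        # SubjectPublicKeyInfo DER; the input HPKP pins hash


def build_chain(leaf, presented, trust_store, max_depth=8):
    """Walk from the leaf to a trust anchor. Returns (trusted, chain).

    Signature verification is omitted in this model; linkage is AKI -> SKI
    plus issuer/subject name agreement."""
    by_ski = {c.subject_key_id: c for c in list(presented) + list(trust_store)}
    trusted_skis = {c.subject_key_id for c in trust_store}
    chain, seen, current = [leaf], {leaf.subject_key_id}, leaf
    while current.subject_key_id not in trusted_skis:
        if len(chain) >= max_depth:
            return False, chain                 # refuse absurdly long paths
        parent = by_ski.get(current.authority_key_id)
        if parent is None or parent.subject != current.issuer:
            return False, chain                 # missing intermediate or unknown root
        if parent.subject_key_id in seen:
            return False, chain                 # cycle: never reaches an anchor
        chain.append(parent)
        seen.add(parent.subject_key_id)
        current = parent
    return True, chain


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value per RFC 7469: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pins(header_value: str):
    """Collect the pin-sha256 values from a Public-Key-Pins header value."""
    pins = set()
    for raw in header_value.split(";"):
        name, _, value = raw.strip().partition("=")
        if name.strip().lower() == "pin-sha256":
            pins.add(value.strip().strip('"'))
    return pins


def check_pins(chain, pins):
    """Pin validation passes when any certificate of the validated chain carries
    a pinned key. RFC 7469 also demands a backup pin that is NOT in the chain,
    so the site can recover if the pinned key is lost."""
    chain_pins = {spki_pin(c.spki_der) for c in chain}
    matched = pins & chain_pins
    return {"passes": bool(matched), "matched": matched,
            "backup_pin_present": bool(pins - chain_pins)}


# Constructed sample hierarchy (placeholder identifiers and key bytes).
ROOT = Cert("Example Root CA", "Example Root CA", "ski-root", "ski-root", b"constructed-spki-root")
INTER = Cert("Example Issuing CA", "Example Root CA", "ski-inter", "ski-root", b"constructed-spki-inter")
LEAF = Cert("www.example.org", "Example Issuing CA", "ski-leaf", "ski-inter", b"constructed-spki-leaf")
BACKUP_SPKI = b"constructed-spki-backup"  # key held offline, pinned but not deployed
PIN_HEADER = (f'pin-sha256="{spki_pin(INTER.spki_der)}"; '
              f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    trusted, chain = build_chain(LEAF, [INTER], [ROOT])
    print("trusted:", trusted, [c.subject for c in chain])
    print(check_pins(chain, parse_pins(PIN_HEADER)))
```

Pinning the intermediate CA key rather than the leaf key, as the sample header does, is the usual operational choice: the site can renew its own certificate without touching the pin set, and the backup pin keeps a self-inflicted lockout from becoming permanent.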