Earlier this year, we released the State of the Web 2015 vulnerability report, which revealed that more than 1 in 3 of the top Web domains are risky, and 1 in 4 of the most trusted sites (education and government) are vulnerable. We wanted to expand on this for the top 50 U.K. websites and use our technology to measure how much code is fetched and executed in a browser by the simple act of visiting a popular website. But why stop at the code itself? Where did the code come from? How much of it is there, and what systems deliver this content? The findings were quite a surprise.
It’s been a while since I really looked at the top 50 U.K. websites in any detail, so there were a few surprises when I revisited the list. Unsurprisingly, at number 17 was a sinkholed malware domain, which indicates that there are still a large number of infected computers in the U.K. waiting to be cleaned up. News sites and social media dominated the top 20, with Google and Facebook taking the top five spots. Banking and retail were also well represented throughout the top 50. There were even two adult content sites in the top 50, and one of my favorite house/property search sites came in at number 20.
Why do browsers need scripting?
The tests I ran were designed to determine the number of scripts and the amount of code used by the top 50 U.K. websites, and the versions of the systems behind the scenes delivering the content. There were three metrics that I was looking to track:
- The number of scripts executed on the page (including scripts executed by “foreign domains”)
- Amount of code downloaded to your browser when your browser fetched website content
- The web server headers & version reported when a user fetches content from the website
Together, these data points should show which sites rely heavily on scripting and which don’t. More scripts from more sources means more third-party code that the site owner neither wrote nor controls, so it should equate to a higher risk.
Top 50 websites by scripts executed
Across the top 50 sites, a number of important findings were made:
- On average, when visiting a top 50 U.K. website, your browser will execute 19 scripts
- The site with the most scripts executed 125 unique scripts on a single page load
- Only 8 percent of the top 50 sites executed more than 50 scripts
- 72 percent of the top 50 sites executed fewer than 20 scripts
- 2 of the top 3 sites by scripts executed are news websites
- Only one of the top 50 sites executed just a single script
Top 50 websites by amount of code
This part of the report probably surprised me the most - to see and measure just how much “stuff” my browser was downloading when I went to one of the top 50 U.K. websites.
Across the top sites, a number of important findings were made:
- On average, when visiting a top 50 U.K. website, your browser will download 1.2MB of code
- 82 percent of the top 50 sites downloaded less than 2MB of code
- 62 percent of the top 50 sites downloaded less than 1MB of code
- The heaviest site in the top 50 was a media site that downloaded 4.9MB of code
- Again, media sites held the top two places for amount of downloaded code, followed by social media sites to make up the top 5
- One site outside the top 50 downloaded 6.1MB of code
Vulnerable web-servers in the U.K. top 50
The final part of this report was to look at the web-server software behind the top 50 U.K. websites, using the product and version each server reports in its response headers. I then cross-referenced this information with the MITRE CVE database to look for known vulnerabilities affecting the versions reported. Note that a version string in a header is a self-reported value: it can be removed or rewritten by a reverse proxy or CDN in front of the site, so it is a useful signal rather than proof of the exact software in use. Key findings were:
- 15 of the top 50 sites (i.e. 30 percent) were running versions of web-server software with known vulnerabilities in the CVE database at the time of testing
- Microsoft IIS version 7.5 was the most common vulnerable version reported, with known CVE entries going back more than five years
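The three metrics above (scripts executed, including those from foreign domains; bytes downloaded; and the web-server version reported in response headers) can all be pulled from a HAR capture exported from Chrome's DevTools. The following is an added example, not part of the original report or its tooling: it parses a constructed sample HAR (the hosts, sizes and Server headers are made up), counts first-party versus foreign-origin scripts, sums bytes downloaded, and extracts each host's reported server version. The `BASELINE` table it flags against is a hypothetical placeholder; the real check is to look each reported product/version up in the CVE database, which the example cannot do offline.

```python
"""Offline HAR analysis: scripts executed, foreign-origin scripts, bytes downloaded,
and reported web-server versions. Added example; the sample capture is constructed."""
import json
import re
from urllib.parse import urlsplit


def _entry(url, size, mime, server=None):
    """Build the subset of a HAR entry that the analysis below reads."""
    headers = [{"name": "Server", "value": server}] if server else []
    return {"request": {"url": url},
            "response": {"status": 200, "headers": headers,
                         "content": {"size": size, "mimeType": mime}}}


# Constructed sample HAR (not a real capture of any site).
SAMPLE_HAR_JSON = json.dumps({"log": {"entries": [
    _entry("https://www.example.co.uk/", 48210, "text/html", "Microsoft-IIS/7.5"),
    _entry("https://www.example.co.uk/js/app.js", 210335, "application/javascript", "Microsoft-IIS/7.5"),
    _entry("https://cdn.adnetwork.example/tag.js", 91002, "application/javascript", "nginx/1.8.0"),
    _entry("https://static.analytics.example/collect.js", 35512, "text/javascript", "Apache/2.2.22 (Ubuntu)"),
    _entry("https://www.example.co.uk/img/logo.png", 12000, "image/png", "Microsoft-IIS/7.5"),
    _entry("https://fonts.example/f.woff2", 20000, "font/woff2", "cloudflare"),
]}})

# Small constructed subset of multi-label public suffixes; production code should use the
# full Public Suffix List so that "foreign domain" is judged at the registrable-domain level.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def registrable_domain(host):
    """'www.example.co.uk' -> 'example.co.uk'; 'cdn.adnetwork.example' -> 'adnetwork.example'."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


VERSION_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_server_header(value):
    """'Microsoft-IIS/7.5' -> ('microsoft-iis', (7, 5)); a bare product name yields version None."""
    if not value:
        return None, None
    m = VERSION_RE.match(value.strip())
    if not m:
        return value.strip().split()[0].lower(), None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))


def is_script(entry):
    """Treat a response as a script by MIME type, falling back to a .js path."""
    mime = entry["response"].get("content", {}).get("mimeType", "").lower()
    path = urlsplit(entry["request"]["url"]).path.lower()
    return "javascript" in mime or "ecmascript" in mime or path.endswith(".js")


def analyze_har(har_text, first_party_url):
    """Return the three metrics for one page load, keyed the way the report describes them."""
    har = json.loads(har_text)
    site = registrable_domain(urlsplit(first_party_url).hostname)
    stats = {"requests": 0, "scripts": 0, "foreign_scripts": 0, "bytes": 0,
             "script_bytes": 0, "script_sites": set(), "servers": {}}
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        # HAR records size -1 when the body size is unknown; count it as 0 rather than subtracting.
        size = max(entry["response"].get("content", {}).get("size", 0), 0)
        stats["requests"] += 1
        stats["bytes"] += size
        if is_script(entry):
            stats["scripts"] += 1
            stats["script_bytes"] += size
            stats["script_sites"].add(registrable_domain(host))
            if registrable_domain(host) != site:
                stats["foreign_scripts"] += 1
        server = next((h["value"] for h in entry["response"].get("headers", [])
                       if h["name"].lower() == "server"), None)
        if server and host not in stats["servers"]:
            stats["servers"][host] = server
    return stats


# Hypothetical baselines for illustration only: a version older than the baseline is flagged
# for a manual CVE lookup. These numbers are NOT a statement of which versions are vulnerable.
BASELINE = {"microsoft-iis": (8, 0), "apache": (2, 4), "nginx": (1, 8)}


def flag_servers(servers):
    """Classify each host's Server header: flagged for CVE review, not disclosed, or ok."""
    findings = []
    for host, header in servers.items():
        product, version = parse_server_header(header)
        if version is None:
            findings.append((host, header, "version not disclosed"))
        elif product in BASELINE and version < BASELINE[product]:
            findings.append((host, header, "older than baseline; check CVE list"))
        else:
            findings.append((host, header, "ok"))
    return findings


if __name__ == "__main__":
    stats = analyze_har(SAMPLE_HAR_JSON, "https://www.example.co.uk/")
    print(f"scripts={stats['scripts']} foreign={stats['foreign_scripts']} "
          f"bytes={stats['bytes']} script_bytes={stats['script_bytes']}")
    for host, header, verdict in flag_servers(stats["servers"]):
        print(f"{host:30} {header:28} {verdict}")
```

Running it on the constructed capture reports 3 scripts, 2 of them from foreign registrable domains, about 417KB downloaded, and flags the IIS 7.5 and Apache 2.2 hosts for review while noting that the `cloudflare` host discloses no version at all. A real run would export the HAR from the browser after a full page load with cache disabled, so that every script the page executes is present as a response.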
What can we learn from this quick snapshot of the most popular 50 websites in the U.K.? There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but similarly attackers can use scripting capabilities for iframe redirects and malvertising links to compromise browsers.
Security professionals have been using browser plugins like NoScript for years; however, it makes the Web surfing experience much harder, and for many non-technical users it’s not really an option to deploy, meaning the vast majority of users cannot make an educated choice about script permissions.
The main takeaways show that going to any popular website is now associated with some risk, as we see play out in numerous media stories every week. The recent Pagefair hack should be a warning to everyone that trusted websites take content from many entities of varying security postures.
Knowing that visiting a U.K. top 10 site means I’m allowing my browser to execute more than 25 scripts (according to our data, that’s 25 scripts that may or may not be well written and/or secure) should be a concern. If you knew that an employee going to a top 5 U.K. website exposes their browser to more than 100 scripts, would it make you think twice?
Isolation gives users the ability to have those scripts executed outside the end-user browser, preserving the browsing experience while keeping the browser itself out of reach of the scripts.
Test Date – Thursday 15th October
Browser used – Chrome version 46.0.2490.71 (64-bit) on Yosemite 10.10.5
Alexa Top 50 - http://www.alexa.com/topsites/countries/GB