Privacy Flag

Threat Observatory / Early Warning System

The PrivacyFlag Observatory focuses on providing a holistic overview of the privacy landscape of the modern Internet. The basic idea is to inform users, developers, stakeholders and researchers about the level of adoption of best practices, as well as about how prevalent insecure, obsolete and deprecated technologies are. Furthermore, because PrivacyFlag is based on crowdsourcing, interested parties can observe how committed the most important web sites are to privacy-related technologies.

The PrivacyFlag Observatory is organized into three distinct categories: Confidentiality, Security and Privacy of Data. All of them relate, directly or indirectly, to the privacy of your data. Here is why:

Confidentiality

Confidentiality means ensuring that unauthorized access to information is not permitted and that accidental disclosure of sensitive information is not possible. Common confidentiality controls are user IDs, passwords and encryption. Data encryption is the basic mechanism for keeping your information private. It is absolutely necessary to encrypt sensitive data such as passwords and credit card numbers, but it is even better to encrypt everything. Modern web sites provide various encryption mechanisms. In PrivacyFlag we check whether a website respects users' privacy by encrypting their data. The following information helps you become aware of common confidentiality mechanisms the next time you visit a website!

Percentage of websites that provide data encryption (SSL/TLS).

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are standard security technologies for establishing an encrypted link between a server and a client, typically a web server (website) and a browser. You will notice that the "http" in the address line is replaced with "https", and you should see a small padlock in the status bar at the bottom of the browser window. [for more information read How Encryption Works]

Percentage of websites that provide HSTS.

“https” is the standard way of securing website traffic and giving users confidence in the website they are on. However, the default for most of the web is still “http”: if you type in a URL without specifying “https” (e.g. www.google.com), the browser will default to “http”. Being on an “http” channel makes you vulnerable to loss of information to an attacker. For example, on a public or hotel wifi network, a hacker can eavesdrop on all of the connections going over the insecure wireless network. HSTS (HTTP Strict Transport Security) lets a website instruct the browser to use only “https” for that site on future visits. [for more information read What is HSTS and how do I implement it?]

Percentage of websites that use a trustworthy certification chain.

Digital certificates are electronic credentials that are used to assert the online identities of individuals, computers, and other entities on a network. Digital certificates function similarly to identification cards such as passports and driver’s licenses. They are issued by certification authorities (CAs) that are trusted by the connecting client (web browser). The root certificate is generated by a CA and is embedded into browsers. The list of SSL certificates, from the root certificate to the website certificate, represents the SSL certificate chain. [for more information read Certificates for dummies]

Percentage of websites that use Certificate pinning.

HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or fraudulent certificates. For example, attackers might compromise a certificate authority (i.e., the entity that issues authentication certificates for websites) and then mis-issue certificates for any domain. To combat this risk, the web server can provide a list of “pinned” public key hashes; on subsequent connections, web browsers expect that server to use one or more of those public keys in its certificate chain.
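As an added example (not code from the PrivacyFlag project), the following Python evaluates the two header-based mechanisms described above, HSTS and HPKP, against captured response headers: it parses Strict-Transport-Security and Public-Key-Pins, derives the pin value a key produces, and flags the failure modes a practitioner looks for (a max-age=0 policy that is a no-op, a pin set with no backup pin, pins that do not cover the key actually served). The header values and the SubjectPublicKeyInfo byte strings are constructed, not taken from any real site.

```python
import base64
import hashlib

# Constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo (not real keys).
SERVED_SPKI = b"constructed SPKI of the served leaf key"
BACKUP_SPKI = b"constructed SPKI of the offline backup key"

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value per RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed response headers: one site deploying both mechanisms well, one deploying
# an HSTS policy that is a no-op (max-age=0) and a pin set with no backup pin.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Public-Key-Pins": (f'pin-sha256="{spki_pin(SERVED_SPKI)}"; '
                        f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000; includeSubDomains'),
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Public-Key-Pins": f'pin-sha256="{spki_pin(SERVED_SPKI)}"; max-age=5184000',
}

def parse_directives(value: str) -> list:
    """Split 'a=1; b; c="x"' into (name, value) pairs; directive names are case-insensitive."""
    pairs = []
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.strip().partition("=")
            pairs.append((name.strip().lower(), val.strip().strip('"')))
    return pairs

def check_hsts(headers: dict) -> dict:
    """Does the site tell browsers to use https only, and is the policy actually in force?"""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return {"present": False}
    d = dict(parse_directives(value))
    max_age = int(d.get("max-age", "0"))
    return {"present": True, "max_age": max_age, "effective": max_age > 0,
            "include_subdomains": "includesubdomains" in d, "preload": "preload" in d}

def check_hpkp(headers: dict, served_spki: bytes) -> dict:
    """Are pins present, is there a backup pin, and do the pins cover the key actually served?"""
    value = headers.get("Public-Key-Pins")
    if value is None:
        return {"present": False}
    pins = {v for n, v in parse_directives(value) if n == "pin-sha256"}
    return {"present": True, "pin_count": len(pins),
            "has_backup_pin": len(pins) >= 2,  # RFC 7469 requires at least one backup pin
            "served_key_pinned": spki_pin(served_spki) in pins}
```

Run `check_hsts(GOOD_HEADERS)` and `check_hpkp(WEAK_HEADERS, SERVED_SPKI)` to see a compliant deployment beside one that would count as "present" in a naive header scan but protects nothing.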