{"id":2299,"date":"2018-02-28T15:49:20","date_gmt":"2018-02-28T23:49:20","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2299"},"modified":"2018-02-28T15:49:20","modified_gmt":"2018-02-28T23:49:20","slug":"analysis-alexa-top-1m-sites-2","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/","title":{"rendered":"Analysis of the Alexa Top 1M Sites"},"content":{"rendered":"

Prior to the release of the <\/span>Mozilla Observatory<\/span><\/a> in June of 2016, I ran a scan of the Alexa Top 1M websites. Despite being available for years, <\/span>the usage rates<\/span><\/a> of modern defensive security technologies was frustratingly low. A lack of tooling combined with poor and scattered documentation had led to minimal awareness around countermeasures such as <\/span>Content Security Policy<\/span><\/a> (CSP), <\/span>HTTP Strict Transport Security<\/span><\/a> (HSTS), and <\/span>Subresource Integrity<\/span><\/a> (SRI).<\/span><\/p>\n

Since then, a number of additional assessments have done, including in <\/span>October 2016<\/span><\/a> and <\/span>June 2017<\/span><\/a>. Both of those surveys demonstrated clear and continual improvement in the state of internet security. But now that tools like the <\/span>Mozilla Observatory<\/span><\/a>, <\/span>securityheaders.io<\/span><\/a> and <\/span>Hardenize<\/span><\/a> have become more commonplace, has the excitement for improvement been tempered?<\/span><\/p>\n

February 2018 Scan<\/span><\/h3>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Technology<\/b><\/td>\nJune 2017<\/b><\/td>\nFebruary 2018<\/b><\/td>\n% Change
\n(June 2017)<\/b><\/td>\n		% Change
\n(All\u2011Time1<\/sup><\/b><\/a>)<\/b><\/b><\/td>\n<\/tr>\n
Content Security Policy (CSP)<\/span><\/td>\n.018%2<\/sup><\/a>
\n.043%<\/span>3<\/sup><\/a><\/td>\n		.022%2<\/sup><\/a>
\n.112%<\/span>3<\/sup><\/a><\/td>\n		+22%
\n+161%<\/span><\/td>\n		+340%
\n+833%<\/span><\/td>\n<\/tr>\n
Cookies (Secure\/HttpOnly)<\/span>4<\/sup><\/a><\/td>\n6.50%<\/span><\/td>\n8.97%<\/span><\/td>\n+38%<\/span><\/td>\n+139%<\/span><\/td>\n<\/tr>\n
Cross-origin Resource Sharing (CORS)<\/span>5<\/sup><\/a><\/td>\n96.55%<\/span><\/td>\n96.89%<\/span><\/td>\n+.35%<\/span><\/td>\n+3.3%<\/span><\/td>\n<\/tr>\n
HTTPS<\/span><\/td>\n45.80%<\/span><\/td>\n54.31%<\/span><\/td>\n+19%<\/span><\/td>\n+83%<\/span><\/td>\n<\/tr>\n
HTTP \u2192 HTTPS Redirection<\/span><\/td>\n14.38%6<\/sup><\/a>
\n22.88%<\/span>7<\/sup><\/a><\/td>\n		21.46%6<\/sup><\/a>
\n32.82%<\/span>7<\/sup><\/a><\/td>\n		+49%
\n+43%<\/span><\/td>\n		+324%
\n+268%<\/span><\/td>\n<\/tr>\n
Public Key Pinning (HPKP)<\/span><\/td>\n0.71%<\/span><\/td>\n1.07%<\/span><\/td>\n+51%<\/span><\/td>\n+148%<\/span><\/td>\n<\/tr>\n
\u00a0\u00a0\u00a0\u2014 HPKP Preloaded<\/span>8<\/sup><\/a><\/td>\n0.43%<\/span><\/td>\n0.70%<\/span><\/td>\n+63%<\/span><\/td>\n+71%<\/span><\/td>\n<\/tr>\n
Strict Transport Security (HSTS)<\/span>9<\/sup><\/a><\/td>\n4.37%<\/span><\/td>\n6.03%<\/span><\/td>\n+38%<\/span><\/td>\n+245%<\/span><\/td>\n<\/tr>\n
\u00a0\u00a0\u00a0\u2014 HSTS Preloaded<\/span>8<\/sup><\/a><\/td>\n.337%<\/span><\/td>\n.631%<\/span><\/td>\n+87%<\/span><\/td>\n+299%<\/span><\/td>\n<\/tr>\n
Subresource Integrity (SRI)<\/span><\/td>\n0.113%<\/span>10<\/sup><\/a><\/td>\n0.182%<\/span>11<\/sup><\/a><\/td>\n+61%<\/span><\/td>\n+1113%<\/span><\/td>\n<\/tr>\n
X-Content-Type-Options (XCTO)<\/span><\/td>\n9.41%<\/span><\/td>\n11.72%<\/span><\/td>\n+21%<\/span><\/td>\n+89%<\/span><\/td>\n<\/tr>\n
X-Frame-Options (XFO)<\/span>12<\/sup><\/a><\/td>\n10.98%<\/span><\/td>\n12.55%<\/span><\/td>\n+14%<\/span><\/td>\n+84%<\/span><\/td>\n<\/tr>\n
X-XSS-Protection (XXSSP)<\/span>13<\/sup><\/a><\/td>\n8.12%<\/span><\/td>\n10.36%<\/span><\/td>\n+28%<\/span><\/td>\n+106%<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Improvement across the web appears to be continuing at a steady rate. Although a 19% increase in the number of sites that support HTTPS might seem small, the absolute numbers are quite large \u2014 it represents over <\/span>83,000<\/b> websites, a slight slowdown from the previous survey’s <\/span>119,000<\/b> jump, but still a great sign of progress in encrypting the web’s long tail.<\/span><\/p>\n

Not only that, but an additional <\/span>97,000<\/b> of the top websites have chosen to be HTTPS by default, with another <\/span>16,000<\/b> of them forbidding any HTTP access at all through the use of HTTP Strict Transport Security (HSTS). Also notable is the jump in websites that have chosen to opt into being preloaded in major web browsers, via a process known as <\/span>HSTS preloading<\/span><\/a>. Until browsers switch to HTTPS by default, HSTS preloading is the best method for solving the trust-on-first-use problem in HSTS.<\/span><\/p>\n

Content Security Policy (CSP) \u2014 one of the most important recent advances due to its ability to prevent <\/span>cross-site scripting (XSS) attacks<\/span><\/a> \u2014 continues to see strong growth. Growth is faster in policies that ignore inline stylesheets (CSS), perhaps reflecting the difficulties that many sites have with separating their presentation from their content. Nevertheless, improvements brought about by specification additions such as <\/span>'strict-dynamic'<\/tt><\/span><\/a> and policy generators such as the <\/span>Mozilla Laboratory<\/span><\/a> continue to push forward CSP adoption.<\/span><\/p>\n

Mozilla Observatory Grading<\/span><\/h3>\n

Despite this progress, the vast majority of top websites around the web continue not to use Content Security Policy, Strict Transport Security, or Subresource Integrity. As these technologies \u2014 when properly used \u2014 can nearly eliminate huge classes of attacks against sites and their users, they are given a significant amount of weight in Observatory scans.<\/span><\/p>\n

As a result of their low usage rates amongst top websites, they typically receive failing grades from the Observatory:<\/span><\/p>\n\n\n\n\n\n\n\n\n\n
Grade<\/b><\/td>\nApril 2016<\/b><\/td>\nOctober 2016<\/b><\/td>\nJune 2017<\/b><\/td>\nFebruary 2018<\/b><\/td>\n% Change<\/b><\/td>\n<\/tr>\n
\u00a0 A+<\/span><\/td>\n.003%<\/span><\/td>\n.008%<\/span><\/td>\n.013%<\/span><\/td>\n.018%<\/span><\/td>\n+38%<\/span><\/td>\n<\/tr>\n
A<\/span><\/td>\n.006%<\/span><\/td>\n.012%<\/span><\/td>\n.029%<\/span><\/td>\n.011%<\/span><\/td>\n-62%<\/span><\/td>\n<\/tr>\n
B<\/span><\/td>\n.202%<\/span><\/td>\n.347%<\/span><\/td>\n.622%<\/span><\/td>\n1.08%<\/span><\/td>\n+74%<\/span><\/td>\n<\/tr>\n
C<\/span><\/td>\n.321%<\/span><\/td>\n.727%<\/span><\/td>\n1.38%<\/span><\/td>\n2.04%<\/span><\/td>\n+48%<\/span><\/td>\n<\/tr>\n
D<\/span><\/td>\n1.87%<\/span><\/td>\n2.82%<\/span><\/td>\n4.51%<\/span><\/td>\n6.12%<\/span><\/td>\n+36%<\/span><\/td>\n<\/tr>\n
F<\/span><\/td>\n97.60%<\/span><\/td>\n96.09%<\/span><\/td>\n93.45%<\/span><\/td>\n90.73%<\/span><\/td>\n-2.9%<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

We do see some significant improvements. As <\/span>976,930<\/b> scans were successfully completed in the last survey, a decrease in failing grades by 2.9% implies that over <\/span>27,000<\/b> of the top sites in the world have improved from a failing grade in the last eight months alone. Note that the drop in <\/span>A<\/b> grades is due to a recent change where extra credit points can no longer be used to move up to an <\/span>A<\/b> grade..<\/span><\/p>\n

Thus far, over <\/span>140,000<\/b> websites around the web have directly used the Mozilla Observatory to improve their grades, indicated by making an improvement to their website after an initial scan. Of these <\/span>140,000<\/b> websites, over <\/span>2,800<\/b> have improved all the way from a failing grade to an A or A+ grade.<\/span><\/p>\n

When I first built the Observatory at <\/span>Mozilla<\/span><\/a>, I had never imagined that it would see such widespread use. 6.6M<\/strong> scans across 2.3M<\/strong> unique domains later, it seems to have made a significant difference across the internet. I couldn’t have done it without the support of Mozilla and the security researchers who have helped to improve it.<\/span><\/p>\n

Please share the <\/span>Mozilla Observatory<\/span><\/a> so that the web can continue to see improvements over the years to come!<\/span><\/p>\n


\n<\/a>Footnotes:<\/b><\/p>\n

    \n
  1. Since <\/span>April 2016<\/span><\/a><\/li>\n
  2. Allows <\/span>'unsafe-inline'<\/tt><\/span> in neither <\/span>script-src<\/tt><\/span> nor <\/span>style-src<\/tt><\/span><\/li>\n
  3. Allows <\/span>'unsafe-inline'<\/tt><\/span> in <\/span>style-src<\/tt><\/span> only<\/span><\/li>\n
  4. Amongst sites that set cookies<\/span><\/li>\n
  5. Disallows foreign origins from reading the domain’s contents within user’s context<\/span><\/li>\n
  6. Redirects from HTTP to HTTPS on the same domain, which allows HSTS to be set<\/span><\/li>\n
  7. Redirects from HTTP to HTTPS, regardless of the final domain<\/span><\/li>\n
  8. As listed in the <\/span>Chromium preload list<\/span><\/a><\/li>\n
  9. max-age<\/tt><\/span> set to at least six months<\/span><\/li>\n
  10. Percentage is of sites that load scripts from a foreign origin<\/span><\/li>\n
  11. Percentage is of sites that load scripts<\/span><\/li>\n
  12. CSP <\/span>frame-ancestors<\/tt><\/span> directive is allowed in lieu of an XFO header<\/span><\/li>\n
  13. Strong CSP policy forbidding <\/span>'unsafe-inline'<\/tt><\/span> is allowed in lieu of an XXSSP header<\/span><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

    Prior to the release of the Mozilla Observatory in June of 2016, I ran a scan of the Alexa Top 1M websites. Despite being available for years, the usage rates … Read more<\/a><\/p>\n","protected":false},"author":1227,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"\nAnalysis of the Alexa Top 1M Sites - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"April King\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/\",\"name\":\"Analysis of the Alexa Top 1M Sites - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2018-02-28T23:49:20+00:00\",\"dateModified\":\"2018-02-28T23:49:20+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/cab208d1e0249bd2da73bc39c3d542b7\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Analysis of the Alexa Top 1M Sites\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/cab208d1e0249bd2da73bc39c3d542b7\",\"name\":\"April King\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/dd59dfe8e9604d209d11d9a03e8ab3a6\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b874e43ec7b59fdca0b4f9b8c3b7cc1b?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b874e43ec7b59fdca0b4f9b8c3b7cc1b?s=96&d=identicon&r=g\",\"caption\":\"April King\"},\"description\":\"IRC: April\",\"sameAs\":[\"https:\/\/pokeinthe.io\/\",\"https:\/\/x.com\/aprilmpls\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analysis of the Alexa Top 1M Sites - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/","twitter_misc":{"Written by":"April King","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/","url":"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/","name":"Analysis of the Alexa Top 1M Sites - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2018-02-28T23:49:20+00:00","dateModified":"2018-02-28T23:49:20+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/cab208d1e0249bd2da73bc39c3d542b7"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2018\/02\/28\/analysis-alexa-top-1m-sites-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Analysis of the Alexa Top 1M Sites"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/cab208d1e0249bd2da73bc39c3d542b7","name":"April King","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/dd59dfe8e9604d209d11d9a03e8ab3a6","url":"https:\/\/secure.gravatar.com\/avatar\/b874e43ec7b59fdca0b4f9b8c3b7cc1b?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b874e43ec7b59fdca0b4f9b8c3b7cc1b?s=96&d=identicon&r=g","caption":"April King"},"description":"IRC: April","sameAs":["https:\/\/pokeinthe.io\/","https:\/\/x.com\/aprilmpls"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2299"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1227"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2299"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2299\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2299"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}