IPVM Site Goes All HTTPS, Largest 3 Manufacturers Do Not [Axis, Dahua Fixed]By: John Honovich, Published on Jul 12, 2016
IPVM.com now serves all pages over HTTPS to improve security and privacy. However, a number of video surveillance manufacturers do not, including the largest 3. We review both of these items, including notable manufacturers lack of support in this report.
Moving to All HTTPS
HTTPS encrypts connections between a visitor and a server / site like IPVM. This reduces risk against attacks, tampering and eavesdropping when visiting a site.
HTTPS everywhere is a rising trend. Historically, HTTPS was used only for specific pages on a site, such as login / authentication and sending of specific sensitive information. Over the last few years, technology leaders have increasingly shifted to using HTTPS for all connections. In particular, Google is campaigning for "HTTPS Everywhere".
Adding EV Certificate
In addition to serving all IPVM.com pages over HTTPS, we have obtained an Extended Validation (EV) Certificate. This goes beyond simply using an HTTPS connection, adding an identity validation process (where a certificate authority manually verifies an organization) to provide further assurances to our visitors.
Now, IPVM pages show an additional Green bar on Chrome, signifying our EV certificate, before the URL entry like so:
This is similar to the security / assurances large corporations provide, e.g., here is Bank of America:
While there are always cyber security risks and HTTPS is not a cure all, we expect implementing HTTPS site wide and adding an EV certificate to improve security and privacy when viewing IPVM.
For those wanting more direct benefits, Google indicates potential SEO / search traffic improvements for sites using HTTPS.
Moreover, the process of doing this was not particularly hard. Even a site with as many sections / elements as IPVM took less than 40 hours total to do the migration, solve any bugs in the transition and get the EV certificate added.
However, quite a number of large industry players do not.
No Default HTTPS
Of the manufacturers IPVM most frequently covers, here are those who do NOT default to HTTPS:
- (NO) Arecont Vision
- (NO) Avigilon
- (NO) Axis
- (NO) Dahua [link no longer available]
- (NO) Genetec
- (NO) Hikvision
This includes the 3 biggest manufacturers in the world, companies one would expect to be on the forefront of things like that (Hikvision and their 5,000 engineers, Axis and their cybersecurity marketing, etc.)
UPDATE and Axis Warning
Not only does Axis not use HTTPS by default, they do not use HTTPS on their login page. This presents a risk of one's password being stolen before it is submitted via HTTPS. This is demonstrated at StealMyLogin. [Hat tip U1, who called this out in the comments]
Unfortunately and ironically, Axis requires this insecure login to access firmware to solve their critical security vulnerability (which we strongly recommend you do).
[Update Nov 2016: Axis has added HTTPS for their login page.]
[Update April 2017: Dahua has added HTTPS for their website [link no longer available]]
Yes Default HTTPS
By contrast, here are some manufacturers that DO default to HTTPS:
- (YES) Exacq (with an EV certificate)
- (YES) Hanwha Security [link no longer available] (formerly Samsung)
- (YES) Pelco
- (YES) Milestone
- (YES) Arecont Vision (with an EV certificate) added September 2016)
- (YES) Genetec added November 2016
Both ADI and Anixter default to HTTPS. Surprisingly, PSA Security, who is heavily marketing cybersecurity, has not. Additionally, Tri-Ed has not either.
ASIS defaults to HTTPS and has an EV certificate but SIA, who is also heavily marketing cybersecurity, has not.
None of the 7 trade magazines we checked had defaulted to HTTPS though, in fairness, they are still focused on print.
Larger organizations that have lots of customers should default to HTTPS. We definitely expect many more manufacturers to do so.
If you have more information or you company has moved to site-wide HTTPS, leave a comment so it is noted.