Performing tasks online saves us so much time that we often take this convenience for granted. For instance, instead of visiting a bank, we are paying bills and transferring funds using our mobile devices or a PC. The same goes for making online purchases; within a few taps or clicks, goods are ordered and delivered to our doorsteps. Planning for a trip? Comparing costs and booking flights and accommodations online is easier than ever. All transactions stated above require you to browse through various websites. Possibly spending a considerable amount of time while visiting the websites and even submitting personal information. How do we know if all these transactions are protected and secure?
Given over a billion websites exist, not every website offers sufficient security. Therefore, numerous websites expose their visitors’ online activities and personal information to serious security threats. These may lead to potential identity theft or even financial loss.
For this article, I am going to test the website security of sixteen VoIP (Voice-over-IP) providers using an SSL (Secure Sockets Layer) Server Testing tool offered by Qualys SSL Labs. The rankings will be under four categories: Surpass (A+), Standard (A, A-, B+, B), Below Standard (B-, C+, C, C-) and Fail (everything else). I will then examine differences that separate the most secure websites from the worst.
Please note, the ranking below is solely based on SSL testing which represents only one aspect of website security and does not address all security issues a website may face.
- www.phonepower.com (Grade: A)
- www.telehop.com (Grade: A)
- www.vmedia.ca (Grade: A)
- www.voipmuch.ca (Grade: A)
- www.voipo.com (Grade: A)
- www.altimatel.com (Grade: A-)
- www.1-voip.com (Grade: A-)
- www.worldline.com (Grade: A-)
- www.teksavvy.com (Grade: B)
- www.vonage.ca (Grade: B)
- www.yak.ca (Grade: C)
- www.acanac.ca (Grade: C)
- www.comwave.net (Grade: F)
- www.iristel.ca (Grade: F)
- www.ooma.com (Grade: F)
- www.primus.ca (Grade: F)
*If your current VoIP phone provider is not listed above, you can find out your current provider’s grade by clicking here. To review the results we obtained you can check this document here.
SSL Server Testing tool used for this article has four main grading criteria: Certificate Quality, Protocol Support, Key Exchange Support, and Cipher Support. You can read their server rating guide here for more details. I will go over each ranking category and discuss what factors might have affected a provider’s website security ranking.
First of all, no one from our VoIP provider list earned a spot in the Surpass category (Grade A+). In order to earn A+, a website must achieve Grade A in all four grading criteria mentioned above (Certificate Quality, Protocol Support, Key Exchange Support, and Cipher Support). In addition, it needs to be protected by HTTP Strict Transport Security (HSTS). For more information about HSTS, click here.
Most VoIP providers from our list fall within the Standard category for receiving Grade B and higher. Many reputable VoIP providers are in the Standard category because they are relatively strong in all four grading criteria. Grades of both Vonage and Teksavvy are capped at B which places them at the lower end of the Standard category. Teksavvy could have had a higher grade if it had a stronger Diffie Hellman Key Exchange.
Vonage could have scored better if it supports both the newer RC4 cipher and Forward Secrecy. Forward Secrecy support would also have helped Altima Telecom and Worldline score slightly better (from A- to A). Regardless of the actual letter grade, VoIP providers shown in our Standard category are much more prepared to face online threats than those ranked in the following two categories.
Two VoIP providers fall under the Below Standard category because both managed only Grade C in the SSL Server Testing. They are Acanac and 1-VoIP. Their weaknesses are identical and include a weak Diffie-Hellman key exchange; lack of support for Forwarding Secrecy and accepting the only older version of the RC4 cipher. Since both websites only support older protocols (not the current best TLS 1.2.), their grades are capped at C.
Shopping Cart Insecurity
Finally, there are a few VoIP providers’ websites that were given a grade of F. Upon closer inspection, the SSL test results indicate these websites lack sufficient Protocol Security support so they are deemed insecure due to vulnerability to attacks. One prime example is Primus (no pun intended). Its website scored well in 3 out of the 4 criteria. However, without proper Protocol support, it was given an F because the website has OpenSSL Padding Oracle vulnerability. Iristel is quite similar to Primus where it received good marks in 3 out of the 4 criteria but its obsolete protocol dragged its ranking down to F as well. Despite having HSTS (HTTP Strict Transport Security) protection, Ooma also earned a grade of F due to a lack of Protocol Support. Finally, Comwave has at least three vulnerability issues leading to a Grade F.
Gonevoip’s goal is to see providers achieve “Standard”. We have contacted providers and we know work is underway towards improving their site’s security. Do some, in spite of us telling them have not responded about what they are doing/planning to do.
To wrap things up, a website has to be secure. Not just be easy to browse.
More importantly, it must keep its security measures up-to-date to protect the website itself and ultimately protecting its users’ online activities and private information. After going over the factors which affect a website’s security ranking, it became clear that a VoIP provider’s website (or any website) should pay more attention to its SSL configuration. Ideally, the provider should test its website security regularly to ensure all security measures are up-to-date. Even a minor outdated SSL component will render the website extremely vulnerable to cyber-attacks.
Below are a couple of simple tips to follow if you ever need to submit personal information online. First, select websites that are reputable and secure. To decide whether the website is secure or not, the URL address should start with “HTTPS” because HTTPS consists of three layers of website protection (Encryption; Data Integrity; Authentication). For example, https://gonvevoip.ca is more secure than https://gonevoip.ca. Second, avoid submitting private information to any websites (secure or not) while connected to a public Wi-Fi network; even with a password. You don’t know if the Wi-Fi network is secure or even scarier, it could have been set up by a scammer on purpose who can monitor every key-stroke of your online activity. Do all online transactions at home, if possible.