Performing tasks online saves us so much time that we often take this convenience for granted. For instance, instead of visiting a bank, we are paying bills and transferring funds using our mobile devices or a PC. Same goes for making online purchases; within a few taps or clicks, goods are ordered and delivered to our doorsteps. Planning for a trip? Comparing costs and booking flights and accommodations online is easier than ever. All transactions stated above require you browsing through various websites; possibly spending considerable amount of time while visiting the websites and even submitting your personal information. How do we know if all these transactions are protected and secure?
Given over a billion websites exist, I hate to inform you that not every website offers sufficient security. Therefore, numerous websites expose their visitors’ online activities and personal information to serious security threats which could potentially result in invasion of privacy, identity theft or even financial loss. For this article, I am going to test website security of sixteen VoIP (Voice-over-IP) providers using a SSL (Secure Sockets Layer) Server Testing tool offered by Qualys SSL Labs. The rankings will be under four categories: Surp ... (A+), Standard (A, A-, B+, B), Below Standard (B-, C+, C, C-) and Fail (everything else). I will then examine differences which separate the most secure websites from the worst.
Please note, the ranking below is solely based on SSL testing which represents only one aspect of website security and does not address all security issues a website may face.
Surp ... (A+)
- www.phonepower.com (Grade: A)
- www.telehop.com (Grade: A)
- www.vmedia.ca (Grade: A)
- www.voipmuch.ca (Grade: A)
- www.voipo.com (Grade: A)
- www.yak.ca (Grade: A)
- www.altimatel.com (Grade: A-)
- www.worldline.com (Grade: A-)
- www.teksavvy.com (Grade: B)
- www.vonage.ca (Grade: B)
- www.comwave.net (Grade: F)
- www.iristel.ca (Grade: F)
- www.ooma.com (Grade: F)
- www.primus.ca (Grade: F)
SSL Server Testing tool used for this article has four main grading criteria: Certificate Quality, Protocol Support, Key Exchange Support and Cipher Support. You can read their server rating guide here for more details. I will go over each ranking category and discuss what factors might have affected a provider’s website security ranking.
First of all, no one from our VoIP provider list earned a spot in the Surp ... category (Grade A+). In order to earn A+, a website must achieve Grade A in all four grading criteria mentioned above (Certificate Quality, Protocol Support, Key Exchange Support and Cipher Support). In addition, it needs to be protected by HTTP Strict Transport Security (HSTS). For more information about HSTS, click here.
Most VoIP providers from our list fall within the Standard category for receiving Grade B and higher. Many reputable VoIP providers are in the Standard category because they are relatively strong in all four grading criteria. Grades of both Vonage and Teksavvy are capped at B which place them at the lower end of the Standard category. Teksavvy could have had a higher grade if it had a stronger Diffie Hellman Key Exchange. Vonage could have scored better if it supports both newer RC4 cipher and Forward Secrecy. Forward Secrecy support would also have helped Altima Telecom and Worldline score slightly better (from A- to A). Regardless of the actual letter grade, VoIP providers shown in our Standard category are much more prepared to face online threats than those ranked in the following two categories.
Two VoIP providers fall under Below Standard category because both managed only Grade C in the SSL Server Testing. They are Acanac and 1-VoIP. Their weaknesses are identical and include: a weak Diffie-Hellman key exchange; lack of support for Forward Secrecy and accepting only older version of RC4 cipher. Since both websites only support older protocols (not the current best TLS 1.2.), their grades are capped at C.
Finally, there are a few VoIP providers’ websites which were given a grade of F. Upon closer inspection, the SSL test results indicate these websites lack sufficient Protocol Security support so they are deemed insecure due to vulnerability to attacks. One prime example is Primus (no pun intended). Its website scored well in 3 out of the 4 criteria. However, without a proper Protocol support, it was given an F because the website has OpenSSL Padding Oracle vulnerability. Iristel is quite similar to Primus where it received good marks in 3 out of the 4 criteria but its obsolete protocol dragged its ranking down to F as well. Despite of having HSTS (HTTP Strict Transport Security) protection, Ooma also earned a grade of F due to lack of Protocol Support. Finally, Comwave has at least three vulnerability issues leading Grade F.
Our goal at Gonevoip is to see all providers achieve "Standard"; in that we have contacted providers and we know work is underway towards improving their site's security (1-VoIP) while otherd inspite of us contacting them have not responded about what they are doing/planing to do. To wrap things up, you can decide for yourself which VoIP providers’ websites from our list offers a well-rounded customer experience. This means a website should not only be easy to navigate; provides convenience and offer relevant information to its users. More importantly, it must keep its security measures up-to-date to protect the website itself and ultimately protecting its users’ online activities and private information. After going over the factors which affect a website’s security ranking, it became clear that a VoIP provider’s website (or any website) should pay more attention to its SSL configuration. Ideally, the provider should test its website security regularly to ensure all security measures are up-to-date. Even a minor outdated SSL component will render the website extremely vulnerable to cyber-attacks.
Below are a couple of simple tips to follow if you ever need to submit personal information online. First, select websites which are reputable and secure. To decide whether the website is secure or not, the URL address should start with “HTTPS” because HTTPS is consisted of three layers of website protection (Encryption; Data Integrity; Authentication). For example, https://gonvevoip.ca is more secure than http://gonevoip.ca. Second, avoid submitting private information to any websites (secure or not) while connected to a public Wifi network; even with a password. You don’t know if the Wifi network is secure or even scarier, it could have been setup by a scammer on purpose who can monitor every key-stroke of your online activity. Leave online transactions involving private information at home if possible.