Washington, DC - The Federal Trade Commission today released a staff report that examines 11 web-hosting services that market themselves to small businesses and finds that many do not provide by default certain email authentication and anti-phishing technologies, potentially leaving many small firms at risk of facilitating phishing scams.
In a Staff Perspective, “Do Web Hosts Protect Their Small Business Customers with Secure Hosting and Anti-Phishing Technologies?”, the FTC’s Office of Technology Research and Investigation examined the security features offered by certain web hosting services that cater to small businesses. The research was prompted by a series of roundtable discussions around the country that the FTC held in 2017, in which many small business owners said that choosing web hosting and email providers was one of the key challenges they face.
The research found that many of the examined web hosts are helping small businesses implement SSL/TLS, with the majority of hosts integrating the process into their basic hosting plans or offering it as a straightforward option for an additional fee. SSL/TLS technology ensures users are visiting a legitimate website and not an imposter. It also provides encrypted communications to protect personal information sent between the website and a user’s computer, as well as other website security safeguards.
The Staff Perspective notes, however, that of the 11 web hosting companies examined by FTC staff, few offer straightforward access to email authentication and anti-phishing technologies. These include domain-level authentication systems that verify the identity of the domain that email claims to be from (SPF and DKIM) and a related technology that can be used to instruct receiving email services to reject the delivery of messages that wrongly claim to be from an address at the sender’s domain (DMARC).
In fact, FTC staff found that only two of the web-hosting companies implement SPF or DKIM by default and none offer support for DMARC as a standard feature of their hosting services. Furthermore, three of the 11 hosts do not provide any method for configuring DMARC. Although the use of DMARC is possible with the other eight hosts, their small business customers would need to have independent knowledge of DMARC and configure it on their own – something that a small business that is relying on the web host’s expertise is unlikely to do.
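To make the SPF, DKIM and DMARC gap concrete, the following added example (not part of the FTC report or this release) audits constructed DNS TXT records for three hypothetical domains and reports whether DMARC actually asks receivers to reject unauthenticated mail. The domain names, the zone layout (`@`, `_dmarc`, `<selector>._domainkey`) and the function names are assumptions for illustration.

```python
# Constructed sample TXT records for hypothetical domains (not from the FTC report).
SAMPLE_ZONES = {
    "no-auth.example": {},
    "monitor-only.example": {
        "@": ["v=spf1 include:_spf.mailhost.example ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:reports@monitor-only.example"],
    },
    "enforcing.example": {
        "@": ["v=spf1 ip4:192.0.2.10 -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:reports@enforcing.example"],
        "selector1._domainkey": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PLACEHOLDER_KEY"],
    },
}

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DMARC/DKIM style) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def spf_status(txt_records):
    """Return the qualifier on SPF's catch-all term, e.g. '-all' or '~all'."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:  # RFC 7208: more than one SPF record is a permanent error
        return "invalid: multiple SPF records"
    for term in spf[0].split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return (term[0] if term[0] in "+-~?" else "+") + "all"
    return "no 'all' term"

def dmarc_policy(txt_records):
    """Return the DMARC p= policy: 'none', 'quarantine' or 'reject'."""
    for record in txt_records:
        tags = parse_tags(record)
        if tags.get("v") == "DMARC1":
            return tags.get("p", "invalid: no p tag").lower()
    return "missing"

def audit(zone):
    dmarc = dmarc_policy(zone.get("_dmarc", []))
    # An empty DKIM p= tag means the key was revoked, so it does not count.
    dkim = any(name.endswith("._domainkey") and
               any(parse_tags(r).get("p") for r in records)
               for name, records in zone.items())
    return {"spf": spf_status(zone.get("@", [])), "dkim_key_published": dkim,
            "dmarc": dmarc, "dmarc_requests_reject": dmarc == "reject"}

if __name__ == "__main__":
    for domain, zone in SAMPLE_ZONES.items():
        print(domain, audit(zone))
```

Only the third constructed domain publishes a DMARC policy that tells receivers to reject mail failing authentication; `p=none` collects reports but leaves spoofed messages deliverable.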
Among other things, the Staff Perspective recommends that small businesses pay close attention to the security features offered by web hosts so that they can choose a host that will protect their websites and email accounts with SSL/TLS and email authentication technologies. It also urges that web hosts implement these technologies for their small business clients. Finally, it recommends that publications that review web hosts evaluate the availability of SSL/TLS and email authentication technologies in their reviews.