.be is safe, but there is always room for improvement

11 October 2023

One of the missions of DNS Belgium is to guarantee the security of the Internet in Belgium. We work tirelessly and take numerous initiatives to make .be domain names as secure as possible. With European Cybersecurity Month just around the corner, we thought it would not be a bad idea to check how secure .be domain names actually are. It turns out that they are not too bad, but there is obviously still room for improvement

42 per cent use https 

The best-known criterion for determining whether a website is secure is the https at the beginning. The "s" in it refers to secure, which in full then becomes Hypertext Transfer Protocol Secure. Mind you, https doesn't actually say anything about the authenticity of the website itself. It only confirms that the connection you have with that website is secure.  

The crawler we developed for .be websites helped us find out how many .be websites use https. That turned out to be 42 per cent. 38 per cent are still using the unsecured protocol (http). And no, that sum of both does not add up to a total of 100 because of the 1,740,869 .be domain names, there are 352,482 or 20 per cent to which no website is linked.   

That 38 per cent still using http is somewhat worrying, but fortunately we can nuance that percentage. Barely 9 per cent of those 38 are websites that are actively used. The remaining 29 per cent we call 'low content' websites: they usually have an empty placeholder page. If you are not actively using your domain name and website, it is also not that important whether the connection to it is secure or not. 

A few months ago, Microsoft announced that Windows 11 will discontinue support for TLS 1.0 and 1.1 starting in September. TLS (Transport Layer Security) is a security layer that works with a public and a secret key and encrypts data during transfer.  

The fact that Microsoft will stop offering TLS1.0 and 1.1 is not a problem for most websites because they already use TLS1.2 or a more recent version. Just to be sure, we took a quick look at how many .be domain names are affected by this decision. It turns out there are 3,190.   

1,613 of them are low content. Which means that 1,574 websites with 'real content' will no longer work after the update. 

Securing your e-mail address 

A domain name may also include e-mail addresses. To protect your e-mail address from spoofing and phishing , domain name holders can take various measures (). One of these is the Sender Policy Framework (SPF). This is a list of approved servers that are allowed to send e-mails from your domain. Without SPF, someone with malicious intent could pretend to send e-mails on your behalf. Domain name holders seem well aware of the importance of SPF: SPF is used for 49.73 per cent of .be domain names.   

If the SPF is a kind of verified postman, you could say DKIM (Domain Keys Identified Mail) is a stamp that seals the envelope and confirms the authenticity of the sender. For 37.2 per cent of .be domain names, DKIM signatures confirm the authenticity of e-mail messages. Clearly some room for improvement there.   

DMARC (Domain-based Message Authentication, Reporting, and Conformance) completes the row of unpronounceable acronyms. It is an extra check that ensures nothing slips through the loopholes of the previous two measures and makes it even harder for cybercriminals to impersonate someone else. Barely a fifth of domainers protect their emails with DMARC. 

Always room for improvement 

We did a statistical sampling of 58,358 .be domain names to investigate some of the lesser-known ways to secure a website. These include ways to add extra security layers to your domain name that prevent hackers from modifying data on your website, telling browsers to automatically use https on the next visit, and what to expect on your website. For the specialists: specifically, it was about CSP, HSTS, X-Frame-Options and X-Content-Type-Options.  

The sample makes it clear that we should strongly encourage the use of these possibilities, with a maximum of 20 per cent of .be websites using one of them. (6 per cent for CSP, 14.2 per cent for HSTS, and 13.6 per cent and 19.7 per cent respectively for X-Frame-Options and X-Content-Type-Options).  

The last security method we tested is Domain Name System Security Extensions ( DNSSEC ). This ensures that you can check whether someone is trying to forge your DNS records to steal your domain name or website. Again, there is still a lot of room for improvement, as only 30 per cent of .be domain names are equipped with this security measure. 

Does that mean .be websites are unsafe?  

Not at all. First, all websites where important data is exchanged, such as bank websites or government portals, are very well protected in the .be zone. This does not mean that you should not be wary of phishing, for example.   

It is mainly the 'smaller' websites, owned by individuals, clubs or associations, where correct and secure configuration could be done better. Only by improving these can we prevent a domain name being used for criminal purposes. It is a joint effort to implement and refine security protocols so that everyone can be safer online. 

With this article, we support the United Nations Sustainable Development Goals.