Almost All SSL Web Sites Are Insecure, Say Researchers


A recent survey by the nonprofit Trustworthy Internet Movement (TIM) found that only 10 percent of SSL implementations on leading Web sites are actually secure.

"The SSL Pulse project, set up by the Trustworthy Internet Movement, looks at several components of each site's SSL implementation to determine how secure the site actually is," writes Threatpost's Dennis Fisher. "The project looks at how each site is configured, which versions of the TLS and SSL protocols the site supports, whether the site is vulnerable to the BEAST or insecure renegotiation attacks and other factors. The data that the SSL Pulse project has gathered thus far shows that the vast majority of the 200,000 sites the project is surveying need some serious help in fixing their SSL implementations."

"Problems include sites that support weak or insecure cipher suites or those running with an incomplete certificate chain, among other shortcomings," writes The Register's John Leyden. "This doesn't necessarily mean such sites are wide open to fraud, but it does mean they might be better protected than they currently stand."

"Out of the 200,000 sites examined, only 19,024 were configured to withstand an attack discovered in 2009 that allows attackers to inject data into encrypted traffic passing between two endpoints," writes Ars Technica's Dan Goodin. "The vulnerability resides in the SSL protocol itself and can be exploited by renegotiating the protected session, something that often happens to generate a new cryptographic key."
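The checks described in the two passages above (negotiated protocol version, weak cipher suites, an incomplete certificate chain, and whether the server offers RFC 5746 secure renegotiation, the fix for the 2009 renegotiation injection flaw, CVE-2009-3555) can be reproduced for a single host with a stock `openssl s_client` run. The script below is an added example written for this page; it is not code from SSL Pulse, Qualys SSL Labs, or any of the outlets quoted. It assumes an `openssl` binary on the PATH for the live probe, and the "weak cipher" markers, the protocol list, the verify-code mapping and the two sample transcripts are all constructed assumptions of the example, not SSL Pulse's actual grading rules.

```python
"""Grade one TLS endpoint, SSL Pulse style, from `openssl s_client` output.

Added example for this page; not SSL Pulse / SSL Labs code.  The grading
rules below are a simplified stand-in for the criteria the article names.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Protocol versions counted as obsolete (assumption: SSLv2 and SSLv3).
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings that mark a cipher suite as weak or insecure (assumption:
# RC4, export grade, NULL encryption, anonymous DH, single DES).
WEAK_CIPHER_MARKERS = ("RC4", "EXP", "NULL", "ADH", "AECDH", "DES-CBC-SHA")
# X509 verify codes that mean the server sent an incomplete chain:
# 20 = unable to get local issuer certificate,
# 21 = unable to verify the first certificate.
INCOMPLETE_CHAIN_CODES = {20, 21}


@dataclass
class Finding:
    protocol: str
    cipher: str
    secure_renegotiation: bool
    verify_code: int
    problems: list = field(default_factory=list)


def parse_s_client(output: str) -> Finding:
    """Pull the four fields the checks need out of an s_client transcript."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    # s_client prints either "IS supported" or "IS NOT supported".
    reneg = re.search(r"Secure Renegotiation IS (NOT )?supported", output)
    verify = re.search(r"Verify return code:\s*(\d+)", output)
    if not (proto and cipher and reneg and verify):
        raise ValueError("unrecognised s_client output")
    return Finding(
        protocol=proto.group(1),
        cipher=cipher.group(1),
        secure_renegotiation=reneg.group(1) is None,
        verify_code=int(verify.group(1)),
    )


def grade(output: str) -> Finding:
    """Apply the SSL Pulse style checks to a parsed transcript."""
    f = parse_s_client(output)
    if f.protocol in INSECURE_PROTOCOLS:
        f.problems.append(f"negotiated obsolete protocol {f.protocol}")
    if any(marker in f.cipher for marker in WEAK_CIPHER_MARKERS):
        f.problems.append(f"weak cipher suite {f.cipher}")
    if not f.secure_renegotiation:
        f.problems.append(
            "no RFC 5746 secure renegotiation (CVE-2009-3555 exposure)")
    if f.verify_code in INCOMPLETE_CHAIN_CODES:
        f.problems.append(
            f"incomplete certificate chain (verify code {f.verify_code})")
    elif f.verify_code != 0:
        f.problems.append(f"certificate did not verify (code {f.verify_code})")
    return f


def probe(host: str, port: int = 443, protocol_flag: str = None) -> Finding:
    """Live check: run openssl s_client against host:port and grade it.

    Pass protocol_flag="-ssl3" (or "-tls1", "-tls1_2") to test whether the
    server still accepts that specific version; the default negotiates
    the highest version the local openssl supports.  Needs network access.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host]
    if protocol_flag:
        cmd.append(protocol_flag)
    # Empty stdin makes s_client exit once the handshake has been printed.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return grade(proc.stdout.decode(errors="replace")
                 + proc.stderr.decode(errors="replace"))


# Constructed sample transcripts (not captured from any real site).
GOOD_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, O = Example CA, CN = Example Intermediate
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
    Verify return code: 0 (ok)
---
"""

BAD_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = shop.example
verify error:num=21:unable to verify the first certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Verify return code: 21 (unable to verify the first certificate)
---
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        result = grade(sample)
        print(name, result.protocol, result.cipher, result.problems or "clean")
```

A single default probe only shows the best protocol and suite the two sides agree on; to reproduce the "supports SSLv3" or "supports weak suites" findings you run `probe()` once per `-ssl3`/`-tls1` flag and once per suspicious `-cipher` list, which is exactly why the survey looks at a site's configuration rather than one handshake.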

"TIM has established a taskforce of security experts, who will review SSL governance issues and develop proposals aimed at fixing both SSL and the certificate authority systems, both of which have been called into question in recent times," writes TechWeekEurope's Tom Brewster.

"Experts recruited to help with the initiative include SSL's inventor Dr Taher Elgamal; 'white hat' hacker Moxie Marlinspike who has written extensively about attacking the protocol; and Michael Barrett, chief security officer at PayPal," BBC News reports.