Most of the Internet's top 200,000 HTTPS websites are insecure, Trustworthy Internet Movement says

Seventy-five percent of HTTPS websites from Alexa's top one million are vulnerable to the BEAST SSL attack

By Lucian Constantin, IDG News Service | Data Center

"I believe that most administrators are not aware of the need to perform this task," Ristic said.

Protections against the BEAST attack have already been built into newer browsers. However, there are a lot of people, especially in business environments, who use old browsers like Internet Explorer 6, which are still vulnerable, Ristic said.

SSL Pulse scans also revealed that over 13 percent of the 200,000 HTTPS-enabled websites support the insecure renegotiation of SSL connections. This can lead to man-in-the-middle attacks that compromise SSL-protected communications between users and the vulnerable servers.

"For your average Web site -- which will not have anything of substantial value -- the risk is probably very small," Ristic said. "However, for sites that either have a very large number of users that can be exploited in some way, or high-value sites (e.g., financial institutions), the risks are potentially very big."

Fixing the insecure renegotiation vulnerability is fairly easy and only requires applying a patch, Ristic said.
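As an added illustration, not from the article or from SSL Pulse, the following Python checker reads the text that `openssl s_client -connect host:443` prints and flags the two findings discussed above: a server that does not advertise secure renegotiation (the RFC 5746 extension), and a connection negotiated with SSLv3 or TLS 1.0 plus a CBC cipher, the combination BEAST targets. The two transcripts are constructed from OpenSSL's real output format rather than captured from a live host, and because the negotiated cipher depends on what the client offered, the BEAST flag describes that one connection rather than every client the server might serve.

```python
import re

# Constructed samples of `openssl s_client -connect host:443` output (no real host),
# trimmed to the lines this checker reads. The first is the weak configuration the
# article describes, the second a hardened one.
WEAK_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""
HARDENED_OUTPUT = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

def parse_s_client(output):
    """Pull protocol, cipher and the renegotiation verdict out of s_client's text."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
        # "IS NOT supported" never contains this exact phrase, so a substring test is safe
        "secure_renegotiation": "Secure Renegotiation IS supported" in output,
    }

def is_cbc_cipher(name):
    """OpenSSL names CBC suites with no mode tag (AES256-SHA, DES-CBC3-SHA); AEAD suites
    carry GCM/CCM/CHACHA20, and RC4 is a stream cipher outside BEAST's scope."""
    return not any(tag in name for tag in ("GCM", "CCM", "CHACHA20", "RC4"))

def assess(output):
    """Return the two SSL Pulse findings for one observed connection."""
    info = parse_s_client(output)
    beast_exposed = (info["protocol"] in ("SSLv3", "TLSv1")
                     and info["cipher"] is not None and is_cbc_cipher(info["cipher"]))
    return {"insecure_renegotiation": not info["secure_renegotiation"],
            "beast_exposed": beast_exposed, **info}

if __name__ == "__main__":
    for label, out in (("weak", WEAK_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        print(label, assess(out))
```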

TIM plans to perform new SSL Pulse scans and to update the statistics on a monthly basis in order to track what progress websites are making with their SSL implementations.

This is part of a larger TIM project that will focus on SSL implementation and governance issues. The organization also announced the creation of an SSL Internet Taskforce on Thursday, to develop and propose solutions for known problems in these key areas.

The taskforce members include Michael Barrett, chief information security officer at PayPal; Taher Elgamal, one of the creators of the SSL protocol; Adam Langley, a Google software engineer responsible for SSL in Chrome and on the company's front-end servers; Moxie Marlinspike, the creator of the Convergence project, which offers an alternative method for SSL certificate validation; Ivan Ristic, the creator of Qualys SSL Labs; and Ryan Hurst, chief technology officer at certificate authority GlobalSign.
