90% of HTTPS Websites Insecure, Team Created to Address It

Recently the most popular websites using secure online transactions (Online stores, banks, communication sites, etc.) were tested for security and most did not fare very well. Of the approximately 200,000 HTTPS SSL encrypted websites tested, only about 10% are properly secured according to the Trustworthy Internet Movement (TIM). Also, about 75% of the sites are still vulnerable to a BEAST attack.

The test used checks for several key factors used in SSL encryption including:

  • Cipher Strength
  • Key Exchange
  • Protocol Support
  • Certificate Information

The woes of SSL communication have been known for several years now. Years ago, security expert Moxie Marlinspike has shown that SSL communications can be intercepted using a man-in-the-middle attack and the encryption can be stripped away so the unencrypted information read using a program called SSLstrip.

Also, one of the tests used by the TIM checked SSL sites for a vulnerability to the Browser Exploit Against SSL/TLS (BEAST) attack. The BEAST attack exposes a vulnerability that was discovered in SSL in 2004. The attack is a combination of Javascript and network sniffer that decrypts session cookies which can then be used to hijack and take over the user’s logged in session.

A video of BEAST in operation along with additional information on the attack tool can be found on one of the developer’s websites.

TIM has created a taskforce of world renown security experts to try to tackle the SSL issue:

“The Trustworthy Internet Movement (TIM) is convening a task force that includes Taher Elgamal, one of the creators of the SSL protocol; Moxie Marlinspike, creator of Convergence; Ivan Ristic, director of engineering at Qualys; and other experts from Google, PayPal and GlobalSign. Ristic founded SSL Labs, a research project to measure and track the effective security of SSL on the internet.”

Changes definitely need to be made to the secure online transaction system. Even so, several of the SSL issues have already been addressed, and sadly it seems that the appropriate measures to properly secure SSL have just not been taken.


One thought on “90% of HTTPS Websites Insecure, Team Created to Address It”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.