90% of HTTPS Websites Insecure, Team Created to Address It

Recently the most popular websites that use secure online transactions (online stores, banks, communication sites, etc.) were tested for security, and most did not fare very well. Of the approximately 200,000 HTTPS (SSL-encrypted) websites tested, only about 10% are properly secured according to the Trustworthy Internet Movement (TIM). Also, about 75% of the sites are still vulnerable to a BEAST attack.

The test checked several key factors of an SSL deployment, including:

  • Cipher Strength
  • Key Exchange
  • Protocol Support
  • Certificate Information

The woes of SSL communication have been known for several years now. Years ago, security expert Moxie Marlinspike showed that SSL communications can be intercepted using a man-in-the-middle attack and the encryption stripped away, so that the unencrypted information can be read, using a program called SSLstrip.

Also, one of the tests used by the TIM checked SSL sites for vulnerability to the Browser Exploit Against SSL/TLS (BEAST) attack. The BEAST attack exploits a weakness that was discovered in SSL in 2004. The attack is a combination of JavaScript and a network sniffer that decrypts session cookies, which can then be used to hijack the user’s logged-in session.

A video of BEAST in operation along with additional information on the attack tool can be found on one of the developer’s websites.

TIM has created a task force of world-renowned security experts to try to tackle the SSL issue:

“The Trustworthy Internet Movement (TIM) is convening a task force that includes Taher Elgamal, one of the creators of the SSL protocol; Moxie Marlinspike, creator of Convergence; Ivan Ristic, director of engineering at Qualys; and other experts from Google, PayPal and GlobalSign. Ristic founded SSL Labs, a research project to measure and track the effective security of SSL on the internet.”

Changes clearly need to be made to the secure online transaction system. Even so, several of the SSL issues already have fixes available; sadly, it seems that the measures needed to properly secure SSL simply have not been applied.
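As an added example (not code from the article, TIM or SSL Labs), the following Python applies the four factors listed above, plus the BEAST check, to a description of a server's TLS settings. Suite names follow OpenSSL's naming scheme, the thresholds (128-bit ciphers, 2048-bit keys, TLS 1.1 as the cut-off for BEAST) are my own choices, and the two server profiles at the bottom are constructed, not measured from real hosts.

```python
"""Rule-based assessment of a server's TLS configuration along the four
factors the article lists (cipher strength, key exchange, protocol support,
certificate) plus the BEAST exposure check.  Added example, not TIM or SSL
Labs code.  Suite names follow OpenSSL's naming scheme; the two server
profiles at the bottom are constructed, not measured from real hosts."""
from dataclasses import dataclass

# Oldest to newest.  SSLv3 and TLS 1.0 use the chained-IV CBC construction
# that BEAST exploits; TLS 1.1 introduced explicit per-record IVs.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
KX_PREFIXES = ("ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH", "EXP")
# Effective key bits per bulk cipher (RC4 keeps its nominal 128 but is flagged
# separately because its keystream biases make it unusable).
BULK_BITS = {"AES256": 256, "AES128": 128, "CHACHA20": 256,
             "DES-CBC3": 112, "DES-CBC": 56, "RC4": 128, "NULL": 0}


@dataclass
class Suite:
    name: str
    kx: str    # key exchange: ECDHE, DHE, RSA (static), ADH (anonymous), EXP
    bulk: str  # bulk cipher label from BULK_BITS
    bits: int
    mode: str  # AEAD, CBC, STREAM or NONE
    mac: str   # SHA, SHA256, SHA384, MD5 or AEAD (integrity built into the mode)


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL-style name such as ECDHE-RSA-AES128-GCM-SHA256."""
    if name.startswith("TLS_"):  # TLS 1.3 suites are always ephemeral and AEAD
        return Suite(name, "ECDHE", name[4:], 256 if "256" in name else 128, "AEAD", "AEAD")
    tokens = name.split("-")
    kx = tokens.pop(0) if tokens[0] in KX_PREFIXES else "RSA"
    if tokens and tokens[0] in ("RSA", "ECDSA", "DSS"):
        tokens.pop(0)  # authentication algorithm; not scored here
    mac = tokens.pop() if tokens and tokens[-1] in ("SHA", "SHA256", "SHA384", "MD5") else "AEAD"
    rest = "-".join(tokens)  # e.g. "AES128-GCM", "DES-CBC3", "RC4", "CHACHA20-POLY1305"
    if any(tag in rest for tag in ("GCM", "POLY1305", "CCM")):
        mode, mac = "AEAD", "AEAD"
    elif rest == "RC4":
        mode = "STREAM"
    elif rest == "NULL":
        mode = "NONE"
    else:
        mode = "CBC"
    bulk = next((b for b in BULK_BITS if rest.startswith(b)), rest)
    bits = 40 if kx == "EXP" else BULK_BITS.get(bulk, 0)
    return Suite(name, kx, bulk, bits, mode, mac)


@dataclass
class ServerProfile:
    host: str
    protocols: list        # versions the server will negotiate
    suites: list           # suite names in the server's preference order
    cert_key_bits: int
    cert_expired: bool = False
    hostname_matches: bool = True
    dh_param_bits: int = 2048  # only matters when a DHE suite is offered


def assess(p: ServerProfile) -> dict:
    """Return findings per factor, a BEAST verdict and an overall pass flag."""
    suites = [parse_suite(n) for n in p.suites]
    f = {"cipher_strength": [], "key_exchange": [], "protocol_support": [], "certificate": []}
    for s in suites:
        if s.mode == "NONE":
            f["cipher_strength"].append(f"{s.name}: no encryption")
        elif s.bulk == "RC4":
            f["cipher_strength"].append(f"{s.name}: RC4 is broken")
        elif s.bits < 128:
            f["cipher_strength"].append(f"{s.name}: only {s.bits}-bit")
        if s.mac == "MD5":
            f["cipher_strength"].append(f"{s.name}: MD5 MAC")
        if s.kx in ("ADH", "AECDH"):
            f["key_exchange"].append(f"{s.name}: anonymous, server not authenticated")
    if not any(s.kx in ("ECDHE", "DHE") for s in suites):
        f["key_exchange"].append("no forward-secrecy (ECDHE/DHE) suite offered")
    if any(s.kx == "DHE" for s in suites) and p.dh_param_bits < 2048:
        f["key_exchange"].append(f"{p.dh_param_bits}-bit DH parameters")
    for v in p.protocols:
        if PROTOCOL_ORDER.index(v) < PROTOCOL_ORDER.index("TLSv1.1"):
            f["protocol_support"].append(f"{v} enabled")
    if p.cert_key_bits < 2048:
        f["certificate"].append(f"{p.cert_key_bits}-bit certificate key")
    if p.cert_expired:
        f["certificate"].append("certificate expired")
    if not p.hostname_matches:
        f["certificate"].append("certificate does not match hostname")
    # BEAST: a legacy client (SSLv3/TLS 1.0 only) cannot use AEAD suites, so the
    # server's first non-AEAD preference is what it would negotiate.  Exposed
    # when that pick is CBC and a legacy protocol is still enabled.  Assumes
    # the preference order applies uniformly across protocol versions.
    legacy_enabled = any(PROTOCOL_ORDER.index(v) <= PROTOCOL_ORDER.index("TLSv1.0") for v in p.protocols)
    legacy_pick = next((s for s in suites if s.mode != "AEAD"), None)
    f["beast_exposed"] = legacy_enabled and legacy_pick is not None and legacy_pick.mode == "CBC"
    f["passes"] = not f["beast_exposed"] and not any(
        f[k] for k in ("cipher_strength", "key_exchange", "protocol_support", "certificate"))
    return f


# Constructed profiles: a 2012-era deployment and a hardened one.
LEGACY = ServerProfile("shop.example", ["SSLv3", "TLSv1.0"],
                       ["AES256-SHA", "RC4-MD5", "DES-CBC3-SHA"], cert_key_bits=1024)
HARDENED = ServerProfile("bank.example", ["TLSv1.2", "TLSv1.3"],
                         ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
                          "ECDHE-RSA-CHACHA20-POLY1305"], cert_key_bits=2048)

if __name__ == "__main__":
    for profile in (LEGACY, HARDENED):
        print(profile.host, assess(profile))
```

The legacy profile fails on every factor and is BEAST-exposed, because a TLS 1.0 client would be handed the CBC suite AES256-SHA. The 2012-era workaround was to move a non-CBC suite (RC4) ahead of it for TLS 1.0; RC4 is itself now considered broken, so the durable fix the check rewards is dropping SSLv3 and TLS 1.0 and offering only AEAD suites with ephemeral key exchange.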

Marine Shot During Craigslist Transaction

A US Marine was shot three times during a robbery attempt at a Craigslist transaction. Lt. Col. Karl Trenker stood in for his fiancée when a business transaction went very badly.

It was supposed to end like thousands of other Craigslist sales, except the buyers had other things in mind. When Lt. Col. Trenker presented a gold chain to one of the prospective buyers, he took off with it. Col. Trenker, having none of that, took after him and ended up getting shot three times.

His military experience helped him stay calm and survive, as he actually plugged the bullet holes with his fingers to slow blood flow until help arrived. The thieves were apprehended shortly thereafter.

Lt. Col. Trenker’s fiancée was originally going to go to the meeting by herself; thank God he would not let her go, and went in her place. The Trenkers are meeting with the CEO of Craigslist to talk about how to make transactions safer in the future.

Please be very careful out there when dealing with unknown people that you meet online. Never go alone, meet in a public place and have a cell phone with you at all times.