90% of HTTPS Websites Insecure, Team Created to Address It

Recently the most popular websites using secure online transactions (Online stores, banks, communication sites, etc.) were tested for security and most did not fare very well. Of the approximately 200,000 HTTPS SSL encrypted websites tested, only about 10% are properly secured according to the Trustworthy Internet Movement (TIM). Also, about 75% of the sites are still vulnerable to a BEAST attack.

The test used checks for several key factors used in SSL encryption including:

  • Cipher Strength
  • Key Exchange
  • Protocol Support
  • Certificate Information

The woes of SSL communication have been known for several years now. Years ago, security expert Moxie Marlinspike has shown that SSL communications can be intercepted using a man-in-the-middle attack and the encryption can be stripped away so the unencrypted information read using a program called SSLstrip.

Also, one of the tests used by the TIM checked SSL sites for a vulnerability to the Browser Exploit Against SSL/TLS (BEAST) attack. The BEAST attack exposes a vulnerability that was discovered in SSL in 2004. The attack is a combination of Javascript and network sniffer that decrypts session cookies which can then be used to hijack and take over the user’s logged in session.

A video of BEAST in operation along with additional information on the attack tool can be found on one of the developer’s websites.

TIM has created a taskforce of world renown security experts to try to tackle the SSL issue:

“The Trustworthy Internet Movement (TIM) is convening a task force that includes Taher Elgamal, one of the creators of the SSL protocol; Moxie Marlinspike, creator of Convergence; Ivan Ristic, director of engineering at Qualys; and other experts from Google, PayPal and GlobalSign. Ristic founded SSL Labs, a research project to measure and track the effective security of SSL on the internet.”

Changes definitely need to be made to the secure online transaction system. Even so, several of the SSL issues have already been addressed, and sadly it seems that the appropriate measures to properly secure SSL have just not been taken.

SSL Compromised by Hackers and Feds?

It has been known for a while that SSL security, the same security that you use for online banking and online ordering is very susceptible to man-in-the-middle attacks. Moxie Marlinspike has proven for a couple of years now how vulnerable SSL is and keeps updating his SSLStrip program with new features.

Now, according to Wired magazine, the government has spying boxes that allow them to intercept and eavesdrop on SSL communication. So, just following the bunny trail, if government agencies have access to these boxes, what is to say that hackers do not have access to these boxes or something else that does the same thing?

You really need to be careful when ordering or banking online. The biggest threat is someone getting in between your system and your router/switch. If you are on a wireless network, make sure you are using WPA2 encryption, and are using a strong password. If you are on a wired lan, it is a good idea to have the windows firewall running. Do not do any secure communications from public access areas.

These things will help some, but if SSL truly is compromised, they will not help much.