Sick SSL ecosystem: 90% of HTTPS sites insecure, 75% vulnerable to BEAST attack

When you deal with sensitive or financial information online, be it banking or signing into email, it’s always important to make sure the website shows HTTPS in your web browser so your information is kept private and secure; but that’s not always good enough. In fact, a recent report found that 90% of the world’s 200,000 most popular websites which use HTTPS are actually vulnerable to SSL (Secure Socket Layer) attacks. 75% of the sites are vulnerable to the BEAST SSL attack. Sadly only 10% of SSL-enabled sites are secure.

The SSL ecosystem is sick, really sick. So two months after the RSA Conference where the nonprofit, vendor-neutral Trustworthy Internet Movement (TIM) launched, TIM formed a taskforce to review SSL. On Thursday, TIM kicked off SSL Pulse which is based on assessments and testing by SSL Labs and data on 200,000 SSL-enabled sites “that represent the most popular websites in the world.” The SSL Pulse project will continuously update a dashboard that tracks how well SSL is implemented across the top one million websites as ranked by Web analytics firm Alexa. SSL Pulse is supposed to show us “the state of the SSL ecosystem at a glance.”

Of the 198,216 most popular HTTPS sites first analyzed, 75% (148,002) of the sites are vulnerable to the BEAST attack. If a site leads you to believe you are safe and the site is secure, should you believe it? Apparently not since 90% (179,192) of SSL-enabled sites are actually insecure. It’s extremely disturbing that of nearly 200,000 websites claiming to be secure, only 9.59% or 19,024 sites are truly secure. Furthermore, according to the TIM blog, of the 99,903 (50%) of the sites that still managed to get an A grade from SSL Labs, “many of these A-grade sites (still) support insecure renegotiation (8,522 sites, or 8.5% of the well-configured ones) or are vulnerable to the BEAST attack (72,357 sites, or 72.4% of the well-configured ones).”

So the name of game is to name and shame companies that do not keep their websites secure. “We’ll be making it public,” TIM’s founder Philippe Courtot told BBC. “Everyone is now going to be able to see who has a good grade and who has a bad grade.” Since that may make some companies sweat, TIM also published an SSL/TLS Deployment Best Practices [PDF] guide “with clear and concise instructions to help overworked administrators and programmers spend the minimum time possible to deploy a secure site or web application.”

But running automated tools against SSL-enabled sites to test how well the protocol has been implemented is only the first step. The second step involves TIM working with governments and companies to check that certificate authorities (CA) are well run and not compromised. Most folks feel fairly safe when they see the padlock in their browser window which allegedly indicates a secure connection for private communications like email or banking. Just the same, an eavesdropper who has obtained a fake digital certificate can impersonate the encrypted website that you are visiting and negotiate a man-in-the-middle (MITM) attack.

In the spoofed spy cert arena, you might recall the DigiNotar debacle in which the company failed to immediately report being hacked. That translated, at the time, to “pretty much if you use the web, then a site you accessed had been targeted.” Microsoft, Google and Mozilla brought down the browser ban hammer on DigiNotar Certificate Authority and revoked access to any DigiNotar digital certificates. Not too long afterward, DigiNotar went belly-up bankrupt.

Both the sick SSL ecosystem and the CA issue are big problems, so TIM appointed an SSL Internet Taskforce of security and industry experts such as Taher Elgamal, one of the creators of the SSL protocol; Adam Langley, a Google software engineer responsible for SSL in Chrome and on the company’s front-end servers; Moxie Marlinspike, who has written extensively about the problems within the SSL protocol. Marlinspike is also the creator of the Convergence project that offers an alternative method for SSL certificate validation; Michael Barrett, chief information security officer at PayPal; Ivan Ristic, the creator of the Qualys SSL Labs; and Ryan Hurst, the chief technology officer at certificate authority GlobalSign.

You can check out key figures at SSL Pulse or enter a domain name to test if the site is genuinely secure and trusted.  

Image credit: SSL Pulse

Like this? Here’s more posts:

• Stop Cyber Spying: Stop CISPA the New Enemy of the Internet
• Smile for the drone: Coming to police stations near you soon
• FBI Warns Smart Meter Hacking May Cost Utility Companies $400 Million A Year
• Will we trade freedom for application security?
• Senator Al Franken: Privacy is a Fundamental Right
• Counterterrorism database stores all Americans as potential domestic terrorists
• Is Google co-founder in ‘digital denial’ about walled gardens and web freedom?
• New Gov’t Weapon: Warrantless Cell Phone Surveillance
• CIA wants to spy on you through your appliances
• Court to DOJ: Surfing on Work PC Isn’t Hacking
• US-CERT: Social engineers target utilities with fake Microsoft support calls
• Microsoft Patches Hotmail after 0-day Remote Password Reset Exploited in the Wild
• No warrant needed, no privacy: Judge rules even deleted tweets can be used in court
• DHS social media monitoring: Watched Facebook, emailed police, arrested photographer
• NSA Domestic Intercept Map? NSA Lies, Spies in Orwellian World of Gov’t Surveillance

Follow me on Twitter @PrivacyFanatic