
Website Technology Issues Forum

    
Survey: 90pct Of HTTPS Sites Are Insecure
engine




msg:4446615
 5:29 pm on Apr 27, 2012 (gmt 0)

Survey: 90pct Of HTTPS Sites Are Insecure [pcworld.com]
Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems.

The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top one million published by Web analytics firm Alexa.

SSL Pulse checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower).



Earlier story
Sites With Good and Bad Security To Be Named By New Security Group [webmasterworld.com]

 

webindia123




msg:4446703
 10:20 pm on Apr 27, 2012 (gmt 0)

HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM)

That's good info that they are sharing but hope this does not dwell into misnomer among non-techie users (online buyers) as security vulnerability especially in emerging online economies like India.
On second thought, ideally https should be more preferred by search engines than http as they are being equipped with good usability, trusted, and malware-free websites.
Since most of them are trnx based but still they are not favored to that extent, albeit big brands enjoy biasedness whether they are http or https.

Sgt_Kickaxe




msg:4446799
 9:07 am on Apr 28, 2012 (gmt 0)

And 90% of those HTTPS sites preach about how secure they are.

There should be a universal disclaimer that tells everyone the internet is NOT secure be it from hackers, scam artists, spy agencies and even (especially) your own government. If it was universally accepted NOT to be safe people wouldn't ever assume it is. In many cases the things you type are recorded even BEFORE you press send/post/publish/next and whatnot. The net isn't secure, it never will be, that should be the only message given anywhere.

thecoalman




msg:4446837
 11:20 am on Apr 28, 2012 (gmt 0)

While it may not be an excuse, how many of these sites surveyed utilize https but don't really need it? I have one site; if I switched on https the only thing on it would be a contact form you might want encrypted.

What would be interesting is to see how many sites fail that gather personal information, especially those gathering financial information.

aspdaddy




msg:4446863
 12:50 pm on Apr 28, 2012 (gmt 0)

Nothing new, a bit of marketing for Qualys I suppose. Someone should do a survey on websites that use FTP and Email, two more insecure protocols.

jwolthuis




msg:4446883
 2:20 pm on Apr 28, 2012 (gmt 0)

I'm glad that I saw this post. I ran the free scanner on my website, and got a "B" grade, because I had forgotten to disable SSL 2.0 on my server, when I switched servers a few months back. The report said that I was one of the 90% vulnerable to the Beast.

I quickly fixed my oversight, and now receive an "A".

Thanks for posting this!

backdraft7




msg:4446891
 2:47 pm on Apr 28, 2012 (gmt 0)

Got an A rating right out of the chute...but BEAST vulnerable. Looks like the fix is a double edged sword.

brokaddr




msg:4447113
 3:42 am on Apr 29, 2012 (gmt 0)

I too had an A, but was still listed as vulnerable.

From my host:
It's an attack that has been documented on some level for about ten years. The fix on that site does not appear to work as advertised, or the scanner is not detecting things properly, as even when applied it does not say the vulnerability is solved.


For more information on the attack, you can read here: [status.helloworldweb.com...]

Tonearm




msg:4447405
 8:42 am on Apr 30, 2012 (gmt 0)

BEAST vulnerable. Looks like the fix is a double edged sword.

Yeah, is anyone implementing it?

bwnbwn




msg:4447585
 5:08 pm on Apr 30, 2012 (gmt 0)

My scan indicated not vulnerable on the BEAST issue and I am really not sure what I did when I hardened the server to be compliant with my cc processing to stop this threat.

aspdaddy




msg:4447969
 1:58 pm on May 1, 2012 (gmt 0)

From my host:
It's an attack that has been documented on some level for about ten years. The fix on that site does not appear to work as advertised, or the scanner is not detecting things properly, as even when applied it does not say the vulnerability is solved.


Yes, it's been around since about 1999, and the fix does not work as advertised on the article.

To fix, SSL needs to be upgraded to TLS 1.1 or TLS 1.2 (largely unsupported) and then apply MS12-006 if using Windows. But as the client and server need patching there is no real fix!
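
Added example (not part of any post in this thread, and not the SSL Pulse scanner's own logic): a simplified server-side check for the two findings discussed above, SSL 2.0 left enabled and BEAST exposure. The scan data, the `audit` function and its finding strings are constructed for illustration; the check assumes IANA cipher-suite names and treats any CBC suite accepted under SSL 3.0 or TLS 1.0 as exposure.

```python
# Constructed scan result (not real data): protocol version -> cipher suites
# the server accepted, written with IANA-style suite names.
SAMPLE_SCAN = {
    "SSL 2.0": ["SSL_CK_RC4_128_WITH_MD5"],
    "SSL 3.0": ["TLS_RSA_WITH_RC4_128_SHA"],
    "TLS 1.0": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"],
    "TLS 1.2": ["TLS_RSA_WITH_AES_128_GCM_SHA256"],
}

# BEAST relies on the predictable CBC IV used by SSL 3.0 and TLS 1.0.
# TLS 1.1 and TLS 1.2 use an explicit per-record IV, which removes it.
BEAST_PROTOCOLS = {"SSL 3.0", "TLS 1.0"}
FIXED_PROTOCOLS = {"TLS 1.1", "TLS 1.2"}


def audit(scan):
    """Return findings for one server's scan result, in a fixed order."""
    findings = []
    # A protocol counts as enabled only if at least one suite was accepted.
    accepted = {proto for proto, suites in scan.items() if suites}

    if "SSL 2.0" in accepted:
        findings.append("SSL 2.0 enabled: disable it")

    cbc_exposed = sorted(
        proto for proto in accepted & BEAST_PROTOCOLS
        if any("_CBC_" in suite for suite in scan[proto])
    )
    if cbc_exposed:
        findings.append(
            "BEAST exposure: CBC suites accepted under " + ", ".join(cbc_exposed)
        )

    if not accepted & FIXED_PROTOCOLS:
        findings.append("No TLS 1.1/1.2 support")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SCAN):
        print(line)
```

The check covers only what the server accepts; as the post above notes, the client side has to be patched as well.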
