
Survey: 90pct Of HTTPS Sites Are Insecure

5:29 pm on Apr 27, 2012 (gmt 0)

Administrator from GB (engine)

joined:May 9, 2000
posts:22282
votes: 236


Survey: 90pct Of HTTPS Sites Are Insecure [pcworld.com]
Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems.

The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top one million published by Web analytics firm Alexa.

SSL Pulse checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower).
Earlier story
Sites With Good and Bad Security To Be Named By New Security Group [webmasterworld.com]
10:20 pm on Apr 27, 2012 (gmt 0)

Junior Member

joined:Apr 20, 2012
posts: 188
votes: 0


HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM)

That's good info that they are sharing, but I hope this does not develop into a misnomer among non-techie users (online buyers), being taken as a security vulnerability, especially in emerging online economies like India.
On second thought, ideally HTTPS should be preferred by search engines over HTTP, as they are equipped with good usability, trusted, and malware-free websites.
Most of them are transaction-based, but they are still not favoured to that extent, albeit big brands enjoy bias whether they are HTTP or HTTPS.
9:07 am on Apr 28, 2012 (gmt 0)

Senior Member (sgt_kickaxe)

joined:Apr 14, 2010
posts:3169
votes: 0


And 90% of those HTTPS sites preach about how secure they are.

There should be a universal disclaimer that tells everyone the internet is NOT secure, be it from hackers, scam artists, spy agencies and even (especially) your own government. If it was universally accepted NOT to be safe, people wouldn't ever assume it is. In many cases the things you type are recorded even BEFORE you press send/post/publish/next and whatnot. The net isn't secure, it never will be, and that should be the only message given anywhere.
11:20 am on Apr 28, 2012 (gmt 0)

Senior Member

joined:Mar 4, 2004
posts:877
votes: 0


While it may not be an excuse, how many of these sites surveyed utilize HTTPS but don't really need it? I have one site where, if I switched on HTTPS, the only thing on it you might want encrypted would be a contact form.

What would be interesting is to see how many sites fail that gather personal information, especially those gathering financial information.
12:50 pm on Apr 28, 2012 (gmt 0)

Senior Member

joined:June 13, 2002
posts:2162
votes: 0


Nothing new, a bit of marketing for Qualys I suppose. Someone should do a survey on websites that use FTP and email, two more insecure protocols.
2:20 pm on Apr 28, 2012 (gmt 0)

Senior Member

joined:May 6, 2005
posts:670
votes: 0


I'm glad that I saw this post. I ran the free scanner on my website and got a "B" grade, because I had forgotten to disable SSL 2.0 on my server when I switched servers a few months back. The report said that I was one of the 90% vulnerable to BEAST.

I quickly fixed my oversight, and now receive an "A".

Thanks for posting this!
2:47 pm on Apr 28, 2012 (gmt 0)

Senior Member

joined:Mar 4, 2010
posts:1302
votes: 0


Got an A rating right out of the chute... but BEAST vulnerable. Looks like the fix is a double-edged sword.
3:42 am on Apr 29, 2012 (gmt 0)

Junior Member

joined:July 13, 2010
posts:170
votes: 0


I too had an A, but was still listed as vulnerable.

From my host:
It's an attack that has been documented on some level for about ten years. The fix on that site does not appear to work as advertised, or the scanner is not detecting things properly, as even when applied it does not say the vulnerability is solved.
For more information on the attack, you can read here: [status.helloworldweb.com...]
8:42 am on Apr 30, 2012 (gmt 0)

Senior Member

joined:Dec 5, 2002
posts: 1845
votes: 3


BEAST vulnerable. Looks like the fix is a double-edged sword.

Yeah, is anyone implementing it?
5:08 pm on Apr 30, 2012 (gmt 0)

Senior Member (bwnbwn)

joined:Oct 25, 2005
posts:3492
votes: 3


My scan indicated not vulnerable on the BEAST issue, and I am really not sure what I did when I hardened the server to be compliant with my CC processing to stop this threat.
1:58 pm on May 1, 2012 (gmt 0)

Senior Member

joined:June 13, 2002
posts:2162
votes: 0


From my host:
It's an attack that has been documented on some level for about ten years. The fix on that site does not appear to work as advertised, or the scanner is not detecting things properly, as even when applied it does not say the vulnerability is solved.

Yes, it's been around since about 1999, and the fix does not work as advertised in the article.

To fix it, SSL needs to be upgraded to TLS 1.1 or TLS 1.2 (largely unsupported) and then MS12-006 applied if using Windows. But as both the client and the server need patching, there is no real fix!
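As an added example (not code from this thread, from Qualys or from SSL Labs), here is a small Python checker that applies the three checks the PCWorld summary lists in the first post (protocol versions, key length, cipher strength) to a constructed scan result, and reports the BEAST condition discussed in the later posts separately, which is how a server could be graded "A" and still be flagged BEAST-vulnerable as several posters saw. The thresholds (2048-bit keys, 128-bit ciphers), the host names and the scan results are my assumptions, not the scanner's actual grading formula. The BEAST rule encodes the 2012 understanding that CBC-mode suites negotiated under SSL 3.0 or TLS 1.0 are exposed unless the server imposes a non-CBC suite (RC4 at the time) on those clients.

```python
"""Mini SSL Pulse-style check of a TLS server configuration.

Added example for this thread; it is not code from the original page, from
Qualys or from SSL Labs.  Input is a constructed scan result (protocols the
server accepts, certificate key size, cipher suites in server preference
order).  The rules encode the three checks the PCWorld summary names
(protocol versions, key length, cipher strength) plus the BEAST condition
the thread argues about; thresholds are my simplification, not SSL Labs'
actual grading formula.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# SSL 2.0 is broken outright; SSL 3.0 and TLS 1.0 are where CBC suites are BEAST-exposed.
BROKEN_PROTOCOLS = {"SSLv2"}
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}
MIN_KEY_BITS = 2048      # assumption: the 2048-bit RSA floor recommended since 2010
MIN_CIPHER_BITS = 128    # assumption: the survey's "128 bits or lower" boundary


@dataclass
class ScanResult:
    host: str
    protocols: List[str]          # versions the server will negotiate
    key_bits: int                 # RSA modulus size of the leaf certificate
    ciphers: List[str]            # OpenSSL suite names, server preference order
    server_prefers: bool = True   # False if the server honours the client's order


def cipher_bits(name: str) -> int:
    """Symmetric key length implied by an OpenSSL-style suite name."""
    if "NULL" in name:
        return 0
    if name.startswith("EXP"):
        return 40                 # export-grade: 40-bit RC2/RC4/DES variants
    if "DES-CBC3" in name or "3DES" in name:
        return 112                # triple DES: 168-bit key, 112-bit effective strength
    if "DES" in name or "RC2" in name:
        return 56
    if any(tag in name for tag in ("AES256", "CAMELLIA256", "CHACHA20")):
        return 256
    if any(tag in name for tag in ("AES128", "CAMELLIA128", "SEED", "RC4", "IDEA")):
        return 128
    raise ValueError(f"unrecognised cipher suite {name!r}")


def is_cbc(name: str) -> bool:
    """Block cipher in CBC mode? AEAD modes (GCM/CCM/ChaCha) and RC4 are not."""
    return not any(tag in name for tag in ("GCM", "CCM", "CHACHA20", "RC4", "NULL"))


def usable_below_tls12(name: str) -> bool:
    """AEAD and SHA-2 HMAC suites only exist in TLS 1.2; the rest negotiate on TLS 1.0."""
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        return False
    return not (name.endswith("SHA256") or name.endswith("SHA384"))


def cipher_for_tls10_client(scan: ScanResult) -> Optional[str]:
    """Suite a TLS 1.0 client would end up with.

    With server-side ordering it is the first pre-TLS1.2 suite in the list;
    without it the client decides, so assume the worst case (a CBC suite if any).
    """
    legacy = [c for c in scan.ciphers if usable_below_tls12(c)]
    if not legacy:
        return None
    if scan.server_prefers:
        return legacy[0]
    return next((c for c in legacy if is_cbc(c)), legacy[0])


def assess(scan: ScanResult) -> Dict[str, object]:
    """Apply the three survey checks; report BEAST separately, as the scanner did."""
    findings: List[str] = []
    for proto in sorted(BROKEN_PROTOCOLS & set(scan.protocols)):
        findings.append(f"{proto} enabled")
    if scan.key_bits < MIN_KEY_BITS:
        findings.append(f"RSA key only {scan.key_bits} bits")
    for suite in scan.ciphers:
        bits = cipher_bits(suite)
        if bits < MIN_CIPHER_BITS:
            findings.append(f"weak cipher {suite} ({bits} bits)")

    beast = False
    if BEAST_PROTOCOLS & set(scan.protocols):
        chosen = cipher_for_tls10_client(scan)
        beast = chosen is not None and is_cbc(chosen)

    return {"host": scan.host, "findings": findings, "beast_vulnerable": beast}


# Constructed scan results standing in for scanner output; none is a real host.
LEGACY = ScanResult("legacy.example", ["SSLv2", "SSLv3", "TLSv1.0"], 1024,
                    ["DES-CBC3-SHA", "AES128-SHA", "EXP-RC4-MD5"])
A_BUT_BEAST = ScanResult("shop.example", ["SSLv3", "TLSv1.0"], 2048,
                         ["AES256-SHA", "AES128-SHA", "RC4-SHA"])
RC4_FIRST = ScanResult("shop.example", ["SSLv3", "TLSv1.0"], 2048,
                       ["RC4-SHA", "AES256-SHA", "AES128-SHA"])
TLS11_PLUS = ScanResult("modern.example", ["TLSv1.1", "TLSv1.2"], 2048,
                        ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"])

if __name__ == "__main__":
    for scan in (LEGACY, A_BUT_BEAST, RC4_FIRST, TLS11_PLUS):
        print(assess(scan))
```

The `A_BUT_BEAST` case is the situation the posters describe: no finding on any of the three survey criteria, yet flagged because a TLS 1.0 client lands on a CBC suite. `RC4_FIRST` is what the 2012 server-side workaround looked like; RC4 has since been shown to be broken and is prohibited in TLS by RFC 7465, so that line of the check is historical. The durable fix is the one the last post gives, TLS 1.1 or later on both ends, which `TLS11_PLUS` passes without any cipher-ordering tricks.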