Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems.
The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys to analyze the strength of HTTPS implementations on websites listed in the top one million published by Web analytics firm Alexa.
SSL Pulse checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower).
HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM)
That's good info that they are sharing, but I hope this does not dwell into a misnomer among non-techie users (online buyers) as a security vulnerability, especially in emerging online economies like India. On second thought, ideally https should be more preferred by search engines than http, as they are being equipped with good usability, trusted, and malware-free websites. Since most of them are transaction based, they are still not favored to that extent, albeit big brands enjoy bias whether they are http or https.
9:07 am on Apr 28, 2012 (gmt 0)
And 90% of those HTTPS site preach about how secure they are.
There should be a universal disclaimer that tells everyone the internet is NOT secure, be it from hackers, scam artists, spy agencies and even (especially) your own government. If it was universally accepted NOT to be safe, people wouldn't ever assume it is. In many cases the things you type are recorded even BEFORE you press send/post/publish/next and whatnot. The net isn't secure, it never will be, and that should be the only message given anywhere.
11:20 am on Apr 28, 2012 (gmt 0)
While it may not be an excuse, how many of these sites surveyed utilize https but don't really need it? I have one site where, if I switched on https, the only thing on it you might want encrypted would be the contact form.
What would be interesting is to see how many sites fail that gather personal information, especially those gathering financial information.
12:50 pm on Apr 28, 2012 (gmt 0)
Nothing new, a bit of marketing for Qualys I suppose. Someone should do a survey on websites that use FTP and Email, two more insecure protocols.
2:20 pm on Apr 28, 2012 (gmt 0)
I'm glad that I saw this post. I ran the free scanner on my website, and got a "B" grade, because I had forgotten to disable SSL 2.0 on my server, when I switched servers a few months back. The report said that I was one of the 90% vulnerable to the Beast.
I quickly fixed my oversight, and now receive an "A".
Thanks for posting this!
2:47 pm on Apr 28, 2012 (gmt 0)
Got an A rating right out of the chute...but BEAST vulnerable. Looks like the fix is a double-edged sword.
3:42 am on Apr 29, 2012 (gmt 0)
I too had an A, but was still listed as vulnerable.
From my host:
It's an attack that has been documented on some level for about ten years. The fix on that site does not appear to work as advertised, or the scanner is not detecting things properly, as even when applied it does not say the vulnerability is solved.
BEAST vulnerable. Looks like the fix is a double-edged sword.
Yeah, is anyone implementing it?
5:08 pm on Apr 30, 2012 (gmt 0)
My scan indicated not vulnerable on the BEAST issue and I am really not sure what I did when I hardened the server to be compliant with my cc processing to stop this threat.
1:58 pm on May 1, 2012 (gmt 0)
From my host: It's an attack that has been documented on some level for about ten years. The fix on that site does not appear to work as advertised, or the scanner is not detecting things properly, as even when applied it does not say the vulnerability is solved.
Yes, it's been around since about 1999, and the fix does not work as advertised in the article.
To fix, SSL needs to be upgraded to TLS 1.1 or TLS 1.2 (largely unsupported) and then apply MS12-006 if using Windows. But as both the client and server need patching, there is no real fix!
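The article's description of what SSL Pulse checks (supported protocol versions, server key length, cipher strength) and the thread's discussion of the BEAST fix (TLS 1.1/1.2 on both ends) can be turned into a small defender-side assessment. The following is an added example, not SSL Pulse, Qualys or SSL Labs code; the ScanResult shape, the thresholds, the letter grades and the sample scan results are all constructed assumptions for illustration, and the BEAST rule follows the thread's framing rather than any vendor's actual scoring.

```python
"""Assess observed HTTPS capabilities against the checks the SSL Pulse
article lists, plus the BEAST condition discussed in the thread.

Added example, not scanner code. ScanResult, the thresholds, the grading
scale and the sample data below are assumptions/constructed inputs.
"""
from dataclasses import dataclass

# Protocol versions the article says the scanner enumerates (2012 landscape).
PROTOCOLS = ("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")


@dataclass(frozen=True)
class ScanResult:
    host: str
    protocols: frozenset    # protocol versions the server accepted
    key_bits: int           # public key length in the server certificate
    cipher_bits: int        # weakest symmetric cipher strength the server accepts
    cbc_only_on_tls10: bool  # True if every suite offered under TLS 1.0 is CBC mode


def assess(result):
    """Return findings as (severity, message) tuples; an empty list means clean."""
    protos = result.protocols
    unknown = protos - set(PROTOCOLS)
    if unknown:
        raise ValueError(f"unrecognised protocol names: {sorted(unknown)}")

    findings = []
    # Protocol checks: the poster in the thread dropped from B to A by disabling SSL 2.0.
    if "SSL 2.0" in protos:
        findings.append(("high", "SSL 2.0 enabled (obsolete, known weaknesses)"))
    if "SSL 3.0" in protos:
        findings.append(("medium", "SSL 3.0 enabled (obsolete)"))

    # Key length thresholds (assumed): below 1024 treated as broken, below 2048 as weak.
    if result.key_bits < 1024:
        findings.append(("high", f"{result.key_bits}-bit server key is too short"))
    elif result.key_bits < 2048:
        findings.append(("medium", f"{result.key_bits}-bit server key is below 2048"))

    # Cipher strength threshold (assumed): anything under 128 bits is weak.
    if result.cipher_bits < 128:
        findings.append(("high", f"accepts {result.cipher_bits}-bit ciphers"))

    # BEAST: exposure needs TLS 1.0 with CBC suites. Offering TLS 1.1/1.2 only helps
    # clients that negotiate it, which is the thread's "client and server both need
    # patching" point, so that case is downgraded to a low finding, not cleared.
    if "TLS 1.0" in protos and result.cbc_only_on_tls10:
        if protos & {"TLS 1.1", "TLS 1.2"}:
            findings.append(("low", "BEAST: TLS 1.0 CBC still offered; "
                                    "mitigated only for clients negotiating TLS 1.1+"))
        else:
            findings.append(("medium", "BEAST: TLS 1.0 CBC-only and no TLS 1.1/1.2"))
    return findings


def grade(findings):
    """Assumed scale: any high -> F, any medium -> B, otherwise A (lows do not lower it)."""
    severities = {sev for sev, _ in findings}
    if "high" in severities:
        return "F"
    if "medium" in severities:
        return "B"
    return "A"


def report(results):
    """Map host -> (grade, messages) for a batch of scan results."""
    out = {}
    for r in results:
        findings = assess(r)
        out[r.host] = (grade(findings), [msg for _, msg in findings])
    return out


# Constructed sample results (not real scanner output), mirroring the thread:
SAMPLES = [
    ScanResult("legacy.example", frozenset({"SSL 2.0", "SSL 3.0", "TLS 1.0"}), 1024, 128, True),
    ScanResult("typical-2012.example", frozenset({"SSL 3.0", "TLS 1.0"}), 2048, 128, True),
    # "A rating but still BEAST vulnerable": TLS 1.1/1.2 offered, TLS 1.0 CBC still on.
    ScanResult("modern.example", frozenset({"TLS 1.0", "TLS 1.1", "TLS 1.2"}), 2048, 128, True),
    ScanResult("clean.example", frozenset({"TLS 1.1", "TLS 1.2"}), 2048, 128, False),
]

if __name__ == "__main__":
    for host, (letter, msgs) in report(SAMPLES).items():
        print(f"{host}: {letter}")
        for m in msgs:
            print(f"  - {m}")
```

The third sample reproduces the situation two posters describe (an "A" that is still listed as BEAST vulnerable): the grade only reflects what the server can do, while the low finding records that an unpatched client talking TLS 1.0 remains exposed.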