Survey: 90pct Of HTTPS Sites Are Insecure

     

engine

5:29 pm on Apr 27, 2012 (gmt 0)




Survey: 90pct Of HTTPS Sites Are Insecure [pcworld.com]
Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems.

The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top one million published by Web analytics firm Alexa.

SSL Pulse checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower).



Earlier story
Sites With Good and Bad Security To Be Named By New Security Group [webmasterworld.com]

webindia123

10:20 pm on Apr 27, 2012 (gmt 0)



HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM)

That's good info that they are sharing, but hope this does not dwell into a misnomer among non-techie users (online buyers) as a security vulnerability, especially in emerging online economies like India.
On second thought, ideally https should be more preferred by search engines than http, as they are being equipped with good usability, trusted, and malware-free websites.
Since most of them are trnx based but still they are not favored to that extent, albeit big brands enjoy biasedness whether they are http or https.

Sgt_Kickaxe

9:07 am on Apr 28, 2012 (gmt 0)




And 90% of those HTTPS sites preach about how secure they are.

There should be a universal disclaimer that tells everyone the internet is NOT secure, be it from hackers, scam artists, spy agencies and even (especially) your own government. If it was universally accepted NOT to be safe, people wouldn't ever assume it is. In many cases the things you type are recorded even BEFORE you press send/post/publish/next and whatnot. The net isn't secure, it never will be, that should be the only message given anywhere.

thecoalman

11:20 am on Apr 28, 2012 (gmt 0)




While it may not be an excuse, how many of these sites surveyed utilize https but don't really need it? I have one site where, if I switched on https, the only thing on it would be a contact form you might want encrypted.

What would be interesting is to see how many sites fail that gather personal information, especially those gathering financial information.

aspdaddy

12:50 pm on Apr 28, 2012 (gmt 0)




Nothing new, a bit of marketing for Qualys I suppose. Someone should do a survey on websites that use FTP and Email, two more insecure protocols.

jwolthuis

2:20 pm on Apr 28, 2012 (gmt 0)




I'm glad that I saw this post. I ran the free scanner on my website, and got a "B" grade, because I had forgotten to disable SSL 2.0 on my server, when I switched servers a few months back. The report said that I was one of the 90% vulnerable to the Beast.

I quickly fixed my oversight, and now receive an "A".

Thanks for posting this!

backdraft7

2:47 pm on Apr 28, 2012 (gmt 0)




Got an A rating right out of the chute...but BEAST vulnerable. Looks like the fix is a double edged sword.

brokaddr

3:42 am on Apr 29, 2012 (gmt 0)




I too had an A, but was still listed as vulnerable.

From my host:
It's an attack that has been documented on some level for about ten years. The fix on that site does not appear to work as advertised, or the scanner is not detecting things properly, as even when applied it does not say the vulnerability is solved.


For more information on the attack, you can read here: [status.helloworldweb.com...]

Tonearm

8:42 am on Apr 30, 2012 (gmt 0)




BEAST vulnerable. Looks like the fix is a double edged sword.

Yeah, is anyone implementing it?

bwnbwn

5:08 pm on Apr 30, 2012 (gmt 0)




My scan indicated not vulnerable on the BEAST issue and I am really not sure what I did when I hardened the server to be compliant with my cc processing to stop this threat.

aspdaddy

1:58 pm on May 1, 2012 (gmt 0)




From my host:
It's an attack that has been documented on some level for about ten years. The fix on that site does not appear to work as advertised, or the scanner is not detecting things properly, as even when applied it does not say the vulnerability is solved.


Yes, it's been around since about 1999, and the fix does not work as advertised on the article.

To fix, SSL needs to be upgraded to TLS 1.1 or TLS 1.2 (largely unsupported) and then apply MS12-006 if using Windows. But as the client and server need patching there is no real fix!
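
An added example, not part of any post above and not the SSL Pulse scanner's code: a small Python audit over constructed scan records that keeps the checks discussed in this thread separate (SSL 2.0 left enabled, key length, cipher strength, and BEAST exposure, which concerns CBC cipher suites negotiated under SSL 3.0 or TLS 1.0). The site names, the record layout and the 2048-bit and 128-bit thresholds are assumptions made for illustration.

```python
# Constructed scan records for illustration; none describes a real site.
# Suite names are IANA TLS names; CBC suites contain "_CBC_" in the name.
SITES = {
    "forgot-ssl2": {"protocols": ["SSL 2.0", "SSL 3.0", "TLS 1.0"], "key_bits": 2048,
                    "suites": [("TLS_RSA_WITH_AES_128_CBC_SHA", 128)]},
    "strong-but-tls10": {"protocols": ["SSL 3.0", "TLS 1.0"], "key_bits": 2048,
                         "suites": [("TLS_RSA_WITH_AES_256_CBC_SHA", 256)]},
    "tls10-kept-for-compat": {"protocols": ["TLS 1.0", "TLS 1.1", "TLS 1.2"], "key_bits": 2048,
                              "suites": [("TLS_RSA_WITH_AES_128_CBC_SHA", 128)]},
    "tls11-and-up": {"protocols": ["TLS 1.1", "TLS 1.2"], "key_bits": 2048,
                     "suites": [("TLS_RSA_WITH_AES_128_CBC_SHA", 128)]},
    "legacy-export": {"protocols": ["SSL 3.0", "TLS 1.0"], "key_bits": 1024,
                      "suites": [("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40)]},
}

MIN_KEY_BITS = 2048     # assumed threshold, not taken from the report
MIN_CIPHER_BITS = 128   # assumed threshold, not taken from the report
BEAST_PROTOCOLS = {"SSL 3.0", "TLS 1.0"}  # versions where CBC IVs are predictable


def audit(site):
    """Return the sorted list of findings for one scan record."""
    findings = []
    protocols = set(site["protocols"])
    if "SSL 2.0" in protocols:
        findings.append("ssl2-enabled")
    if site["key_bits"] < MIN_KEY_BITS:
        findings.append("weak-key")
    if any(bits < MIN_CIPHER_BITS for _, bits in site["suites"]):
        findings.append("weak-cipher")
    # BEAST is independent of key and cipher strength: it needs a CBC suite
    # AND a protocol version at or below TLS 1.0 that a client can negotiate.
    offers_cbc = any("_CBC_" in name for name, _ in site["suites"])
    if offers_cbc and protocols & BEAST_PROTOCOLS:
        findings.append("beast-exposed")
    return sorted(findings)


def audit_all(sites=SITES):
    """Audit every record and return {site name: findings}."""
    return {name: audit(site) for name, site in sites.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:24} {', '.join(findings) or 'no findings'}")
```

The "strong-but-tls10" and "tls10-kept-for-compat" records show how a server with strong keys and ciphers, or one that has already added TLS 1.1 and 1.2, is still flagged for BEAST as long as TLS 1.0 with a CBC suite remains negotiable.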