Most of the Internet's top 200,000 HTTPS websites are insecure, group says
Seventy-five percent of HTTPS websites from Alexa's top 1 million are vulnerable to the BEAST SSL attack, Trustworthy Internet Movement says
IDG News Service - Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems.
The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top 1 million published by Web analytics firm Alexa.
SSL Pulse checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower).
An algorithm is used to interpret the scan results and assign a score between 0 and 100 to each HTTPS configuration. The score is then translated into a grade, with A being the highest (over 80 points).
Half of the almost 200,000 websites in Alexa's top 1 million that support HTTPS received an A for the quality of their configurations. This means that they use a combination of modern protocols, strong ciphers and long keys.
Despite this, only 10% of the scanned websites were deemed truly secure. Seventy-five percent -- around 148,000 -- were found to be vulnerable to an attack known as BEAST, which can be used to decrypt authentication tokens and cookies from HTTPS requests.
The BEAST attack was demonstrated by security researchers Juliano Rizzo and Thai Duong at the ekoparty security conference in Buenos Aires, Argentina, in September 2011. It is a practical implementation of an older theoretical attack and affects SSL/TLS block ciphers, like AES or Triple-DES.
The attack was fixed in version 1.1 of the Transport Layer Security (TLS) protocol, but a lot of servers continue to support older and vulnerable protocols, like SSL 3.0, for backward compatibility reasons. Such servers are vulnerable to so-called SSL downgrade attacks in which they can be tricked to use vulnerable versions of SSL/TLS even when the targeted clients support secure versions.
The easiest way to mitigate the BEAST attack on the server side is to prioritize the RC4 cipher for HTTPS connections, said Ivan Ristic, director of engineering at Qualys, via email. RC4 is a stream cipher and is not vulnerable to this attack.
In addition to supporting multiple protocols, many HTTPS-enabled servers also support multiple ciphers in order to ensure compatibility with a variety of clients. A special setting can be used on the server to specify the order in which the ciphers should be used and to prioritize RC4.
- Where You Mitigate Heartbleed Matters Read this article to learn more about why customers must choose the most strategic point in the network at which to deploy their...
- Mitigating Multiple DDoS Attack Vectors It's time to rethink and refine the enterprise security architecture, so organizations can remain agile and resilient against future threats. Download this infographic...
- SIP Migration: Addressing CIOs' Concerns Recent data from IDG Research shows that many IT executives are counting on SIP to help them meet employee efficiency and customer experience...
- City Solved Network Mystery - Saves $30K The City of Jacksonville put their hunch to work and not only solved a mystery, but found a new and innovative use for...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Network Security White Papers | Webcasts