Infosec: SSL Hall Of Shame Opens For Business

A nonprofit movement wants to expose those sites that have weak HTTPS connections

Websites using flawed SSL security implementations are to be named and shamed, in a bid to improve security on the internet.

The Trustworthy Internet Movement (TIM), a nonprofit movement announced at the RSA 2012 conference earlier this year, is to run an online index that tracks the progress of how well SSL (the secure sockets layer standard for securing web transactions) is being deployed. Users can go on the SSL Pulse website and use a simple search function to figure out whether a website has a secure SSL function. There is also a list of poor performing sites.

The SSL Pulse project uses data from 200,000 of the world’s most popular sites running HTTPS  protocols. Tests have already shown 50 percent of those websites have well-implemented SSL configuration. But 72.4 percent are still vulnerable to the well-publicised BEAST attack, which exploited a long-known flaw in SSL.

Slay the beast

The BEAST attack takes advantage of a flaw in SSL 3.0, allowing the attacker to grab and decrypt HTTPS cookies on an end user’s browser, effectively hijacking the victim’s session. This could be achieved either through an iframe injection or by loading the BEAST JavaScript into the victim’s browser, but BEAST is known to be especially hard to execute.

BEAST has to be addressed in configuration, which “requires awareness, time, and knowledge”, TIM said. “Plus, freshly installed systems are equally likely to be vulnerable because of the insecure defaults.”

Overall, only 9.59 percent of all sites have adequate SSL implementation, meaning over 179,000 websites have SSL insecurities, according to TIM.

TIM has established a taskforce of security experts, who will review SSL governance issues and develop proposals aimed at fixing both SSL and the certificate authority systems, both of which have been called into question in recent times. In the case of certificate authorities (CAs), a number of them have been compromised in the past year, allowing attackers to spoof websites with fake certificates. One of those CAs, DigiNotar, went bankrupt after it was hacked.

Members of that taskforce include Adam Langley, a Google software engineer, one of the creators of SSL Taher Elgamal, as well as notable security researcher and now Twitter employee Moxie Marlinspike.

TIM was founded by CEO of Qualys, Philippe Courtot, who told TechWeekEurope the movement may seek to offer a form of accreditation so websites can say that their SSL connections are truly secure. However, the nonprofit body will not seek to make money by acting as a consultant, even though Courtot is funding the project from his own pocket.

“This is not for us to make money,” he said. “We need to fix the sub-belly of the internet, which is much more complex than the web application issue. The secure protocol is absolutely vital, there is no reason why we should not fix SSL.”

The brains behind the operation is Ivan Ristic, another Qualys member, who said that whilst vulnerabilities in SSL were very rarely exploited in comparisons to other hacking methods, “it is not OK for things to be broken” and there remained issues with bypassing SSL with specially crafted tools to compromise web applications.

“Twitter accounts get hijacked left and right using tools like Firesheep and SSL bypasses. They just take your account and spam everyone. It is a security problem for Twitter and embarrassing for everyone else,” Ristic told TechWeekEurope.

As for telling companies they have SSL weaknesses before posting the information online, Ristic said the project had faced some criticism, but hackers already have information to that which SSL Pulse makes public. “I’ve had a few bad reactions… being the agent of change is really tough.”

Think you know security? Try our quiz!