90 percent of 'secure' HTTPS sites are vulnerable, study finds

One of the basic security checks when conducting an online transaction to make sure the front of the URL reads “HTTPS,” which indicates that the site uses Secure Sockets Layer encryption. But up to 90 percent of those sites, including at least several at U.S. government agencies, are vulnerable to attack, according to a new survey.

The survey by Trustworthy Internet Movement, a nonprofit initiative formed in February to help address Internet security issues, also found that 75 percent of the most popular sites using SSL are vulnerable to a Browser Exploit Against SSL/TLS (BEAST) attack and 40 percent support weak ciphers.

Less than 1 percent (0.85 percent) of the sites surveyed support HTTP Strict Transport Security, the state-of-the-art configuration for SSL, the report said.


Related coverage:

SSL flaw could allow hijacking of 'secure' Web sessions

Microsoft issues warning over SSL flaw


The survey includes a section for users to test the security of their own sites. In a random sampling of federal government agencies, some scored well for their HTTPS site security — www.cia.gov, for example — while others fared poorly. The National Geospatial Intelligence Agency’s secure site — www1.nga.mil – scored a D. The Commerce Department’s secure time and attendance website scored an A overall but is still vulnerable to a BEAST attack.

“While it is possible today to deploy SSL and to deploy it well, the process is difficult: the default settings are wrong, the documentation is lacking, and the diagnostic tools are inadequate,” said Ivan Ristic, director of engineering at security application firm Qualys and creator of research project SSL Labs, in his blog entry on the subject. Sites were tested for vulnerabilities using assessment technology from SSL Labs.

“The very high number of sites vulnerable to the BEAST attack is worrying, because this problem needs to be addressed in configuration, and that requires awareness, time and knowledge,” Ristic wrote. “Plus, freshly installed systems are equally likely to be vulnerable because of the insecure defaults.”

BEAST can be used to decrypt authentication tokens and cookies from HTTPS requests, giving an attacker data exchanged between a Web server and browser. It affects Transport Security Layer 1.0 but not later versions, such as TLS 1.1 and 1.2, which fixed BEAST vulnerabilities.

However, most Web servers do not support TLS Version 1.1 or TLS Version 1.2, reported Erik Kangas, president of Web security firm LuxSci, in a blog post. “Even if your browser supports it, your target secure site probably does not,” he said. That includes sites such as Bank of America and Gmail.

Among browsers, only Internet Explorer and Opera support TLS Version 1.1 or higher. According to Opera, only 0.25 percent of Web servers support TLS Version 1.1 or better.

"SSL promises security, but if not managed properly it gives users a false sense of security," Philippe Courtot, founder of Trustworthy Internet Movement and chairman and CEO of Qualys at Infosecurity Europe, said in a Tech World story. Organizations with poor SSL support are "lucky that they haven't already been compromised.”

TIM announced the group’s first project, SSL Pulse, at the same time it released its survey results. SSL Pulse will monitor the quality of SSL support across the top 1 million websites using assessment technology from SSL Labs.

“The purpose of SSL Pulse is to bring visibility to SSL implementation issues on the Web, and while businesses are starting to fix these issues we can keep track of progress made towards making SSL more robust and widely adopted on the Internet,” Ristic said.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above