HTTPS Websites Still Vulnerable

By: Absolute Team | 5/4/2012

The Trustworthy Internet Movement (TIM) released a report this month on the SSL Implementation of the Most Popular Web Sites. This SSL Pulse Report shows that 90% of the 198,216 HTTPS-enabled websites surveyed are vulnerable to SSL attacks.

Only 10% of websites surveyed had effective SSL security. Effective SSL security was defined as well configured with an A grade and as not vulnerable to the two known attacks against SSL - Insecure Renegotiation and BEAST attack. Many sites lacked complete certificate chains, had weak cipher strength or were otherwise vulnerable. For example, it's quite troubling to hear that 75% of sites are vulnerable to the BEAST attack which has had a resolution available since 2006.

For sites that have a large number of users that can be exploited in some way, or have high value sites (banks), the risks from these vulnerabilities can be quite great.

The SSL Pulse will be continuously updated to show the state of the SSL ecosystem. TIM has released a PDF of the SSL / TLS Deployment Best Practices to help administrators and programmers deploy a secure website or application.

Financial Services