Recently the most popular websites using secure online transactions (Online stores, banks, communication sites, etc.) were tested for security and most did not fare very well.
Of the approximately 200,000 HTTPS SSL encrypted websites tested, only about 10% are properly secured according to the Trustworthy Internet Movement (TIM).
Also, about 75% of the sites are still vulnerable to a BEAST attack:
The test used checks for several key factors used in SSL encryption including:
- Cipher Strength
- Key Exchange
- Protocol Support
- Certificate Information
The woes of SSL communication have been known for several years now. Years ago, security expert Moxie Marlinspike has shown that SSL communications can be intercepted using a man-in-the-middle attack and the encryption can be stripped away so the unencrypted information read using a program called SSLstrip.
Also, one of the tests used by the TIM checked SSL sites for a vulnerability to the Browser Exploit Against SSL/TLS (BEAST) attack. The BEAST attack exposes a vulnerability that was discovered in SSL in 2004.
A video of BEAST in operation along with additional information on the attack tool can be found on one of the developer’s websites.
TIM has created a taskforce of world renown security experts to try to tackle the SSL issue:
“The Trustworthy Internet Movement (TIM) is convening a task force that includes Taher Elgamal, one of the creators of the SSL protocol; Moxie Marlinspike, creator of Convergence; Ivan Ristic, director of engineering at Qualys; and other experts from Google, PayPal and GlobalSign. Ristic founded SSL Labs, a research project to measure and track the effective security of SSL on the internet.”
Changes definitely need to be made to the secure online transaction system. Even so, several of the SSL issues have already been addressed, and sadly it seems that the appropriate measures to properly secure SSL have just not been taken.
Cross-posted from Cyber Arms