Most SSL Sites Poorly Configured
July 31, 2010 – 8:16 AM
The good news about SSL-based websites: Most are running strong encryption. The bad news: More than 60 percent aren’t properly configured.
Researcher Ivan Ristic, who is director of engineering, Web application firewall, and SSL at Qualys, revealed findings here yesterday from a study he conducted of some 120 million registered domain names. Ristic found that 20 million of them support SSL, but only 720,000 of these have potentially valid SSL certificates. “That’s a very small percentage, but it doesn’t really mean anything apart from that a fraction of sites use SSL, which we’ve known,” Ristic says.
Among the more telling findings: of all the SSL sites, half still support SSLv2, an obsolete version of the protocol that is known to be insecure. Only 38 percent of all SSL sites are actually configured well, Ristic says, and 32 percent are still exposed to the TLS renegotiation vulnerability disclosed in late 2009 (CVE-2009-3555), which lets a man-in-the-middle splice attacker-chosen plaintext in front of a victim's request.
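The two configuration faults the survey counts can be checked without a full SSL library, since both are visible in the first server reply: an SSLv2 SERVER-HELLO means SSLv2 is enabled, and a TLS ServerHello that lacks the renegotiation_info extension means the server does not implement RFC 5746 secure renegotiation. The probe below is an added example written for this page, not code from the article or from Qualys; the byte layouts follow the SSLv2 draft and RFC 5246/5746, and the sample replies it parses in the test are constructed, not captured traffic.

```python
import socket
import struct
import sys

# Added example (not the article's or Qualys' code): a minimal probe for the two
# weaknesses the survey counts, SSLv2 support and missing RFC 5746 secure
# renegotiation. Parsing is kept separate from networking so it runs offline.

SSL2_CLIENT_HELLO = 1
SSL2_SERVER_HELLO = 4
RENEGOTIATION_INFO_EXT = 0xFF01
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF


def build_ssl2_client_hello() -> bytes:
    """SSLv2 CLIENT-HELLO offering three legacy cipher specs."""
    cipher_specs = bytes.fromhex("010080" "020080" "040080")
    challenge = b"\x00" * 16
    body = (bytes([SSL2_CLIENT_HELLO]) + b"\x00\x02"        # msg type, version 2
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    # Two-byte record header: high bit set, length in the low 15 bits.
    return struct.pack(">H", 0x8000 | len(body)) + body


def is_ssl2_server_hello(data: bytes) -> bool:
    """True if the reply is an SSLv2 SERVER-HELLO, i.e. the server speaks SSLv2."""
    if len(data) < 3 or not data[0] & 0x80:
        return False
    length = ((data[0] & 0x7F) << 8) | data[1]
    return len(data) >= 2 + length and data[2] == SSL2_SERVER_HELLO


def build_tls_client_hello(host: str) -> bytes:
    """TLS ClientHello (RSA suites only) that advertises RFC 5746 support both
    via the SCSV cipher suite and an empty renegotiation_info extension."""
    suites = struct.pack(">HHHHH", 0x002F, 0x0035, 0x009C, 0x009D,
                         TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
    sni = host.encode()
    sni_ext = struct.pack(">HHHBH", 0, len(sni) + 5, len(sni) + 3, 0, len(sni)) + sni
    reneg_ext = struct.pack(">HHB", RENEGOTIATION_INFO_EXT, 1, 0)
    exts = sni_ext + reneg_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, no session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00"                                  # one compression method: null
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def server_hello_has_renegotiation_info(data: bytes) -> bool:
    """Walk the TLS records in a reply and report whether the ServerHello carries
    renegotiation_info. Alerts, truncated data and a ServerHello with no
    extension block all count as 'not present'."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, _, _, rlen = struct.unpack(">BBBH", data[pos:pos + 5])
        record = data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != 0x16 or len(record) < 4 or record[0] != 0x02:
            continue                                       # not a ServerHello record
        hlen = int.from_bytes(record[1:4], "big")
        sh = record[4:4 + hlen]
        if len(sh) < 35:
            return False
        p = 35 + sh[34] + 2 + 1                            # skip session id, suite, compression
        if p + 2 > len(sh):
            return False                                   # no extensions at all
        end = p + 2 + struct.unpack(">H", sh[p:p + 2])[0]
        p += 2
        while p + 4 <= min(end, len(sh)):
            etype, elen = struct.unpack(">HH", sh[p:p + 4])
            if etype == RENEGOTIATION_INFO_EXT:
                return True
            p += 4 + elen
        return False
    return False


def sample_server_hello(secure: bool) -> bytes:
    """Constructed ServerHello record (not captured traffic) for offline checks."""
    exts = struct.pack(">HHB", RENEGOTIATION_INFO_EXT, 1, 0) if secure else b""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x2F" + b"\x00"
    if secure:
        body += struct.pack(">H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs


# Constructed SSLv2 SERVER-HELLO: type 4, no session hit, X.509 cert type,
# version 2, empty cert, one cipher spec, 16-byte connection id.
SAMPLE_SSL2_SERVER_HELLO = bytes.fromhex(
    "801e" "04" "00" "01" "0002" "0000" "0003" "0010" "010080") + b"\x00" * 16
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"          # fatal handshake_failure


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check of one server; needs network, so it is not part of the offline test."""
    replies = {}
    for name, hello in (("ssl2", build_ssl2_client_hello()),
                        ("tls", build_tls_client_hello(host))):
        resp = b""
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(hello)
                while len(resp) < 16384:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    resp += chunk
        except OSError:
            pass                                           # timeout/reset: keep what we got
        replies[name] = resp
    return {"ssl2_supported": is_ssl2_server_hello(replies["ssl2"]),
            "secure_renegotiation": server_hello_has_renegotiation_info(replies["tls"])}


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Two caveats when running this against real hosts: a server that refuses the TLS 1.2 ClientHello outright (for example a TLS 1.3-only deployment, or one that requires ECDHE suites this hello does not offer) answers with an alert, which the parser reports as "no renegotiation_info" even though such a server cannot be hit by the old renegotiation splice; and a server with renegotiation disabled entirely also omits the extension. Treat a negative result as "investigate", not as proof of the vulnerability.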
Meanwhile, researchers Robert “RSnake” Hansen and Josh Sokol here yesterday detailed some 24 attack techniques against HTTPS/SSL as used by browsers, most of which rely on a man-in-the-middle (MITM) position. Among them: cookie poisoning and injecting malicious content into browser tabs. The researchers warned that HTTPS alone can’t guarantee confidentiality and integrity in the browser.