According to a newsgroup posting summarizing a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems, ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack.
The survey is the first in what will be an ongoing project for the recently formed TIM. The group is expected eventually to "name and shame" websites that do nothing to address the issue, pressuring site operators to keep their SSL configuration tight and up to date.
The grim figure was generated by SSL Pulse, a website that monitors the SSL configurations of the 200,000 most popular websites that use SSL, or its successor Transport Layer Security (TLS), to protect e-mail and other sensitive data from being snooped on while in transit. The product of a group of SSL experts from Google, Twitter, PayPal,
Although the Internet Engineering Task Force signed off on a fix (RFC 5746, the renegotiation indication extension) in early 2010 and major SSL packages have been updated to include it, only 72 percent of the sites examined by SSL Pulse were found to be safe from renegotiation exploits. Of the remainder, 13 percent were classified as supporting "insecure renegotiation," one percent offered both secure and insecure renegotiation, and 14 percent offered no renegotiation at all. A server that refuses renegotiation outright cannot be exploited through it, but it also has not been updated with the RFC 5746 fix, which is why the survey counts it separately rather than as "secure."
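The "secure renegotiation" classification above is decided by one observable fact: under RFC 5746 a patched server echoes a renegotiation_info extension (type 0xff01) in its ServerHello, carrying an empty renegotiated_connection on the initial handshake. The following Python is an added example, not code from the article or from SSL Pulse, that parses a ServerHello record and reports whether that extension is present. The three sample records are constructed fixtures built by the helper in the block, not captured traffic, and the function and constant names are the example's own.

```python
import struct

# TLS constants (RFC 5246 record/handshake framing, RFC 5746 extension type)
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02
EXT_RENEGOTIATION_INFO = 0xFF01   # renegotiation_info, RFC 5746 section 3.2


def build_server_hello(extensions, version=(3, 1), cipher_suite=0x002F):
    """Build a minimal TLS 1.0 ServerHello record as a test fixture.

    `extensions` is a list of (type, data) pairs. This helper exists only to
    construct sample input for the parser below; it is not captured traffic."""
    body = bytes(version)
    body += b"\x00" * 32                      # server random (constant in the fixture)
    body += b"\x00"                           # empty session_id
    body += struct.pack("!H", cipher_suite)   # e.g. TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                           # null compression
    if extensions:
        ext_bytes = b"".join(
            struct.pack("!HH", ext_type, len(data)) + data
            for ext_type, data in extensions
        )
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_server_hello(record):
    """Parse one ServerHello record and return its extensions as {type: data}.

    Length fields are checked at every layer; malformed input raises ValueError
    instead of being silently accepted."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("truncated record")
    if hs[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 38:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                              # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                        # session_id
    pos += 2 + 1                              # cipher_suite + compression_method
    extensions = {}
    if pos == len(body):
        return extensions                     # no extensions block at all (legal)
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(body):
        raise ValueError("extensions length mismatch")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        extensions[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    if pos != end:
        raise ValueError("extension data overruns extensions block")
    return extensions


def classify_renegotiation(record):
    """'secure' if the server echoed a well-formed renegotiation_info, else 'not-secure'.

    On an initial handshake the extension must carry a single zero-length
    renegotiated_connection, i.e. exactly one 0x00 byte."""
    exts = parse_server_hello(record)
    if EXT_RENEGOTIATION_INFO not in exts:
        return "not-secure"
    if exts[EXT_RENEGOTIATION_INFO] != b"\x00":
        return "malformed"
    return "secure"


# Constructed fixtures: a patched server, a server sending no extensions, and a
# server that acknowledges server_name (type 0) but never learned RFC 5746.
SAMPLE_SECURE = build_server_hello([(EXT_RENEGOTIATION_INFO, b"\x00")])
SAMPLE_NO_EXT = build_server_hello([])
SAMPLE_OTHER_EXT = build_server_hello([(0x0000, b"")])

if __name__ == "__main__":
    for name, rec in (("secure", SAMPLE_SECURE), ("no-ext", SAMPLE_NO_EXT),
                      ("other-ext", SAMPLE_OTHER_EXT)):
        print(name, classify_renegotiation(rec))
```

The check only works if the client offered the extension (or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite) in its ClientHello, so a scanner must send one of the two. It also only separates the "secure" bucket from the rest: a ServerHello without the extension looks the same whether the server still allows the old insecure renegotiation or refuses renegotiation entirely, and telling those two apart requires actually attempting a renegotiation and seeing whether the server accepts it.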
This means that a paltry 9.59% of the sites surveyed are genuinely secure, a statistic that TIM considers worrying because, as it puts it, the "problem needs to be addressed in configuration and that requires awareness, time and knowledge."
On an Internet where packets often pass over open networks that can be passively monitored, SSL is frequently the only protection preventing passwords and other sensitive data from being intercepted by online criminals and state-sponsored spies. Last year, Google warned Gmail users in Iran to change their passwords after someone used fraudulently issued SSL certificates to impersonate the popular e-mail service. The attack, which stemmed from the breach of the now-defunct DigiNotar certificate authority in the Netherlands, was used to snoop on 300,000 Gmail users, mostly in Iran.