Sunday, 21 August 2011

Report: Improper SSL implementations are widespread

Improperly configured SSL implementations are rendering SSL "nearly useless" and exposing sensitive information.

Quoting from a report released by Qualys at the recent Black Hat security conference, eWeek noted that "of the nearly 250,000 sites with SSL turned on that were surveyed, only 51,000 were properly redirecting to SSL for authentication." It appears that the remaining sites may or may not redirect to SSL. Those that don't are vulnerable to man-in-the-middle attacks.

The problems identified range from the use of insecure cookies to mixing both SSL-secured and unsecured traffic on the same webpage. This opens such connections up to session hijacking, says Philippe Courtot, chairman and CEO of Qualys. In addition, many organizations have opted to conduct the authentication portion of a log-in in plain text even when SSL is deployed. Users are hence exposed to the risk of stolen credentials even as they believe themselves to be protected.

Since negotiating an SSL connection consumes far more resources than a non-SSL one, my guess is that some businesses are implementing this shortcut as a means of mitigating the effects of denial-of-service attacks.

Security administrators will know that secure enhancements to SSL exist in the form of HTTP Strict Transport Security (HSTS) and Extended Validation SSL certificates. But Qualys found only 80 sites using HSTS and nine using EV SSL.
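As an added example (not from the eWeek article or the Qualys survey), here is a small Python audit that checks constructed HTTP responses for three of the problems described above: no redirect from plain HTTP to SSL, session cookies set without the Secure flag, and a missing HSTS header. The sample hosts, cookie values and the lowercase header-name convention are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Response:
    """Minimal model of an HTTP response (constructed sample, not live traffic)."""
    url: str
    status: int
    headers: Dict[str, List[str]]  # header name, lowercased -> list of values

def audit(plain: Response, secure: Response) -> List[str]:
    """Return findings for one site given its http:// and https:// responses."""
    findings: List[str] = []
    # 1. The plaintext URL must redirect to https://, otherwise the login
    #    form (and any credentials typed into it) travels in the clear.
    location = plain.headers.get("location", [""])[0]
    if not (300 <= plain.status < 400 and location.lower().startswith("https://")):
        findings.append("no-https-redirect")
    # 2. Cookies issued over SSL need the Secure flag; without it the browser
    #    also sends them over plain HTTP, which is what enables session hijacking.
    for cookie in secure.headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"insecure-cookie:{name}")
    # 3. HSTS tells the browser to use SSL for this host from now on.
    if "strict-transport-security" not in secure.headers:
        findings.append("no-hsts")
    return findings

# Constructed sample sites: one configured correctly, one with every problem.
GOOD: Tuple[Response, Response] = (
    Response("http://good.example/", 301, {"location": ["https://good.example/"]}),
    Response("https://good.example/", 200, {
        "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
        "strict-transport-security": ["max-age=31536000"],
    }),
)
BAD: Tuple[Response, Response] = (
    Response("http://bad.example/", 200, {}),                      # serves login over HTTP
    Response("https://bad.example/", 200, {"set-cookie": ["session=abc123; Path=/"]}),
)

def audit_all(sites: Dict[str, Tuple[Response, Response]]) -> Dict[str, List[str]]:
    return {name: audit(*pair) for name, pair in sites.items()}

if __name__ == "__main__":
    for site, problems in audit_all({"good.example": GOOD, "bad.example": BAD}).items():
        print(site, problems or ["ok"])
```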
For more:
- check out this article at eWeek
