Many Websites Wide Open to Attack as a Result of Improper SSL Implementations
Modernizing Authentication — What It Takes to Transform Secure Access
Security researchers are buzzing about the flaws in the Secure Sockets Layer system and the fact that a significant portion of the Internet is vulnerable to attack. At the recent Black Hat security conference in Las Vegas, there were several reports and panels addressing various issues.
Based on the PKI (public key infrastructure), the SSL protocol has grown "organically" to become nearly ubiquitous within the world's largest organizations to keep Internet communications secure, Jeff Hudson, CEO of Venafi, told eWEEK.
However, less than a fifth of Websites claiming to have SSL deployed correctly redirect traffic, according to a report released by Qualys at Black Hat. Of the nearly 250,000 sites with SSL turned on that were surveyed, only 51,000 were properly redirecting to SSL for authentication, according to the report from the Qualys community project, SSL Labs. The remaining 80 percent of the sites may or may not redirect to SSL, making them vulnerable to a man-in-the middle attack from Firesheep and other tools.
Overall, there has not been a lot of improvement worldwide in how SSL has been deployed over the past few years, Philippe Courtot, chairman and CEO of Qualys, told eWEEK. Organizations are just rolling out SSL servers and not taking the time to ensure the servers are properly configured, the report found.
Courtot declined to specify any of the offenders, noting that the problem was widespread.
There were a number of configuration flaws, including the use of insecure cookies and mixing unsecure traffic with secured traffic on the same page. Websites using SSL have to redirect to SSL immediately, instead of encrypting only a portion of the page, as that opens the user to session hijacking attacks, Courtot said.
When users see a padlock on the Web browser or some other form of visual notification that the site has SSL deployed, they expect their log-in credentials are protected, Courtot said. However, it turns out many organizations made a conscious choice not to use SSL in authentication despite rolling out the security protocol, researchers found. Nearly 70 percent of the surveyed servers handled the log-in process in plain text, and a little over half the servers were transmitting passwords as plain text, making it easy for a malicious attacker to intercept the sensitive information, according to the report.
This is actually a significant problem in the mobile space, according to Julien Sobrier, a senior security researcher at Zscaler. There is no "UI element equivalent to the lock" on mobile browsers and no visibility into the URLs to tell if the traffic is going over HTTP and HTTPS, Sobrier wrote Aug. 11 on the Zscaler Research Labs blog.
Citigroup learned the hard way that just having SSL on a Website doesn't keep data secure, as attackers exploited a weakness in the SSL connection on the financial giant's credit card Website and the Web browser to intercept sensitive information, Rainer Enders, CTO of NCP Engineering, told eWEEK.