Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • Networking

    Improper SSL Implementations Leave Websites Wide Open to Attack

    By
    Fahmida Y. Rashid
    -
    August 17, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Security researchers are buzzing about the flaws in the Secure Sockets Layer system and the fact that a significant portion of the Internet is vulnerable to attack. At the recent Black Hat security conference in Las Vegas, there were several reports and panels addressing various issues.

      Based on the PKI (public key infrastructure), the SSL protocol has grown “organically” to become nearly ubiquitous within the world’s largest organizations to keep Internet communications secure, Jeff Hudson, CEO of Venafi, told eWEEK.

      However, less than a fifth of Websites claiming to have SSL deployed correctly redirect traffic, according to a report released by Qualys at Black Hat. Of the nearly 250,000 sites with SSL turned on that were surveyed, only 51,000 were properly redirecting to SSL for authentication, according to the report from the Qualys community project, SSL Labs. The remaining 80 percent of the sites may or may not redirect to SSL, making them vulnerable to a man-in-the middle attack from Firesheep and other tools.

      Overall, there has not been a lot of improvement worldwide in how SSL has been deployed over the past few years, Philippe Courtot, chairman and CEO of Qualys, told eWEEK. Organizations are just rolling out SSL servers and not taking the time to ensure the servers are properly configured, the report found.

      Courtot declined to specify any of the offenders, noting that the problem was widespread.

      There were a number of configuration flaws, including the use of insecure cookies and mixing unsecure traffic with secured traffic on the same page. Websites using SSL have to redirect to SSL immediately, instead of encrypting only a portion of the page, as that opens the user to session hijacking attacks, Courtot said.

      When users see a padlock on the Web browser or some other form of visual notification that the site has SSL deployed, they expect their log-in credentials are protected, Courtot said. However, it turns out many organizations made a conscious choice not to use SSL in authentication despite rolling out the security protocol, researchers found. Nearly 70 percent of the surveyed servers handled the log-in process in plain text, and a little over half the servers were transmitting passwords as plain text, making it easy for a malicious attacker to intercept the sensitive information, according to the report.

      This is actually a significant problem in the mobile space, according to Julien Sobrier, a senior security researcher at Zscaler. There is no “UI element equivalent to the lock” on mobile browsers and no visibility into the URLs to tell if the traffic is going over HTTP and HTTPS, Sobrier wrote Aug. 11 on theZscaler Research Labs blog.

      Citigroup learned the hard way that just having SSL on a Website doesn’t keep data secure, as attackers exploited a weakness in the SSL connection on the financial giant’s credit card Website and the Web browser to intercept sensitive information, Rainer Enders, CTO of NCP Engineering, told eWEEK.

      While some companies, such as Google and Twitter, have taken steps to protect users by implementing HTTPS, all Websites where users log in should be encrypting traffic, as well as requiring HTTPS for all requests sent with a cookie, Sobrier said.

      Qualys looked at how sites secured cookies and found that only six percent had properly configured session cookies, the report found. Even if the Websites are 100 percent encrypted, if the developer doesn’t set a secure flag on the session cookies from within the application, a malicious third-party can sniff the contents of that cookie. This technique is very commonly used to force the browser to display session values stored on the insecure cookie.

      Authenticity is important in the SSL system because it ensures that users are talking to the entity they intended to and that no one is listening, Chester Wisniewski, senior security advisor at Sophos, wrote on theNaked Security blog. The way the current system is set up, every major government in the world and many minor ones have the ability to sign any certificate they wish, Wisniewski said, speculating that the Department of Homeland Security could probably get a certificate claiming to be Google.

      Security researcherMoxie Marlinspike presented an alternative system that bypasses certificate authorities and relies on a series of trusted notaries selected by the user, as opposed to relying on the 600 or so certificate authorities accepted by major Web browsers.

      “CAs can be compromised and that major damage can result from related man-in-the-middle attacks,” Hudson said, adding that Marlinspike’s presentation should be a “wake-up call for better security and management of PKI and SSL.”

      NCP Engineering also released a white paper at Black Hat discussing “endemic vulnerabilities” in SSL, and by extension, SSL VPNs, which organizations often use to secure remote connections to the corporate severs. Enders said organizations should not just rely on SSL alone, but should layer it with IPSec to cover security weaknesses present in both technologies.

      Qualys researchers also looked at how many sites were using HTTP Strict Transport Security, which defends against cookie-forcing attacks and Extended Validation SSL certificates in conjunction with standard SSL. The numbers were disheartening, as only 80 sites used HSTS and nine used EV SSL, Courtot said.

      Fahmida Y. Rashid

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×