Secure Sockets Layer/Transport Layer Security (SSL/TLS) is widely used to secure data in motion on the Internet, but it isn’t always configured properly or patched for the latest security updates. Aiming to help improve the state of SSL/TLS deployments, Qualys announced on March 17 that it is expanding its SSL Labs testing service to enable API access for bulk scanning of multiple server hosts. Qualys is also providing an open-source tool to help automate the process for scanning SSL/TLS.
The SSL Labs service to date has been a Web interface that enables anyone to simply input a Web address and then check to see the status of their SSL/TLS server configuration.
“SSL Labs is a service we have provided for several years, and now providing APIs is the next step,” Ivan Ristic, director of engineering at Qualys, told eWEEK. “The problem that our users have had is that some of them have hundreds of servers, and they want to check their servers more regularly.”
With the new API, users can check the status of server SSL/TLS for free, Ristic said. In addition to the API, Qualys has built an open-source tool called ssllabs-scan that incorporates the API into a command-line tool. Ristic said that with the ssllabs-scan, an organization can set up a regular process for checking SSL/TLS security that could potentially alert an organization if security is degraded.
Qualys also has an SSL/TLS site called SSL Pulse, which provides a regular report on SSL/TLS configuration and security statistics. Ristic emphasized that data from the SSL Labs API scanning is kept private and does not get integrated with the SSL Pulse data. The data for SSL Pulse comes from regular scanning of SSL/TLS-enabled sites on the Alexa Top Sites list, Ristic said.
“At the moment, we have 150,000 Websites on the SSL Pulse list, which is intentionally small so that it’s easy to handle, while still being representative of what the popular sites are doing,” Ristic said.
One of the key results that SSL Pulse has shown month after month since the site went live in 2012 is that the many SSL/TLS-enabled websites are, in fact, not properly secured. The most recent data on the site shows that only 18.2 percent of SSL/TLS sites scanned are, in fact, secure.
Ristic said that he’s not surprised that most SSL/TLS deployments are not secure since the reality is that new SSL/TLS security issues are discovered almost every month. A case in point is the encryption flaw referred to as Factoring attack on RSA-EXPORT Keys, or FREAK, which was disclosed at the beginning of March.
The SSL Pulse data also reveals that 81.5 percent of the sites scanned are still vulnerable to the BEAST (Browser Exploit Against SSL/TLS) attack that was first disclosed in 2011. Ristic noted that even though BEAST is a risk, it’s not the subject of mass exploitation.
“There are other things that are much easier to exploit for attackers,” Ristic said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.