SSL Pulse Project Finds Just 10% of SSL Sites Actually Secure

Trailrunner7 writes "A new project that was setup to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure. The SSL Pulse project, set up by the Trustworthy Internet Movement, looks at several components of each site's SSL implementation to determine how secure the site actually is. The project looks at how each site is configured, which versions of the TLS and SSL protocols the site supports, whether the site is vulnerable to the BEAST or insecure renegotiation attacks and other factors. The data that the SSL Pulse project has gathered thus far shows that the vast majority of the 200,000 sites the project is surveying need some serious help in fixing their SSL implementations."

Mixed Content another issue

[gQuigs]

It's even worse when you consider the sites using mixed content, which passed with flying colors on the analysis. To do a proper test you really need to check every page that uses SSL.

More about mixed content: https://www.eff.org/https-everywhere/deploying-https [eff.org]

Fixing Mixed content is not always so difficult, we replaced image links to use "//" instead of "http://", which allows it to use whatever protocol you are already using. This also works if you still might need to fall back to http:/// [http] for whatever archaic reason (or for us development).

Re:Mixed Content another issue

[ivan.ristic]

It's even worse than that. Many sites do not use SSL (e.g., for authentication), even when they have it properly configured. We actually did a study of how application-layer issues affect SSL. You can find more information here: http://blog.ivanristic.com/2011/08/so-what-really-breaks-ssl.html [ivanristic.com]

Re:Really?

[ivan.ristic]

It just looks for sites negotiating vulnerable cipher suites with SSL v3 or TLS v1.0. BEAST workarounds have to be implemented client-side, and IIRC they are in most/all modern browsers. The issue, however, is that there is still a large number of users still using older browser versions, which are still vulnerable.

Protocol-relative URLs

[djtack]

No, he meant "//". http://paulirish.com/2010/the-protocol-relative-url/ [paulirish.com]

Re:ssl 2.0 insecure?

[FrangoAssado]

SSH doesn't use SSL, it has its own transport layer protocol (which is described in RFC 4253).

(To confuse things a bit, OpenSSH does use OpenSSL, but only the cryptography functions. The SSL part of OpenSSL is completely untouched by OpenSSH).

Re:Protocol-relative URLs

[IAmGarethAdams]

I prefer to think of it as a way of reducing redundancy.

The web page doesn't care whether it's being served over HTTP or HTTPS, that's only an issue for the web server. So, the web server configuration can have all the rules and redirections to enforce a particular policy, and the web page will work any time that gets updated, without having to have every link in every page rewritten.