SSL Pulse Project Finds Just 10% of SSL Sites Actually Secure 62
Trailrunner7 writes "A new project that was setup to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure. The SSL Pulse project, set up by the Trustworthy Internet Movement, looks at several components of each site's SSL implementation to determine how secure the site actually is. The project looks at how each site is configured, which versions of the TLS and SSL protocols the site supports, whether the site is vulnerable to the BEAST or insecure renegotiation attacks and other factors. The data that the SSL Pulse project has gathered thus far shows that the vast majority of the 200,000 sites the project is surveying need some serious help in fixing their SSL implementations."
JS injection, SSL is the least of your problems (Score:3, Interesting)
If you can inject JS into a secure site, BEAST is the least of your concerns.
This is them trying to gain awarness of an XSS assisted attack.
XSS can be more dangerous than the actual traffic.
They are just checking if servers support backwards complience for older users who would not be able to use SSL othewise.
This is like saying all sites that have custom rules to make older IE play nice are insecure.
No SNI, thats very truth worthy of a study (Score:5, Interesting)
So I tried my SNI enabled domain, which redirects to a dummy domain if you don't support SNI.
And https://www.ssllabs.com/ssltest [ssllabs.com] doesn't work with the SNI domain, thinking my certificate is invalid.
So a few things:
* It's sponsored by Qualis, I don't see how that's trustworthy. You see that only once you do the actual validation. They're here to make money like any other corporation. Nonprofit stuff? Bitch please.
* It doesn't work with SNI so there's million domains wrongly counted as invalid
* Their cert isn't even an EV cert
Security Now 321: The Beauty Of B.E.A.S.T. (Score:5, Interesting)
Re:Happy Friday from the Golden Girls! (Score:5, Interesting)
Agreed.
Can we get /. to prevent the first, say 5, post replies from AC?
Let the first 5 or so posts be from registered users only. AC cannot reply to the OP until 5 or so replies to OP by registered users have been made.
5 can be tweaked...to an optimized value 3-5 i'd say.
Maybe this will stop the silly 1st post...from AC.....then again..maybe now we will egt
6th Post crap from ACs...but still better than reading a crappy 1st post.