This story covers Web studies done by SSL Labs where they were analyzing how SSL is used over the Web and looking for the ways in which you can break SSL security.

During the initial studies, security guys looked at all public SSL services that are out there, looking primarily at SSL configuration issues. What was discovered actually was that SSL configuration is pretty bad across the board, many sites use old insecure SSL protocols, many sites use weak cipher scripts and generally create secure communication channels that are not as secure as you would want them to be.

However, all those security issues are not of any immediate concern because it’s not a deal to have SSL configuration that is not good enough as to attack such weak configurations is still very expensive. Most attackers don’t do it and most attackers actually go to something else which is easier to do. So the study covers some impedance mismatch issues in SSL.

The SSL protocol, when it was initially designed, was designed to work with any TCP protocol which is great. However, the problem there is that over the years a number of features have been added to HTTP that could break SSL.

So, what was done during the study? Alexa’s top one million list of popular websites was taken, and this list was cross referenced with another list of all SSL services. There arrived the list of about 250 thousand domain names that was examined in depth. A custom crawler has been built which executed the java script and followed all the links there and crawled all these websites looking for various flows.

Researches were looking mostly at sites that mix blank text content with SSL content, because if you have a single page on a website which is insecure, the whole site is not secure. And a man in middle can actually grab that one request, hijack it and hijack the complete session, or the complete user account.

It was discovered that most SSL sites are insecure. All sites have one problem or the other which break SSL completely.

Although researches started the study trying to figure out how many sites are insecure, they ended up figuring out how many sites are secure.  A benchmark was established, in order to be secure, a website has to be 100% SSL, has to use strict transfer security, and it has to have the well configured certificate. It was discovered that only 9 sites fit that description of properly securing the SSL level.

Most other sites were either not redirecting to SSL or they were using session cookies that don’t have a secure flag set, or they were mixing content. And actually more than half of the sites will submit user credentials over plain texts, not protecting them at all. That is it in a nutshell, if you go to ssllabs.com you will find all results there.

If you are interested in more information related to SSL encryption protocol and authenticity as such, privacy-pc.com offers complete transcript of Moxie Marlinspike’s BlackHat talk: SSL and the Future of Authenticity.

Guest post by:

Alex Lamman is a 25 years old software engineer, snowboarder and just a loving father from Germany.  He is Internet security addict and helps to run Privacy PC website. 

–