Ivan Ristic, Qualys: SSL and the Internet – where is it all going wrong?

February 2011 by Ivan Ristic, Director of Engineering

Making sure that a web site is installed, configured and working correctly can be a daunting job even for the most experienced IT security professional. One of the most important security protocols for any business operating on the Internet is the Secure Sockets Layer (SSL). SSL has been called "the security backbone of the Internet": it protects web sites by encrypting sensitive information during online transactions. While it is a valuable protocol, deployments have problems, including misconfiguration and failed certificate validation, which leave the protection SSL is meant to provide ineffective and jeopardise security.

Research completed over the past year, studying about 120 million registered domain names, reveals the many failings in SSL security and calls into question how this vital protocol has been overlooked in recent years. By looking at the state of its current use, we can learn about common mistakes and make recommendations on what security practitioners should do in future to make the best use of this protocol.

Falling at the first hurdle

Whilst SSL is widely regarded and acknowledged as one of the most fundamental security protocols, our research revealed that only a tiny portion of all sites actually use SSL, and of these only 70 percent presented a valid certificate. When you bear in mind how many domain names there are on the Internet, this provides alarming insight into the basic security principles that people are simply ignoring or not taking into account. For businesses that operate online this is a real exposure, because research has shown that even when a security warning appears on the screen, more often than not the end user clicks through it. A user who proceeds past such a warning is open to attack, and a site that throws certificate warnings looks untrustworthy, which reflects badly on the company's reputation. Our research showed that the majority of certificates failing validation did so only because they had expired. This is an easily rectified problem, but one that still manages to slip under the radar of those monitoring network security.
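The validation failures counted above (expiry first of all, then self-signed certificates and certificates issued for the wrong name) are straightforward to check for. The following is an added Python example written for this page; it is not code from the article or from Qualys. The two certificate dicts are constructed by hand in the shape that Python's `ssl.SSLSocket.getpeercert()` returns and are not real certificates; the function names and the 30-day warning threshold are my own choices.

```python
"""Classify why a server certificate would fail validation: the checks behind
the survey's "only 70 percent of certificates were valid" figure.
Added example, not code from the article or from Qualys.  The sample
certificate dicts below are constructed in the shape that
ssl.SSLSocket.getpeercert() returns; they are not real certificates."""
import socket
import ssl
import time


def cert_time(s):
    """Parse the notBefore/notAfter text form, e.g. 'Jan  1 00:00:00 2011 GMT',
    into seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(s)


def _rdns_to_dict(rdns):
    """Flatten getpeercert()'s nested tuples for 'subject'/'issuer' into
    {attribute: value}."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def _hostname_matches(hostname, cert):
    """Minimal RFC 6125-style matching: exact, or a wildcard that covers
    exactly one leftmost label.  subjectAltName dNSNames are authoritative;
    the subject commonName is consulted only when no SAN is present."""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdns_to_dict(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    host = hostname.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            # *.example.com matches www.example.com, but neither example.com
            # nor a.b.example.com
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def classify_cert(cert, hostname, now=None, warn_days=30):
    """Return the list of problems with a getpeercert()-style dict, in the
    order: validity period, self-signed, hostname.  An empty list means the
    certificate passes these checks for `hostname` at time `now` (epoch secs)."""
    now = int(time.time() if now is None else now)
    not_before = cert_time(cert["notBefore"])
    not_after = cert_time(cert["notAfter"])
    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    elif (not_after - now) // 86400 < warn_days:
        # the 'easily rectified' failure the survey saw most often: nobody was
        # watching the expiry date, so warn well before it arrives
        problems.append(f"expires in {(not_after - now) // 86400} days")
    if _rdns_to_dict(cert["subject"]) == _rdns_to_dict(cert["issuer"]):
        problems.append("self-signed")
    if not _hostname_matches(hostname, cert):
        problems.append("hostname mismatch")
    return problems


def probe(hostname, port=443, timeout=5.0):
    """Live check (needs network; not used by the offline samples).  With the
    default context, a certificate that fails validation never reaches
    getpeercert(): OpenSSL rejects it and the reason, e.g. 'certificate has
    expired', arrives as SSLCertVerificationError.  A certificate that passes
    is still run through classify_cert() to catch imminent expiry."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return "ok", classify_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as e:
        return "fail", e.verify_message


# Constructed samples (not real certificates): a CA-issued certificate that
# expired on 1 Jan 2011, and a self-signed wildcard certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "*.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    when = cert_time("Feb 15 00:00:00 2011 GMT")   # the survey's time frame
    print(classify_cert(SAMPLE_CERT, "www.example.com", now=when))        # ['expired']
    print(classify_cert(SELF_SIGNED_CERT, "www.example.com", now=when))   # ['self-signed']
```

Run `probe("your.host")` from a cron job and alert on anything but `("ok", [])`: an "expires in N days" finding is the warning the survey suggests most operators never received, and the `verify_message` string is OpenSSL's own reason for a rejection.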

Self harming – Using what you know to be bad

If you are going to use SSL, it makes sense to implement the most secure version available to ensure maximum safety online. However, half of all trusted servers analysed still support the SSLv2 protocol, which has been known for the past 14 years to be highly insecure. This flawed protocol offers little in the way of protection, and supporting it can actually invalidate a company's PCI compliance. Whilst many modern web browsers now refuse to use SSLv2, choosing instead the stronger, more robust and recommended SSLv3 or TLSv1 (Transport Layer Security) protocols, its continued wide deployment on servers demonstrates further how neglected SSL security has become for the IT security or network manager.
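Checking which protocol versions a server is willing to negotiate is the test behind the SSLv2 figure above. Here is an added Python example written for this page, not code from the article or from Qualys: it pins a client to one version at a time and records whether the handshake succeeds. The hostnames are placeholders, the `handshake` parameter is injectable so the policy logic can be exercised offline, and the policy itself (anything older than TLS 1.2 is obsolete) is my own, reflecting today's deprecations rather than the 2011 baseline.

```python
"""Probe which TLS protocol versions a server will negotiate: the check behind
the survey's "half of all trusted servers still support SSLv2" figure.
Added example, not code from the article or from Qualys.  Hostnames are
placeholders; the policy (older than TLS 1.2 is obsolete) is mine."""
import socket
import ssl

# Versions a current Python/OpenSSL can still speak.  SSLv2 and SSLv3 have
# been removed from OpenSSL, so this probe cannot exercise them (see the note
# after the code).  ssl.TLSVersion is an IntEnum, so members sort by wire value.
CANDIDATES = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

# Versions that should no longer be offered (TLS 1.0/1.1 were deprecated by
# RFC 8996; SSLv2/SSLv3 would belong here too if they could be probed at all).
OBSOLETE = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def _tls_handshake(hostname, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.  Certificate checks
    are disabled on purpose: the question is whether the server speaks the
    version, not whether its certificate is good."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # SSLError/OSError: handshake refused, reset or timed out -> not offered.
        # ValueError: this OpenSSL build cannot speak `version` at all.
        return False


def probe_versions(hostname, port=443, handshake=_tls_handshake):
    """Return {version: offered?} for every candidate.  `handshake` is
    injectable so the policy logic can be run without a network."""
    return {v: handshake(hostname, port, v) for v in CANDIDATES}


def audit(offered):
    """Turn a probe result into findings, obsolete versions in ascending order."""
    enabled = {v for v, ok in offered.items() if ok}
    if not enabled:
        return ["no TLS version negotiated"]
    findings = [f"obsolete protocol offered: {v.name}"
                for v in sorted(enabled & OBSOLETE)]
    if not enabled & {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}:
        findings.append("no modern protocol (TLS 1.2/1.3) offered")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder
    result = probe_versions(host)
    for v in CANDIDATES:
        print(f"{v.name:8} {'offered' if result[v] else 'refused'}")
    print(audit(result) or ["no protocol findings"])
```

A modern TLS stack cannot reproduce the SSLv2 test itself, because the protocol has been removed from OpenSSL; in 2011 the usual way was `openssl s_client -ssl2 -connect host:443` (or `-ssl3`) on a build that still included those protocols, and a completed handshake meant the server offered them.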

Configure it out

Making sure that you are using SSL, or even the correct versions of it, does not necessarily ensure that you are well protected and fully using the protocol. Most sites fail at the configuration stage. The research showed that only 38 percent of the SSL sites analysed are configured correctly, which means that the rest, almost two thirds, are potentially insecure. The configuration of SSL is very straightforward and can take less than an hour to do properly. This again calls into question how seriously managers take SSL security and whether the proper level of training is being provided within an organisation.

On the bright side...

It's not all bad news though. There are web sites with fully deployed and functional SSL in place, using keys of sufficient size and strong ciphers. This is encouraging news, as it shows that when the protocol is given the right level of attention and is correctly configured, it can provide the high level of security that it was designed to provide.

Learning points

Whilst all sites should have SSL in place, the research has shown that many have not taken the steps needed to get maximum security from this very basic protocol. We feel that better understanding and industry awareness are needed to raise the number of correctly deployed SSL certificates. If a company's SSL deployment is poor, this can indicate a weak security stance overall and calls into question whether they are also weak in other areas of their security procedures. It can also act as an indicator of weakness to attackers and subsequently lead to the web site being exposed to other breaches. SSL is one area where people can really make a difference and do things properly. We as an industry need to go right back to basics and start fixing this element. Only then can we truly move forward and secure the rest of the network.


Qualys is exhibiting at Infosecurity Europe 2011 – the No. 1 industry event in Europe – where information security professionals address the challenges of today whilst preparing for those of tomorrow. Held from 19th – 21st April at Earl’s Court, London, the event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

