Tool highlights “secure site” shortcomings

A non-profit group has unveiled a tool to check how secure sites using the Secure Sockets Layer protocol really are. But reports that it plans to name and shame “offenders” appear to be something of a stretch.

The group is the Trustworthy Internet Movement which gives itself the catchy description of “a non-profit, vendor-neutral organization leveraging the power of the global security community to advance industry-wide technology innovations and initiatives for actionable change.”

It’s just unveiled SSL Pulse, an ongoing survey of 200,000 websites that use SSL to encrypt data passing back and forth between the user and the site. Each site is ranked on a variety of technical measures of how SSL is implemented, and the results will be continually updated.

Each site surveyed is given both a percentage score and a letter grade. At the time of writing, around 50 percent of sites have been given an A grade. However, only just under 10 percent of sites are declared completely secure.

The two main reasons for sites falling short are insecure renegotiation and vulnerability to the BEAST attack. The former, affecting 13 percent of sites, means that a flaw in SSL discovered in 2009 hasn’t been patched on the site; this makes it easier to carry out a “man in the middle” attack. The latter is a longstanding vulnerability that could let an attacker recover a user’s session cookies; 75 percent of sites are still at risk of it because they continue to use outdated protocols.

The group isn’t publishing tables of the most and least secure sites as such. However, people who use the tool to check a specific site can see listings of the results of the last 10 checks, along with the ten highest- and lowest-scoring sites from “recent” tests.