Ninety Percent of HTTPS Websites Insecure

Tuesday, May 08, 2012

Dan Dieterle


Recently, the most popular websites that handle secure online transactions (online stores, banks, communication sites, etc.) were tested for security, and most did not fare very well.

Of the approximately 200,000 HTTPS (SSL-encrypted) websites tested, only about 10% are properly secured, according to the Trustworthy Internet Movement (TIM).

Also, about 75% of the sites are still vulnerable to a BEAST attack.

The test checks several key factors of an SSL deployment, including:

  • Cipher Strength
  • Key Exchange
  • Protocol Support
  • Certificate Information

The woes of SSL communication have been known for several years. Years ago, security researcher Moxie Marlinspike showed that SSL communications can be intercepted with a man-in-the-middle attack and the encryption stripped away, so that the information can be read unencrypted, using a program called SSLstrip.

Also, one of the tests used by TIM checked SSL sites for vulnerability to the Browser Exploit Against SSL/TLS (BEAST) attack. BEAST exploits a weakness in SSL that was discovered in 2004.

The attack combines JavaScript with a network sniffer to decrypt session cookies, which can then be used to hijack and take over the user's logged-in session.
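The four factors listed above (cipher strength, key exchange, protocol support, certificate information) and the BEAST condition just described can be turned into a concrete check. The grader below is an added example, not code from the article, from TIM or from SSL Labs: the ServerProfile fields, the grade thresholds and the two sample server profiles are assumptions chosen to illustrate the scoring idea, not the survey's published rules. The BEAST test encodes the defender-relevant fact that the attack needs a CBC cipher suite negotiable under SSL 3.0 or TLS 1.0, which is why enabling TLS 1.1 or later is the fix the rest of the page argues for.

```python
"""Toy TLS-configuration grader built around the four factors the survey
checks (cipher strength, key exchange, protocol support, certificate
information) plus a flag for the BEAST condition.  Added example: the
ServerProfile fields, thresholds and sample profiles are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Effective key length by cipher token in an IANA-style suite name, checked in
# order ("EXPORT" first: export suites also name a real cipher). Constructed list.
CIPHER_BITS = [
    ("EXPORT", 40), ("NULL", 0), ("3DES_EDE_CBC", 112), ("DES_CBC", 56),
    ("RC4_128", 128), ("AES_128", 128), ("AES_256", 256),
]
GRADES = ["A", "B", "C", "F"]  # best to worst


@dataclass
class ServerProfile:
    hostname: str
    protocols: List[str]      # versions the server will negotiate, e.g. "TLSv1.0"
    cipher_suites: List[str]  # every suite the server accepts
    key_exchange_bits: int    # size of the RSA/DH key backing the key exchange
    cert_valid_to: date
    cert_chain_trusted: bool
    cert_matches_hostname: bool


def cipher_bits(suite: str) -> int:
    """Symmetric key length of a suite; unknown names raise rather than pass."""
    for token, bits in CIPHER_BITS:
        if token in suite:
            return bits
    raise ValueError(f"unrecognised cipher suite: {suite}")


def beast_exposed(p: ServerProfile) -> bool:
    """BEAST needs a CBC suite negotiable under SSL 3.0 or TLS 1.0, where each
    record's IV is the previous ciphertext block; TLS 1.1+ sends an explicit
    per-record IV, so CBC suites there are not affected."""
    legacy = {"SSLv3", "TLSv1.0"} & set(p.protocols)
    return bool(legacy) and any("_CBC_" in s for s in p.cipher_suites)


def assess(p: ServerProfile, today: date) -> Dict[str, object]:
    """Return the letter grade and the findings that pulled it down."""
    findings: List[str] = []
    grade = "A"

    def cap(worst: str, msg: str) -> None:  # record a finding, lower the grade
        nonlocal grade
        findings.append(msg)
        if GRADES.index(worst) > GRADES.index(grade):
            grade = worst

    # Certificate information: any trust failure is disqualifying on its own
    if not p.cert_chain_trusted:
        cap("F", "certificate chain does not lead to a trusted root")
    if not p.cert_matches_hostname:
        cap("F", "certificate name does not match the hostname")
    if p.cert_valid_to < today:
        cap("F", f"certificate expired on {p.cert_valid_to.isoformat()}")
    # Protocol support
    if "SSLv2" in p.protocols:
        cap("F", "SSL 2.0 enabled")
    if "SSLv3" in p.protocols:
        cap("C", "SSL 3.0 enabled")
    if not {"TLSv1.1", "TLSv1.2"} & set(p.protocols):
        cap("B", "no TLS 1.1 or TLS 1.2 support")
    # Key exchange
    if p.key_exchange_bits < 1024:
        cap("F", f"{p.key_exchange_bits}-bit key exchange")
    elif p.key_exchange_bits < 2048:
        cap("B", f"{p.key_exchange_bits}-bit key exchange (below 2048)")
    # Cipher strength: a server is only as strong as the weakest suite it accepts
    weakest = min(cipher_bits(s) for s in p.cipher_suites)
    if weakest < 112:
        cap("F", f"weakest accepted cipher is {weakest}-bit")
    elif weakest < 128:
        cap("C", f"weakest accepted cipher is {weakest}-bit")
    if beast_exposed(p):
        cap("B", "BEAST: CBC suite negotiable under SSL 3.0 / TLS 1.0")
    return {"host": p.hostname, "grade": grade, "findings": findings}


# Constructed sample profiles; "today" is pinned so the report is reproducible.
TODAY = date(2012, 5, 8)
HARDENED = ServerProfile("bank.example", ["TLSv1.1", "TLSv1.2"],
                         ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                          "TLS_RSA_WITH_AES_128_CBC_SHA"],
                         2048, date(2013, 6, 1), True, True)
LEGACY = ServerProfile("shop.example", ["SSLv3", "TLSv1.0"],
                       ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                        "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
                       1024, date(2013, 6, 1), True, True)

if __name__ == "__main__":
    for profile in (HARDENED, LEGACY):
        report = assess(profile, TODAY)
        print(f"{report['host']}: grade {report['grade']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Running it grades the hardened profile A with no findings and the legacy profile C, with SSL 3.0, the missing TLS 1.1/1.2 support, the 1024-bit key, the 3DES suite and the BEAST exposure each listed. Note that the hardened profile still offers a CBC suite and is not flagged, because it refuses to negotiate TLS 1.0; the profile data would in practice come from a handshake probe of the server, which this example deliberately leaves out so it runs offline.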

A video of BEAST in operation along with additional information on the attack tool can be found on one of the developer’s websites.

TIM has created a task force of world-renowned security experts to try to tackle the SSL issue:

“The Trustworthy Internet Movement (TIM) is convening a task force that includes Taher Elgamal, one of the creators of the SSL protocol; Moxie Marlinspike, creator of Convergence; Ivan Ristic, director of engineering at Qualys; and other experts from Google, PayPal and GlobalSign. Ristic founded SSL Labs, a research project to measure and track the effective security of SSL on the internet.”

Changes definitely need to be made to the secure online transaction system. Several of the SSL issues have already been addressed, yet sadly it seems that the measures needed to properly secure SSL have simply not been deployed.

Cross-posted from Cyber Arms

Marc Quibell: So if you load their Beast program onto your machine...they can steal your current cookie. What's the difference between this and just loading a keylogger onto your machine? Wouldn't a keylogger also be considered an SSL vulnerability in this context? This sounded like a real man-in-the-middle attack that didn't rely on the client being pwned first...Or am I missing something?
Posted May 8, 2012
Dan Dieterle: Excellent questions, Marc. I think the "BEAST" attack is more of a "Proof of Concept" that the vulnerability does indeed exist.

It looks like the vulnerability was discovered in 2004, and an updated Transport Layer Security protocol (1.1) was created in 2006 to address it. But at this point, 75% of the sites tested above were not using the improved protocol. And apparently several web browsers still do not support it yet either.

SSLStrip seems much more probable and easier to use for an attacker than BEAST. But the attacker would still have to man-in-the-middle your communication stream for it to work.
Posted May 8, 2012
Marc Quibell: I think anything after man-in-the-middle attacks should all be discounted because the biggest challenge (and concern) is actually the man-in-the-middle scenario. No one -should-be-able-to insert themselves between the users and the Internet and intercept your traffic. This is akin to someone tapping your phone line! That would be a HUGE vulnerability in whatever allowed this to happen in the first place. Any vulnerability done after a MITM attack does not count, because EVERYTHING is vulnerable at that point. Http, https, IE, Mozilla, Chrome...This is not a problem with any software, it's an issue with someone who is spying on -all- your internet activity. It's the man-in-the-middle attack that should be addressed. I mean it's easy to set this up in a lab and do a proof of concept, just like it's easy to set up a phone tap, in a lab. But go ahead and do it in the wild, I'd like to see that happen on a wired connection, in a non-targeted, automated method that doesn't involve physical presence.

BTW who needs SSLStrip at that point, any sniffer like TShark, that can sniff the SSL handshake and grab the certificate exchange...no problem.

The only issue I have with this whole "everyone is vulnerable" scenario is trying to pin down -exactly what- people are vulnerable to. And if it first involves being pwnd in a major way, then it's not fair to pin it on SSL or websites, when the actual problem is a trojan/virus on a computer. Just trying to sort it all out Dan, thanks for the article.
Posted May 9, 2012
Dan Dieterle: Very good points, Marc. Not sure if you have seen it, but a few years back there was a video of Moxie (creator of SSLStrip) discussing an experiment he did with running SSLStrip off of a Tor exit node.

SSLStrip was able to recover usernames, passwords and credit card numbers from Tor users that used his exit node.

Granted, he used a man-in-the-middle attack, but he was still able to fool SSL into thinking that there was a secure encrypted connection from the host to the end user client. And the information was recovered in clear text.

Heck a couple of years ago, China diverted a chunk of the world's internet traffic (including US Government data) through their routers.

http://cyberarms.wordpress.com/2010/11/16/us-government-web-traffic-diverted-through-chinese-computers/

I completely agree with you about getting down to the root issues. I feel also that Man-in-the-middle attack or not, SSL should be a trusted encrypted channel from point a to point b.

And if issues have been pointed out, and fixes made, why in the world have they not been implemented?

Posted May 9, 2012
Marc Quibell: I think that still, the Tor example is another user...interaction requirement if you will...requiring the user taking inadvertent action to redirect their traffic, and not just SSL traffic - all traffic. That means the entire Internet is "insecure"! But we knew that already.

I still don't see how all of this is different from just having a keylogger trojan planted on a user's machine. SSL is secure, it's the end stations, the users who are not. On that note, Tor and other programs like that are seriously risky, ppl are asking for trouble when they use untrusted services, that download...untrusted content. IMHO of course. But in the end, I also agree with your last statement, if TLS 1.2 fixes this, it should be implemented. There are hardly any costs in doing this.
Posted May 9, 2012