Most SSL Sites Poorly Configured

A variety of news stories issuing from the Black Hat security conference this week in Las Vegas describe presentations in which researchers highlight holes in web browser security, including widespread problems with the implementation of SSL Certificates.

According to a report appearing Thursday on the Forbes blogs, security researchers Robert Hansen and Josh Sokol presented a list of 24 reasons, Wednesday, why users shouldn’t trust their browser’s padlock security indicator, the image typically associated with sites secured by SSL certificates.

The presentation reportedly divided threats into mostly low- and medium-level threats, with two that Hansen considered critical. All of those threats, said the presenters, require the hacker to deploy a man-in-the-middle program on the user’s network.

The first of the critical flaws was a “cookie-passing” trick, in which the hacker visits a site before a user, receiving a valid cookie that he then passes to the user. When the legitimate user visits the site, the hacker’s cookie then becomes associated with the user, enabling the hacker to access the user’s account.

The other critical issue was a technique through which a hacker can use an insecure tab in a user’s browser to send a request to install a plug-in once the user has opened a secure tab, making the request appear to come from the secure site.

All the slides from Hansen and Sokol’s presentation are embedded in the article.

SSL security and its vulnerabilities are a frequent topic at the annual Black Hat conference – which stands to reason, as it is one of the main security functions associated with ecommerce. Last year, Dan Kaminsky and Moxie Marlinspike presented vulnerabilities they had found in the issuing process for SSL certificates at the conference.

In a separate presentation at this year’s Black Hat, security researcher Ivan Ristic presented the results of a study that suggests close to 97 percent of SSL certificates are incorrectly configured, according to a report in eSecurity Planet.

Presenting the results of a study that examined 867,000 SSL certificates, Ristic said that nearly 97 percent of SSL certificates do not have the correct name on them, and don’t match the domain with which they are associated.

Of the 3 percent that matched, only one third were correctly configured – which meant, he said, 2,048-bit or better encryption and disabled support for the SSLv2 protocol.
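The three criteria above (certificate name covers the host, key of at least 2,048 bits, SSLv2 not offered) are easy to turn into a check. The following is an added example, not code from the article or from Ristic’s study: it audits a certificate in the dict shape Python’s `ssl.SSLSocket.getpeercert()` returns, with the key size and the offered protocol list supplied separately, since a scanner gathers those from the handshake. The hostname matching follows the usual rule that a leading wildcard covers exactly one label. The sample certificates and hosts are constructed for the example.

```python
"""Audit a TLS endpoint against the three configuration criteria named in
the article: name matches host, key >= 2048 bits, SSLv2 disabled.

Added example; the certificate dicts below are constructed and mimic the
structure returned by ssl.SSLSocket.getpeercert()."""


def _dns_names(cert):
    """Collect DNS names from subjectAltName; fall back to the subject CN
    only when no SAN entries are present (browsers do the same)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label matching exactly one
    label: *.example.com covers www.example.com but not example.com,
    a.b.example.com, or anything under a bare TLD such as *.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # ".example.com"
        if suffix.count(".") < 2:             # refuse wildcards like *.com
            return False
        if hostname.endswith(suffix):
            prefix = hostname[: -len(suffix)]
            return bool(prefix) and "." not in prefix
    return False


def audit(cert, hostname, key_bits, offered_protocols):
    """Return a list of findings; an empty list means the endpoint passes
    all three of the article's criteria."""
    findings = []
    names = _dns_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"name mismatch: certificate names {names} do not cover {hostname}")
    if key_bits < 2048:
        findings.append(f"weak key: {key_bits} bits (want 2048 or more)")
    if "SSLv2" in offered_protocols:
        findings.append("SSLv2 is still offered")
    return findings


# Constructed samples: one host of the kind the study counted as
# misconfigured, and one that meets all three criteria.
BAD_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "subjectAltName": (("DNS", "www.example.net"),),
}
GOOD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    cases = [
        ("bad", BAD_CERT, "shop.example.com", 1024, ["SSLv2", "SSLv3", "TLSv1"]),
        ("good", GOOD_CERT, "shop.example.com", 2048, ["TLSv1"]),
    ]
    for label, cert, host, bits, protocols in cases:
        print(label, audit(cert, host, bits, protocols) or ["ok"])
```

Against a live server, the certificate dict would come from `getpeercert()` on a connected socket and the protocol list from probing handshakes; the audit logic itself is unchanged.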

According to the report, Ristic speculates that the reason for the scarcity of properly-configured certificates is a lack of widespread documentation and education for the technology.

The Black Hat conference took place in Las Vegas this week, with training from July 24 to July 27, and briefings running from July 28 to July 29.

There is a wide range of SSL certificates available in the industry, but before you purchase or renew one you should look for the best support you can get from the various SSL certificate sellers and resellers; you can choose RapidSSL, GeoTrust, Thawte or Verisign to secure your eCommerce website with no hassle.

Original Source at

