SSL/TLS: the most popular sites aren’t so safe

April 30th, 2012 - 09:45 am ET by J. G.

SSL Pulse has taken a look at the SSL security protocol (or TLS) used on close to 200,000 of the most popular web sites in the world. Only 10% of them are considered properly secured.

The SSL Pulse project has been presented as a dashboard that looks at the implementation of SSL (Secure Sockets Layer) on the Web. The tool is used in particular to demonstrate that the implementation of this technology often leaves a lot to be desired.

Also known as TLS (Transport Layer Security), SSL is a security protocol which encrypts sensitive data when conducting online transactions. This is the cornerstone on which Internet security is built, although the way it is deployed can compromise security.

Drawing on Qualys’ SSL Labs database, SSL Pulse checks the key lengths and protocol versions used by HTTPS sites. These can be SSL 3.0, TLS 1.0 or even TLS 1.1 or 1.2 when possible. SSL 2.0 is not recommended, as this version isn’t safe.

SSL Pulse has studied close to 200,000 SSL sites considered the most popular in the world according to Alexa’s rankings. Close to 50% of these sites scored an A, which means that the other sites should improve their SSL configuration.

But even with an A grade, and therefore a good SSL configuration, there are some slight weaknesses in terms of SSL renegotiation support and vulnerability to the BEAST attack (see our news). The first SSL Pulse analysis estimates that only 10% of all sites are really secure. A monthly update will provide information about how these sites are progressing in updating their security.

SSL Pulse is an initiative of the Trustworthy Internet Movement (TIM) implemented by security experts and entrepreneurs annoyed at the slow speed at which improvements are made to online security. This is a not-for-profit organization founded by Qualys’ CEO.

The first project implemented by TIM concerns SSL governance and proposals aimed at providing the internet with better protection. The workgroup consists of experts from PayPal, Google, Qualys, Whisper Systems (recently acquired by Twitter) and GMO GlobalSign (SSL certificates provider), along with one of the creators of the SSL protocol, Taher Elgamal.
