|90% of popular SSL sites vulnerable to exploits, researchers find |
By Dan Goodin | Published April 26, 2012 3:15 PM
Less than 10 percent of the most popular websites offering Secure Socket Layer protection are hardened against known attacks that could allow hackers to decrypt or tamper with encrypted traffic, researchers said Thursday.
The grim figure was generated by SSL Pulse, a website that monitors the effectiveness of the 200,000 most popular websites that use SSL, also known as Transport Layer Security, to protect e-mail and other sensitive data from being snooped on while in transit. The product of a group of SSL experts from Google, Twitter, PayPal, Qualys and other firms, SSL Pulse systematically scans all subdomains of the top-ranked sites as measured by Alexa for pages that use the protocol to prevent man-in-the-middle eavesdropping. By examining the top 200,000 SSL-enabled sites, the researchers aim to give a snapshot of the overall health of SSL protection, which is offered by an estimated 1.5 million sites in total.
Out of the 200,000 sites examined, only 19,024 were configured to withstand an attack discovered in 2009 that allows attackers to inject data into encrypted traffic passing between two endpoints. The vulnerability resides in the SSL protocol itself and can be exploited by renegotiating the protected session, something that often happens to generate a new cryptographic key. Just a few weeks after the bug was discovered, a Turkish grad student showed how it allowed him to steal Twitter login credentials that passed through encrypted data streams.
Although the Internet Engineering Task Force signed off on a fix in early 2010 and major SSL packages have been updated to include it, only 72 percent of the sites examined by SSL Pulse were found to be safe from renegotiation exploits. Of the remainder, 13 percent were classified as "insecure renegotiation," one percent was classified as offering both secure and insecure renegotiation, and 14 percent offered no renegotiation at all.
"On the application layer, you can make mistakes and programming mistakes that completely subvert SSL," Qualys Director of Engineering Ivan Ristic told Ars.
What's more, just 25 percent of the sites are able to withstand an experimental attack unveiled last year that allows attackers to silently decrypt data that is passing between a webserver and an end-user browser. BEAST, short for browser exploit against SSL/TLS, isn't easily eradicated, because patches would make websites incompatible for millions of people using older browsers. But websites can block attacks by using what's known as the RC4 cipher, because it doesn't use an encryption mode known as cipher block chaining, in which information from a previously encrypted block of data is used to encode the next block.
"Many people still believe that the BEAST attack is not practical," Ristic said. "I disagree with that because attacks only get better and never worse. If somebody is motivated enough, that someone will make the attack work."
Ristic said BEAST attacks would most likely be carried out in espionage campaigns sponsored by wealthy nation states.
He also said that SSL Pulse uncovered 19 private keys generated with 512-bit encryption, making them susceptible to brute forcing attacks that allow man-in-the-middle hackers to decrypt the protected traffic. The service also found 9 keys that were generated on systems running now-patched versions of Debian Linux that were so predictable attackers could guess them in a matter of hours.
On an Internet where packets often pass over open networks that can be passively monitored, SSL is frequently the only protection preventing passwords and other sensitive data from being intercepted by online criminals and state-sponsored spies. Last year, Google warned Gmail users in Iran to change their passwords after someone used fraudulently issued SSL certificates to impersonate the popular e-mail service. The attack, which stemmed from the breach of the now-defunct DigiNotar certificate authority in the Netherlands, was used to snoop on 300,000 Gmail users, mostly in Iran.
SSL Pulse is the brainchild of the Trustworthy Internet Movement, a recently formed group that has chosen SSL as its first project. Members include Ristic; Google Software Engineer Adam Langley; SSL researcher Moxie Marlinspike, whose company was recently acquired by Twitter; Michael Barrett, who is chief information security officer at PayPal; Taher Elgamal, founder and chief identity officer at IdentityMind and a co-creator of the SSL protocol; and Ryan Hurst, chief technology officer at GMO GlobalSign.