Slashdot Mirror


SSL Pulse Project Finds Just 10% of SSL Sites Actually Secure

Trailrunner7 writes "A new project that was set up to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure. The SSL Pulse project, set up by the Trustworthy Internet Movement, looks at several components of each site's SSL implementation to determine how secure the site actually is. The project looks at how each site is configured, which versions of the TLS and SSL protocols the site supports, whether the site is vulnerable to the BEAST or insecure renegotiation attacks and other factors. The data that the SSL Pulse project has gathered thus far shows that the vast majority of the 200,000 sites the project is surveying need some serious help in fixing their SSL implementations."

3 of 62 comments

  1. SSL can be kinda like a weight lifting belt.. by rastoboy29 · Score: 5, Insightful

    ..giving a false sense of security.

    For example, I've personally discovered hundreds of servers with compromised PHP scripts that worked merrily along via HTTPS, looking very secure.  Unfortunately, attackers can attack a poorly written script over HTTPS exactly as easily as via HTTP, compromise it, and steal information (or whatever) just fine.

  2. SSL just encrypts the channel. by khasim · Score: 5, Insightful

    SSL just encrypts the channel.
    SSL does not fix anything else.
    How could it?

    Crap code on a website is still crap code on a website whether you have an encrypted channel or clear text channel.

    1. Re:SSL just encrypts the channel. by Lennie · Score: 5, Insightful

      Which is perfect, it prevents a Network Intrusion Detection System from preventing the attack. ;-)

      --
      New things are always on the horizon