[LINK] The 'Trustworthy Internet Movement'
stephen at melbpc.org.au
Thu Apr 26 01:25:59 AEST 2012
Haha, www.anu.edu.au scores an A (84), and www.optus.com.au also scores
an A (88), but www.telstra.com.au scores an F (0). The test takes 2 min:
SSL Server Test
This free online service performs a deep analysis of the configuration of
any SSL web server on the public Internet
https://www.ssllabs.com/ssltest/index.html
Title: SSL Pulse
Created by: SSL Labs
Date Published: April 25, 2012
Details:
SSL Pulse is a continuous and global dashboard for monitoring the quality
of SSL support across the top one million web sites. SSL Pulse is powered
by the assessment technology of SSL Labs, which is focused on auditing
the SSL ecosystem, raising awareness, and providing tools & documentation
to web site owners so they can improve their SSL implementations.
Methodology
The goal of the SSL Labs surveys is to measure the effective security of
SSL. After some experimentation with an assessment of substantially all
public SSL sites (about 1.5 million of them), we settled on a smaller
list of about 200,000 SSL-enabled web sites, based on Alexa's list of
most popular sites in the world. Working with a smaller list is more
manageable and allows us to conduct the surveys more often. It also
allows us to conduct more thorough analysis to look for application-layer
issues that may subvert SSL security. In addition, focusing on popular
sites we believe gives us more relevant results and also excludes
abandoned sites.
Having worked with several data sets, each drawing from a different list
of sites, we have come to understand that what we are presenting in our
surveys is not a measurement, but a reasonable approximation of the state
of SSL. More important than the results from any one round of tests is
how the measurements change over time. The adoption of a single selection
methodology and a switch to monthly testing should give us an indicator
of where we're heading, which is what we believe matters.
--
The above is a link off https://www.trustworthyinternet.org/ (and
https://www.trustworthyinternet.org/ssl-pulse/)
BBC News item:
"Insecure websites to be named and shamed after checks. Companies who
have done a bad job will be encouraged to improve and upgrade their
implementations so it gets safer to use those sites."
By Mark Ward. Technology correspondent, BBC News, 25 April 2012
http://www.bbc.com/news/technology-17827919
Companies that do not do enough to keep their websites secure are to be
named and shamed to help improve security.
The list of good and bad sites will be published regularly by the
non-profit Trustworthy Internet Movement (TIM).
A survey carried out to launch the group found that more than 52% of
sites tested were using versions of security protocols known to be
compromised.
The group will test websites to see how well they have implemented basic
security software.
Security fundamentals
The group has been set up by security experts and entrepreneurs
frustrated by the slow pace of improvements in online safety.
"We want to stimulate some initiatives and get something done," said
TIM's founder Philippe Courtot, serial entrepreneur and chief executive
of security firm Qualys. He has bankrolled the group with his own money.
TIM has initially focused on a widely used technology known as the Secure
Sockets Layer (SSL).
Experts recruited to help with the initiative include SSL's inventor Dr
Taher Elgamal; "white hat" hacker Moxie Marlinspike who has written
extensively about attacking the protocol; and Michael Barrett, chief
security officer at Paypal.
Many websites use SSL to encrypt communications between them and their
users. It is used to protect credit card numbers and other valuable data
as it travels across the web.
"SSL is one of the fundamental parts of the internet," said Mr Courtot.
"It's what makes it trustworthy and right now it's not as secure as you
think."
Compromised certificates
TIM plans a two-pronged attack on SSL.
The first part would be to run automated tools against websites to test
how well they had implemented SSL, said Mr Courtot.
"We'll be making it public," he added. "Everyone is now going to be able
to see who has a good grade and who has a bad grade."
Early tests suggest that about 52% of sites checked ran a version of SSL
known to be compromised.
Companies who have done a bad job will be encouraged to improve and
upgrade their implementations so it gets safer to use those sites.
The second part of the initiative concerns the running of the bodies,
known as certificate authorities, which guarantee that a website is what
it claims to be.
TIM said it would work with governments, industry bodies and companies to
check that CAs are well run and had not been compromised.
"It's a much more complex problem," said Mr Courtot.
In 2011, two certificate authorities, DigiNotar and GlobalSign, were found
to have been compromised. In some cases this meant attackers eavesdropped
on what should have been a secure communications channel.
Steve Durbin, global vice president of the Information Security Forum
which represents security specialists working in large corporations, said
many of its members took responsibility for making sure sites were secure.
"You cannot just say 'buyer beware'," he said.
"That's not good enough anymore. They have a real duty of care."
He said corporations were also increasingly conscious of their reputation
for providing safe and secure services to customers.
Data breaches, hack attacks and poor security were all likely to hit
share prices and could mean they lose customers, he noted.
--
Cheers,
Stephen