[LINK] The 'Trustworthy Internet Movement'

stephen at melbpc.org.au stephen at melbpc.org.au
Thu Apr 26 01:25:59 AEST 2012


Haha, www.anu.edu.au scores an A (84), and www.optus.com.au also scores 
an A (88), but www.telstra.com.au scores an F (0). The test takes 2 min:

SSL Server Test

This free online service performs a deep analysis of the configuration of 
any SSL web server on the public Internet.

 https://www.ssllabs.com/ssltest/index.html

Title: SSL Pulse
Created by: SSL Labs
Date Published: April 25, 2012

Details:

SSL Pulse is a continuous and global dashboard for monitoring the quality 
of SSL support across the top one million web sites. SSL Pulse is powered 
by the assessment technology of SSL Labs, which is focused on auditing 
the SSL ecosystem, raising awareness, and providing tools & documentation 
to web site owners so they can improve their SSL implementations. 

Methodology 

The goal of the SSL Labs surveys is to measure the effective security of 
SSL. After some experimentation with an assessment of substantially all 
public SSL sites (about 1.5 million of them), we settled on a smaller 
list of about 200,000 SSL-enabled web sites, based on Alexa’s list of 
most popular sites in the world. Working with a smaller list is more 
manageable and allows us to conduct the surveys more often. It also 
allows us to conduct more thorough analysis to look for application-layer 
issues that may subvert SSL security. In addition, focusing on popular 
sites – we believe – gives us more relevant results and also excludes 
abandoned sites.

Having worked with several data sets, each drawing from a different list 
of sites, we have come to understand that what we are presenting in our 
surveys is not a measurement, but a reasonable approximation of the state 
of SSL. More important than the results from any one round of tests is 
how the measurements change over time. The adoption of a single selection 
methodology and a switch to monthly testing should give us an indicator 
of where we’re heading, which is what we believe matters. 
--

The above is a link off https://www.trustworthyinternet.org/ (and 
https://www.trustworthyinternet.org/ssl-pulse/)

BBC News item:

"Insecure websites to be named and shamed after checks. Companies who 
have done a bad job will be encouraged to improve and upgrade their 
implementations so it gets safer to use those sites." 

By Mark Ward, Technology correspondent, BBC News, 25 April 2012 
http://www.bbc.com/news/technology-17827919

Companies that do not do enough to keep their websites secure are to be 
named and shamed to help improve security.

The list of good and bad sites will be published regularly by the 
non-profit Trustworthy Internet Movement (TIM).

A survey carried out to launch the group found that more than 52% of 
sites tested were using versions of security protocols known to be 
compromised. 

The group will test websites to see how well they have implemented basic 
security software. 

Security fundamentals
 
The group has been set up by security experts and entrepreneurs 
frustrated by the slow pace of improvements in online safety.

"We want to stimulate some initiatives and get something done," said 
TIM's founder Philippe Courtot, serial entrepreneur and chief executive 
of security firm Qualys. He has bankrolled the group with his own money.

TIM has initially focused on a widely used technology known as the Secure 
Sockets Layer (SSL). 

Experts recruited to help with the initiative include SSL's inventor Dr 
Taher Elgamal; "white hat" hacker Moxie Marlinspike who has written 
extensively about attacking the protocol; and Michael Barrett, chief 
security officer at Paypal. 

Many websites use SSL to encrypt communications between them and their 
users. It is used to protect credit card numbers and other valuable data 
as it travels across the web.

"SSL is one of the fundamental parts of the internet," said Mr Courtot. 

"It's what makes it trustworthy and right now it's not as secure as you 
think."

Compromised certificates
 
TIM plans a two-pronged attack on SSL. 

The first part would be to run automated tools against websites to test 
how well they had implemented SSL, said Mr Courtot.

"We'll be making it public," he added. "Everyone is now going to be able 
to see who has a good grade and who has a bad grade."

Early tests suggest that about 52% of sites checked ran a version of SSL 
known to be compromised.

Companies who have done a bad job will be encouraged to improve and 
upgrade their implementations so it gets safer to use those sites. 

The second part of the initiative concerns the running of the bodies, 
known as certificate authorities, which guarantee that a website is what 
it claims to be.

TIM said it would work with governments, industry bodies and companies to 
check that CAs are well run and had not been compromised.

"It's a much more complex problem," said Mr Courtot.

In 2011, two certificate authorities, DigiNotar and GlobalSign were found 
to have been compromised. In some cases this meant attackers eavesdropped 
on what should have been a secure communications channel. 

Steve Durbin, global vice president of the Information Security Forum 
which represents security specialists working in large corporations, said 
many of its members took responsibility for making sure sites were secure.

"You cannot just say 'buyer beware'," he said. 

"That's not good enough anymore. They have a real duty of care."

He said corporations were also increasingly conscious of their reputation 
for providing safe and secure services to customers. 

Data breaches, hack attacks and poor security were all likely to hit 
share prices and could mean they lose customers, he noted.
--

Cheers,
Stephen
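As an added illustration of the kind of configuration check the SSL Server Test and SSL Pulse perform (this is not code from SSL Labs, TIM or the poster), the Go program below starts a throwaway TLS server on loopback with a chosen minimum protocol version, then makes one handshake per protocol version against it and reports which versions below TLS 1.2 it still accepts. The self-signed certificate, the loopback server, the "flag anything older than TLS 1.2" policy in legacyVersions and all function names are this example's own assumptions; the real SSL Labs test inspects far more than protocol versions (ciphers, certificate chain, renegotiation and so on).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// versionNames labels the protocol versions this example probes.
var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3",
}

// probeOrder fixes the order in which versions are tried and reported.
var probeOrder = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// selfSignedCert builds a throwaway certificate for 127.0.0.1 (constructed
// in memory) so the example can run a local TLS server without any files.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer runs a TLS server on a random loopback port that accepts only
// protocol versions >= minVersion. It returns the address and a stop function.
func startServer(minVersion uint16) (string, func(), error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					tc.Handshake() // the client learns the outcome from the handshake itself
				}
			}(conn)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// probeVersions makes one handshake per protocol version, pinning the client
// to exactly that version, and records which ones the server accepts.
func probeVersions(addr string) map[uint16]bool {
	accepted := make(map[uint16]bool)
	for _, v := range probeOrder {
		// InsecureSkipVerify only because the server presents our own throwaway
		// cert; the question here is which versions it negotiates, not who it is.
		cfg := &tls.Config{InsecureSkipVerify: true, MinVersion: v, MaxVersion: v}
		conn, err := tls.Dial("tcp", addr, cfg)
		accepted[v] = err == nil
		if err == nil {
			conn.Close()
		}
	}
	return accepted
}

// legacyVersions lists the accepted versions below TLS 1.2, the ones a
// configuration review would flag (this policy line is the example's own).
func legacyVersions(accepted map[uint16]bool) []string {
	var out []string
	for _, v := range probeOrder {
		if v < tls.VersionTLS12 && accepted[v] {
			out = append(out, versionNames[v])
		}
	}
	return out
}

func main() {
	addr, stop, err := startServer(tls.VersionTLS12)
	if err != nil {
		panic(err)
	}
	defer stop()
	accepted := probeVersions(addr)
	for _, v := range probeOrder {
		fmt.Printf("%-8s accepted=%v\n", versionNames[v], accepted[v])
	}
	fmt.Println("legacy versions still offered:", legacyVersions(accepted))
}
```

Pinning the client to a single version per attempt is what makes the probe informative: a normal client offers its whole range and the server picks the highest, which tells you nothing about whether the deprecated versions are still enabled. Changing the argument to startServer (for instance to tls.VersionTLS10) shows how the same probe reports a server that still offers the legacy versions.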
