Serious security holes found in many SSL encryption certificates
December 16, 2008
A recent report reveals serious security holes in the SSL certificates used to protect the Web sites of prominent banks, financial institutions, eCommerce sites, hospitals and even government intelligence agencies. The findings raise a pointed question: are those sites complying with the regulations that require them to safeguard their online activities?
Among the flawed pages were a partner-account page on technology site CNET.com and an application page at Gartner, a research firm that, among other things, advises companies around the world on security issues.
Other organizations using defective SSL certificates included the U.S. Computer Emergency Readiness Team (US-CERT), Advanced Micro Devices (AMD) and Microsoft itself.
Rodney Thayer, a security researcher with Canola & Jones Security Consultants, spent a day and a half looking for weak Web sites using nothing more than a handful of search queries typed into Google and Yahoo. He found no fewer than thirty-one sites, maintained by the CIA, NASA, the World Bank and a number of Fortune 500 companies (about eight of them large IT companies), that relied on seriously flawed SSL certificates for authentication.
SSL certificates ("certs") were introduced in the mid-1990s to keep sites that handle eCommerce or other sensitive business from being spoofed by attackers out to defraud visitors. A certificate binds the site's public key to the name of a specific company or legal entity, vouched for by a certificate authority, so that a browser can cryptographically verify it is talking to the holder of that key and not to an impostor.
Unfortunately, too few webmasters put real effort into deploying and maintaining their certificates. That neglect is a serious oversight: a certificate that has lapsed or is misconfigured does little to prevent theft of data and makes online fraud easier.
In many cases the certificates Thayer identified had expired months earlier; in at least four of the cases analyzed they had expired more than a year earlier. Other sites still accepted SSL 2, an obsolete protocol version with known design flaws, negotiated 40-bit RC4, or served misconfigured certificates. RC4 itself dates from 1987, and 40 bits was the key-size ceiling imposed by the U.S. export rules of the 1990s; a 40-bit key space can be searched by brute force on ordinary hardware, so the cipher offers no real protection.
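The conditions listed above (expired certificates, an obsolete protocol version, a 40-bit cipher, a certificate that does not match the site) are exactly what a browser evaluates before it decides whether to show a warning. The following added example, which is not part of the report or of this article, performs the same checks on the plain values Python's standard `ssl` module returns from `getpeercert()` and `cipher()`, so the logic can be exercised offline on a constructed certificate dictionary; the `audit_live()` helper feeds it from a real connection. The host names, dates and cipher names in the sample data are invented for illustration and do not describe any site named in the report.

```python
"""Judge what a TLS server presents the way a browser does before it warns:
certificate validity window, host-name match, and the negotiated protocol
version and cipher. The checks take the plain values Python's ssl module
returns (getpeercert(), cipher()), so they run on constructed input without
a network; audit_live() feeds them from a real connection."""
import socket
import ssl
import time

# Protocol versions a modern client should refuse to negotiate.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def cert_expiry_status(cert, now=None):
    """Return (inside_validity_window, days_remaining) for a getpeercert()
    dict. days_remaining is negative once the certificate has expired."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_remaining = int((not_after - now) // 86400)
    return not_before <= now <= not_after, days_remaining


def _dns_name_matches(pattern, hostname):
    """RFC 6125 rules: case-insensitive; exact match, or a wildcard standing
    for exactly one leftmost label (*.example.com matches www.example.com
    but neither example.com nor a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def hostname_matches(cert, hostname):
    """Use subjectAltName dNSName entries; fall back to the subject CN only
    when the certificate carries no SAN at all (pre-SAN legacy behaviour)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_name_matches(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(cn, hostname) for cn in cns)


def negotiation_findings(protocol, cipher_name, secret_bits):
    """Flag what the report calls out: obsolete protocol versions, RC4, and
    keys shorter than 128 bits (40-bit RC4 is brute-forceable outright)."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"obsolete protocol {protocol}")
    if "RC4" in cipher_name.upper():
        findings.append(f"RC4 cipher {cipher_name}")
    if secret_bits < 128:
        findings.append(f"{secret_bits}-bit key")
    return findings


def audit(cert, hostname, protocol, cipher_name, secret_bits, now=None):
    """Combine the checks into the list of problems a browser would warn
    about; an empty list means nothing to complain about."""
    findings = []
    valid, days = cert_expiry_status(cert, now)
    if not valid:
        findings.append(f"certificate expired {-days} days ago" if days < 0
                        else "certificate not yet valid")
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate not issued for {hostname}")
    findings.extend(negotiation_findings(protocol, cipher_name, secret_bits))
    return findings


def audit_live(hostname, port=443, timeout=5.0):
    """Run the audit against a real server. The default context verifies
    against the platform trust store, so a certificate it rejects never
    completes the handshake; that case is reported from OpenSSL's message."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cipher_name, protocol, secret_bits = tls.cipher()
            return audit(tls.getpeercert(), hostname, protocol, cipher_name, secret_bits)
    except ssl.SSLCertVerificationError as exc:
        return [f"rejected by trust store: {exc.verify_message}"]


# Constructed sample in the shape getpeercert() returns; not a real
# certificate from any site named in the report. As of the article's date it
# has been expired for a full (leap) year.
AUDIT_TIME = ssl.cert_time_to_seconds("Dec 16 00:00:00 2008 GMT")
SAMPLE_EXPIRED_CERT = {
    "subject": ((("commonName", "login.example.com"),),),
    "subjectAltName": (("DNS", "login.example.com"), ("DNS", "*.partners.example.com")),
    "notBefore": "Dec 16 00:00:00 2006 GMT",
    "notAfter": "Dec 16 00:00:00 2007 GMT",
}
SAMPLE_CURRENT_CERT = dict(SAMPLE_EXPIRED_CERT, notAfter="Dec 16 00:00:00 2009 GMT")

if __name__ == "__main__":
    print(audit(SAMPLE_EXPIRED_CERT, "login.example.com", "SSLv2", "RC4-MD5", 40, AUDIT_TIME))
    print(audit(SAMPLE_CURRENT_CERT, "app.partners.example.com", "TLSv1.2",
                "ECDHE-RSA-AES128-GCM-SHA256", 128, AUDIT_TIME))
```

Run with `python3 audit_tls.py` to see the four findings for the expired sample and an empty list for the current one; `audit_live("www.example.com")` performs the same audit over the network. Note that `audit_live()` deliberately keeps verification enabled: with `CERT_NONE`, `getpeercert()` returns an empty dict, so the only way to learn why a bad certificate failed is OpenSSL's `verify_message`, which the except clause surfaces.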
Thayer's findings raise questions about whether the sites using these certificates comply with the regulations that govern medical providers, federal agencies and merchants that accept credit cards online.
For instance, the Federal Information Processing Standards (FIPS) require federal agencies to use valid SSL certificates on Web pages that accept employee logins. The Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) place similar requirements on health care providers and online merchants respectively.
In other cases, broken online application forms were still reachable at addresses that webmasters had abandoned during earlier site updates and maintenance.
This may seem trivial, but Thayer warns that such leftovers erode security by training users to click through the SSL warnings their browsers raise. A user who has learned that the warning on a legitimate but neglected site is "normal" will click through the same warning on a spoofed one.
"Overall, SSL security certificates today suffer from the fact that they are one of the most exotic technologies that we all had to get working for the whole Internet revolution to happen. Since about 2003, almost every Internet user who's done this was just following a checklist that got handed to them, so nobody's really been thinking of this as a security issue. Our research also reveals that there is not enough accountability in many organizations that should know better."
Other companies in Thayer's findings include Intuit, Google, Mercedes-Benz and Adobe, which had security holes in at least three parts of its sites.
It will be interesting to see whether, and how far, the situation improves over the next year. At a time when almost all of the business world relies heavily on the Internet for transactions, sales, research and other mission-critical functions, the revelations from Canola & Jones and similar security firms are worrisome, to say the least.
Source: Canola & Jones Security Consultants.