More than half of all SSL servers run older, insecure versions of SSL; the Black Hat conference also detailed attacks against HTTPS browser sessions.
The good news about SSL websites is that most SSL sites run strong encryption. The bad news is that more than 60% of them are not configured properly. Ivan Ristic, Qualys' director of engineering for web application firewall and SSL, presented the results of his survey of 120 million registered domain names. Ristic found that about 20 million of those domains ran SSL, but only 720 thousand carried a valid SSL certificate. "That is a very small proportion, but it does not really mean that only a small part of the web uses SSL, as far as we know," said Ristic.
More to the point, more than half of all SSL sites still support SSLv2, an older and insecure version of the protocol. Only 38% of SSL sites are well configured, and 32% are still exposed to the previously disclosed protocol renegotiation vulnerability.
Meanwhile, researchers Robert Hansen and Josh Sokol described 24 techniques for attacking HTTPS/SSL in the browser from a man-in-the-middle position. These include cookie poisoning and injecting malicious content into a browser tab. The researchers warn that HTTPS does not guarantee confidentiality and integrity in the browser.
"The sky is not falling, but at the moment SSL is quite fragile," Hansen said at the Black Hat conference. "There need to be proper cookie flags, tab sandboxing and isolation, and so on." He recommends using a separate browser to access websites that hold sensitive information.
At the same time, Ristic said that although the security of SSL sites is mediocre, SSL is rarely attacked today. "I don't think SSL is the most common attack vector, because there are many more vulnerable targets, but we should start fixing the SSL problems now, which can be fixed."
Two thirds of SSL sites use the default settings, which leaves them very vulnerable to attack. "To solve this problem you should be vigilant, talk to the end users or the vendor, and see whether you can get a better configuration; that is probably the more feasible solution," said Ristic. For example, default support for an insecure protocol on an SSL server is a common mistake.
"Configuring an SSL server properly takes only 15 minutes: choose the key size for the certificate, disable the insecure protocols, and disable the insecure ciphers."
Insecure SSLv2 is vulnerable to man-in-the-middle attacks, although that version of SSL is in most mainstream browsers
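As an added example (not code from the article, from Qualys or from the researchers quoted), a small offline audit that applies Ristic's three fixes to a server's settings and flags the default-style configuration the article describes. The mod_ssl-style directive values, the expansion of `all`, the weak-keyword list and both sample configurations are assumptions constructed for this illustration.

```python
# Offline audit of mod_ssl-style settings against the article's three fixes (protocol
# versions, ciphers, key size). Added example; both sample configurations are constructed.

# Constructed samples: (SSLProtocol value, SSLCipherSuite value, RSA key bits).
DEFAULT_LIKE = ("all", "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", 1024)
HARDENED = ("all -SSLv2 -SSLv3", "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5", 2048)

# Assumption: 'all' expands to these versions (it depends on the OpenSSL build).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}
# Cipher-string keywords that select export, NULL, anonymous or broken ciphers.
WEAK_CIPHER_KEYWORDS = {"LOW", "EXP", "EXPORT", "NULL", "eNULL", "aNULL",
                        "ADH", "DES", "RC4", "MD5", "SSLv2"}
MIN_RSA_BITS = 2048

def enabled_protocols(value):
    # SSLProtocol syntax: 'all' enables every version, '-X' removes X, '+X' or 'X' adds.
    enabled = set()
    for token in value.split():
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled

def enabled_weak_ciphers(cipher_string):
    # Simplified OpenSSL cipher-string rules, limited to the weak keywords: '!X' bans X
    # everywhere, '-X' removes, '+X' only reorders, 'X' adds; 'RC4+RSA' still brings in RC4.
    tokens = cipher_string.split(":")
    banned = {t[1:] for t in tokens if t.startswith("!")}
    enabled = set()
    for token in tokens:
        if token.startswith(("!", "+")):
            continue
        names = set(token.lstrip("-").split("+"))
        if token.startswith("-"):
            enabled -= names
        else:
            hits = WEAK_CIPHER_KEYWORDS if "ALL" in names else names & WEAK_CIPHER_KEYWORDS
            enabled |= hits - banned
    return enabled

def audit(protocols, ciphers, rsa_key_bits):
    # Return the list of findings; an empty list means all three checks pass.
    bad = sorted(enabled_protocols(protocols) & INSECURE_PROTOCOLS)
    weak = sorted(enabled_weak_ciphers(ciphers))
    checks = [
        (bad, "insecure protocols enabled: " + ", ".join(bad)),
        (weak, "weak cipher keywords enabled: " + ", ".join(weak)),
        (rsa_key_bits < MIN_RSA_BITS, f"certificate key too small: {rsa_key_bits} bits"),
    ]
    return [message for hit, message in checks if hit]
```

Running `audit(*DEFAULT_LIKE)` reports all three problems, while `audit(*HARDENED)` returns an empty list.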