SSL Encryption Certificates Used To Protect Websites Flawed, Affected Sites Include US Central Intelligence Agency, NASA, The World Bank
Rodney Thayer, a security researcher with Canola & Jones, has uncovered flaws in the encryption certificates used to protect the websites of hospitals, banks, and even top-secret government spy agencies. The findings raise questions about whether those sites comply with regulations requiring them to adequately safeguard their online visitors.
Secure Sockets Layer (SSL) was developed in the mid 1990s as a measure to prevent websites that transact commerce or other sensitive business from being spoofed by attackers intent on defrauding visitors. It uses cryptographic certificates that mathematically validate that the site is operated by a particular company or organization.
Using search queries typed into Google, the researcher found 31 sites maintained by the US Central Intelligence Agency, NASA, the World Bank, and Fortune 500 companies that used flawed SSL certificates for authentication.
Among the flawed sites were a page for partner accounts offered by technology website CNET and an application page offered by Gartner, a company that dispenses advice on a host of security issues. Other organizations using defective certificates included the US Computer Emergency Readiness Team, Advanced Micro Devices, Intuit, Google, Mercedes Benz, Adobe and Microsoft.
In many cases, the certificates identified by Thayer have expired. In other cases, the sites use an insecure protocol version known as SSL 2, an obsolete cipher known as 40-bit RC4, or certificates that are misconfigured. In some cases, the dysfunctional certificates accompany web addresses that webmasters abandoned long ago. This may seem innocuous, but Thayer warns that such certificates erode security by training users to click through the security warnings that web browsers generate automatically.
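The four failure modes listed above (expired certificate, hostname mismatch, obsolete protocol version, weak cipher) are exactly what a site owner should audit for. The following Python script is an added example, not code from the article or from the researcher; it uses only the standard library. The audit logic is pure and is exercised here on a constructed certificate dictionary in the format returned by `ssl.SSLSocket.getpeercert()`, so it runs offline; `audit_host` connects to a real server and feeds the audit with live data. The sample hostname `www.example.test` and the threshold constants are assumptions.

```python
"""Audit a TLS endpoint for expired certificates, hostname mismatches,
obsolete protocol versions and weak ciphers (added example)."""
import socket
import ssl
import time

# Protocol versions and cipher markers this audit flags (assumed policy).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
MIN_KEY_BITS = 128


def hostname_matches(hostname, cert):
    """Match hostname against subjectAltName DNS entries, falling back to
    the subject CN; a single leading wildcard label ('*.example.test') is
    honoured but never covers the bare domain or extra labels."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificate without SAN: use the CN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def audit(cert, protocol, cipher, hostname, now=None):
    """Return a list of findings (an empty list means nothing was flagged).

    cert     -- dict in getpeercert() format
    protocol -- string from SSLSocket.version(), e.g. 'TLSv1.2'
    cipher   -- (name, protocol, bits) tuple from SSLSocket.cipher()
    now      -- seconds since the epoch; defaults to the current time
    """
    now = time.time() if now is None else now
    findings = []
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if now > not_after:
        findings.append("certificate expired on %s" % cert["notAfter"])
    elif now < not_before:
        findings.append("certificate not valid until %s" % cert["notBefore"])
    if not hostname_matches(hostname, cert):
        findings.append("certificate does not cover hostname %s" % hostname)
    if protocol in OBSOLETE_PROTOCOLS:
        findings.append("obsolete protocol %s negotiated" % protocol)
    name, _, bits = cipher
    if bits < MIN_KEY_BITS or any(m in name.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher %s (%d bits)" % (name, bits))
    return findings


def audit_host(hostname, port=443, timeout=5.0):
    """Connect with the platform's default (verifying) context and audit the
    negotiated session; if the chain itself fails verification, report that
    as the single finding instead of raising."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return audit(tls.getpeercert(), tls.version(), tls.cipher(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return ["chain verification failed: %s" % exc.verify_message]


# Constructed sample certificate (not a real one) mirroring the article's
# cases: it expired at the end of 2008 and covers one wildcard sub-domain.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.partners.example.test")),
    "notBefore": "Jan 01 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2008 GMT",
}

if __name__ == "__main__":
    mid_2009 = ssl.cert_time_to_seconds("Jun 15 00:00:00 2009 GMT")
    for line in audit(SAMPLE_CERT, "SSLv2", ("RC4-MD5", "SSLv2", 40),
                      "www.example.test", now=mid_2009):
        print("FINDING:", line)
```

Run against a live host with `audit_host("www.example.test")`; the offline call in the `__main__` block reproduces the article's worst case (an expired certificate served over SSL 2 with 40-bit RC4) and prints three findings. Keeping `audit` free of network code is deliberate: the same checks can be run over certificates harvested by any other means, such as a periodic inventory of all hostnames an organization publishes, which is how abandoned addresses with stale certificates are usually caught.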
SSL “suffers from the fact that it’s one of the exotic technologies that we all had to get working for the whole internet .com thing to happen,” Thayer says. “Everybody basically for the last 5 years at least who’s done this was just following a checklist that got handed, so nobody’s really been thinking of this as a security issue.”
The Federal Information Processing Standards require federal agencies to use valid SSL certificates for webpages that accept employee logins. The Health Insurance Portability and Accountability Act and Payment Card Industry rules place similar requirements on health care providers and online merchants.
Credit: The Register