Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 15th, 2008

SSL Encryption Certificates Used To Protect Websites Flawed, Affected Sites Include US Central Intelligence Agency, NASA, The World Bank

Rodney Thayer, a security researcher with Canola & Jones, has uncovered flaws in the encryption certificates used to protect the websites of hospitals, banks and even top-secret government spy agencies. The findings raise questions about compliance with regulations that require those organizations to adequately safeguard their online visitors.

Secure Sockets Layer (SSL) was developed in the mid-1990s to prevent websites that transact commerce or other sensitive business from being spoofed by attackers intent on defrauding visitors. It uses cryptographic certificates that let a visitor's browser verify that the site is operated by a particular company or organization.

Using ordinary search queries typed into Google, the researcher found 31 sites maintained by the US Central Intelligence Agency, NASA, the World Bank and Fortune 500 companies that used flawed Secure Sockets Layer certificates for authentication.

Among the flawed sites were a partner-accounts page offered by technology website CNET and an application page offered by Gartner, a company that dispenses advice on a host of security issues. Other organizations using defective certificates included the US Computer Emergency Readiness Team, Advanced Micro Devices, Intuit, Google, Mercedes-Benz, Adobe and Microsoft.

In many cases the certificates identified by Thayer had expired. In others the sites relied on an insecure protocol version known as SSL 2, on an obsolete 40-bit RC4 cipher, or on certificates that were misconfigured. In some cases the defective certificates accompanied web addresses that webmasters had long abandoned. This may seem innocuous, but Thayer warns that it erodes security by training users to click through the warnings that browsers generate automatically.
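As an added example (it is not part of the original article or of Thayer's research), the following Go program reproduces the certificate-level checks a browser performs before showing one of those warnings: validity window, name match and a path to a trusted root. It builds a constructed root CA and four hypothetical leaf certificates for www.example.com (current, expired, issued for the wrong name, and self-signed) and classifies each. The host name, CA name, serial numbers and validity windows are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Classify applies the checks a browser runs before deciding whether to
// warn: validity window, name match, then a path to a trusted root. Go's
// x509.Verify applies them in that order, so the first failure is reported.
func Classify(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	case errors.As(err, &unknown):
		return "untrusted-issuer"
	default:
		return "invalid: " + err.Error()
	}
}

// leafTemplate describes a server certificate for one DNS name (assumed
// value for this example) that is valid for the year ending at notAfter.
func leafTemplate(serial int64, name string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// sign issues template under parent, generating a fresh P-256 key for the
// subject. A nil parentKey means self-signed (parent must then be template).
func sign(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RunChecks builds a constructed root CA and four leaf certificates for a
// hypothetical host, then classifies each as of now. The fixtures are made up
// for this example; they are not the certificates surveyed in the article.
func RunChecks(now time.Time) (map[string]string, error) {
	const host = "www.example.com" // assumed host name
	day := 24 * time.Hour

	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-2 * 365 * day),
		NotAfter:              now.Add(10 * 365 * day),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := sign(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	cases := map[string]*x509.Certificate{
		"current":     leafTemplate(2, host, now.Add(90*day)),
		"expired":     leafTemplate(3, host, now.Add(-30*day)),
		"wrong-name":  leafTemplate(4, "staging.example.com", now.Add(90*day)),
		"self-signed": leafTemplate(5, host, now.Add(90*day)),
	}
	results := map[string]string{}
	for label, tmpl := range cases {
		parent, key := ca, caKey
		if label == "self-signed" { // right name, current dates, but no trusted issuer
			parent, key = tmpl, nil
		}
		cert, _, err := sign(tmpl, parent, key)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", label, err)
		}
		results[label] = Classify(cert, roots, host, now)
	}
	return results, nil
}

func main() {
	res, err := RunChecks(time.Now())
	if err != nil {
		panic(err)
	}
	for _, label := range []string{"current", "expired", "wrong-name", "self-signed"} {
		fmt.Printf("%-12s %s\n", label, res[label])
	}
}
```

The "expired", "hostname-mismatch" and "untrusted-issuer" outcomes correspond to the expired, misconfigured and abandoned-host certificates the article describes; each of them produces the browser warning users are being trained to ignore. SSL 2 and 40-bit RC4 are protocol and cipher-suite weaknesses rather than certificate defects, and Go's TLS stack cannot negotiate either, so finding those on a live server needs a scanner that still speaks the old protocol; they are outside what this check covers.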

SSL “suffers from the fact that it’s one of the exotic technologies that we all had to get working for the whole internet .com thing to happen,” Thayer says. “Everybody basically for the last 5 years at least who’s done this was just following a check list that got handed, so nobody’s really been thinking of this as a security issue.”

The Federal Information Processing Standards require federal agencies to use valid SSL certificates for web pages that accept employee logins. The Health Insurance Portability and Accountability Act and the Payment Card Industry rules place similar requirements on health care providers and online merchants.

Credit: The Register
