Winfried's Blog

Tuesday, November 09, 2010

SSL security and online psychosocial support – part 2, got SSL? you are not there yet!

In my previous post, I introduced Teus Hagen's research on the security of SSL on sites in the Netherlands. Although it was quite shocking to discover that there are still major counseling sites that don't use SSL at all, the story isn't finished yet.

Even when a site has SSL, the configuration might still allow insecure operations. In short, several things can go wrong:

  • The certificate can carry a wrong name, can be expired, or can be issued by an authority that is not recognized by the browser.
  • The configuration can allow old, broken ciphers, or it can allow key lengths so short that brute forcing becomes feasible.
  • The configuration can allow old, broken protocols.

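As an added illustration (not part of the original post), the snippet below shows the defender's side of each of the three points: a client context that refuses wrong names, expired or untrusted certificates, weak ciphers and old protocols, plus a small audit routine that sorts scanner-style observations into those same three flaw classes. The sample observation, the trusted-issuer name and the 2048-bit minimum are constructed assumptions for the demonstration.

```python
import ssl
from datetime import datetime, timezone

def hardened_client_context():
    """Client-side context that refuses each failure class listed in the post."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True                     # certificate name must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # expired or unknown-issuer certs are rejected
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # old, broken protocols are refused
    # Forward-secret AEAD suites only; anonymous, NULL, RC4, DES/3DES, export and MD5 suites are dropped.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT")
    return ctx

WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
OBSOLETE_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
MIN_KEY_BITS = 2048  # assumption: keys below this are treated as brute-forceable

def weak_ciphers_in(ctx):
    """Names of enabled suites that still carry a weak-algorithm marker (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]

def audit_observed(obs, host, now, trusted_issuers):
    """Classify one server's observed handshake parameters into the post's three flaw classes."""
    findings = []
    if host not in obs["cert_names"]:
        findings.append("certificate: name does not match host")
    if obs["not_after"] < now:
        findings.append("certificate: expired")
    if obs["issuer"] not in trusted_issuers:
        findings.append("certificate: issuer not trusted by the client")
    if any(m in obs["cipher"] for m in WEAK_MARKERS):
        findings.append("cipher: broken algorithm enabled (%s)" % obs["cipher"])
    if obs["key_bits"] < MIN_KEY_BITS:
        findings.append("cipher: key too short (%d bits)" % obs["key_bits"])
    if obs["protocol"] in OBSOLETE_PROTOCOLS:
        findings.append("protocol: obsolete version accepted (%s)" % obs["protocol"])
    return findings

# Constructed sample: what a scanner might report for a badly configured site.
SAMPLE_NOW = datetime(2010, 11, 9, tzinfo=timezone.utc)
SAMPLE_OBSERVATION = {
    "cert_names": ["www.example.org"],
    "not_after": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "issuer": "Unknown Private CA",
    "cipher": "RC4-MD5",
    "key_bits": 1024,
    "protocol": "SSLv3",
}
```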
Each of these can effectively render the SSL useless. So you would expect the admins of SSL sites to configure SSL on their site carefully. Unfortunately they don't. The research of Teus Hagen has shown that one third of all sites in the Netherlands have serious flaws in their SSL. In healthcare and online counseling it is even worse: of the 40 assessed sites, over half have serious flaws. Only 7 sites reach an acceptable level of security, with only passing with an 'A'.

So, using SSL is not the whole story: it must also be configured in the right way. Unfortunately, not many people are aware of this.
