SSL certificates and encryption are supposed to protect websites and users, but there is a catch: for SSL (Secure Sockets Layer) to work, it needs to be configured properly. According to new research from security firm Qualys presented at the Black Hat security conference last week, the majority of SSL-secured sites are not in fact fully secured. The new research builds on a study Qualys did last year that found configuration issues with SSL certificates.
“Initially we enumerated all public SSL servers and we looked at how they were configured, but there was always something missing,” Ivan Ristic, security researcher at Qualys, told InternetNews.com. “That missing ‘thing’ was that we wanted to perform a deep analysis of how Web applications are implemented.”
Ristic noted that there are many things that can be done incorrectly at the Web application level to negate SSL security. As part of the Qualys study, Ristic analyzed the 300,000 most popular SSL-secured sites in the world, looking for SSL-related flaws, and found a number of them, including the use of insecure cookies and the mixing of insecure traffic in with secured traffic.
“In examining the 300,000 websites we looked for those that redirect to SSL immediately, since that’s the only way to be secure,” Ristic said. “If you have a mix between some portion of encrypted and unencrypted then you’re at risk from session hijacking.”
The Qualys survey found that only 20 percent of the surveyed sites properly redirected to SSL, leaving 80 percent, or 240,000 sites, at risk. “We didn’t have to try very hard to find problems when we did this research, as problems are everywhere,” Ristic said.
The other issue Ristic found was that on most of the surveyed sites, the forms where users enter data were unencrypted. According to Qualys’s survey, 54 percent of the surveyed sites that had a login form sent the form data over insecure HTTP.
“That means that if you’re in a rogue environment an attacker could modify a form on the fly without you noticing,” Ristic said.
The usage of declarative protection measures was another key area of Web application security that the Qualys study examined.
“Declarative protection measures are items that developers don’t need to be aware of and are items that a system administrator can often configure,” Ristic said. “Declarative protection measures tell the browser what to do, and what not to do.”
One example of a declarative protection measure is the use of the secure flag for cookies. Ristic explained that even for sites that are 100 percent SSL encrypted, if they don’t set the secure flag on their session cookie, those cookies can be sniffed by an attacker.
“There is a trick that you employ as a man in the middle, where you basically force the victim’s browser to give you the session value for a cookie,” Ristic said.
Ristic explained that the secure cookie flag is supposed to be set in the application itself. Setting a secure cookie is as easy as adding the word ‘secure’ in the settings for the cookie. Qualys’ examination found that only 14,506 sites, or approximately six percent of the survey base, had properly configured secure cookies. Put another way, 94 percent of SSL cookies could be at risk.
“There are so many of these problems and no matter how you slice it, so many sites are vulnerable,” Ristic said.
There is, however, a way to fix the problem.
“If you’re a server administrator running Apache you can use mod_headers to rewrite outgoing cookies to make them secure,” Ristic said. “You could secure an otherwise insecure application with that approach.”
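The mod_headers approach Ristic describes, as an added example that is not part of the original article or of Qualys’s research: an Apache configuration that redirects all plain HTTP requests to HTTPS (the immediate redirect the study looks for) and appends the Secure flag to every cookie the application sets. The hostname and certificate paths are placeholders.

```apache
# Plain-HTTP virtual host: send every request straight to HTTPS so no
# session ever starts over an unencrypted connection.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# HTTPS virtual host (requires mod_ssl and mod_headers to be loaded).
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem

    # Rewrite every outgoing Set-Cookie header to carry the Secure flag,
    # so the browser will only send the cookie back over HTTPS even if
    # the application forgot to set the flag itself. "always" applies
    # the edit to error responses as well as successful ones.
    Header always edit Set-Cookie ^(.*)$ "$1; Secure"
</VirtualHost>
```

After reloading Apache, confirm the change by checking that the application’s Set-Cookie response headers over HTTPS now end in “Secure”; cookies the application already flagged will carry the attribute twice, which browsers tolerate but which you can avoid by setting the flag in the application as Ristic recommends.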
Source: eSecurity Planet