Unsecure websites to be 'named and shamed'

Published Apr 25 2012, 11:54 BST

[Image: A computer keyboard. © stock.xchng]

Companies and brands that do not take sufficient actions to ensure their websites are secure are to be 'named and shamed' in a bid to improve web security.

Non-profit agency the Trustworthy Internet Movement (TIM) has confirmed plans to publish a list of good and bad sites on a regular basis.

The group intends to test how well websites have implemented basic security software as part of efforts to make the web safer.

It has focused initially on technology known as the Secure Sockets Layer (SSL), which is widely used to encrypt communications, such as financial information.

But TIM's founder Philippe Courtot, the chief executive of security firm Qualys, said that SSL is not as effective as people think it is.

"SSL is one of the fundamental parts of the internet," he told BBC News. "It's what makes it trustworthy and right now it's not as secure as you think."

Courtot hopes that TIM, which has recruited a number of internet security specialists, will be able to "stimulate some initiatives and get something done".

The group will make its research and findings public, as Courtot puts it, to show "who has a good grade and who has a bad grade".

The organisation has already introduced SSL Pulse, a continuously updating online dashboard that shows the "state of the SSL ecosystem at a glance".

Early data suggests that 50% of the almost 200,000 popular websites monitored ran a version of SSL known to be compromised.

Many of the sites deemed to have 'A-grade' secure SSL status were noted to still support "insecure renegotiation", or were "vulnerable" to an attack known as BEAST.

Companies that are under-performing will be encouraged to improve and upgrade their security.

TIM will also call on certificate bodies, such as DigiNotar and GlobalSign, to improve their practices and ensure that websites are what they claim to be.

In a blog post, TIM associate and Qualys director Ivan Ristic said: "While it is possible today to deploy SSL and to deploy it well, the process is difficult: the default settings are wrong, the documentation is lacking, and the diagnostic tools are inadequate.

"For these reasons, we cannot say that the Web is yet secure, but we hope that someday it will be.

"The purpose of SSL Pulse is to bring visibility to SSL implementation issues on the web, and while businesses are starting to fix these issues we can keep track of progress made towards making SSL more robust and widely adopted on the internet."
