SSL certificates and encryption are supposed to protect websites and users, but there is a catch: for SSL (Secure Sockets Layer) to deliver that protection, it has to be configured correctly. According to new research from security firm Qualys presented at the Black Hat security conference last week, the majority of SSL-secured sites are not in fact fully secured. The new Qualys research builds on a study Qualys did last year that found configuration issues with SSL certificates.
“Initially we enumerated all public SSL servers and we looked at how they were configured, but there was always something missing,” Ivan Ristic, security researcher at Qualys, told InternetNews.com. “That missing ‘thing’ was that we wanted to perform a deep analysis of how Web applications are implemented.”
Ristic noted that there are many things that can be done incorrectly at the Web application level to negate SSL security. As part of the Qualys study, Ristic analyzed the 300,000 most popular SSL-secured sites in the world, looking for SSL-related flaws, and found a number of them, including the use of insecure cookies and the mixing of insecure traffic with secured traffic.
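The two application-level weaknesses named above can be checked from a site's own responses: a cookie set without the Secure attribute may be sent by the browser over plain HTTP, and a page served over HTTPS that pulls scripts or images from http:// URLs has mixed content. The checker below is an added example written for this page, not Qualys's tooling; the `Set-Cookie` headers and HTML it inspects are constructed sample data, and the hostnames in them are placeholders.

```python
"""Audit an HTTPS response for two application-level SSL weaknesses:
cookies missing the Secure attribute and mixed content (HTTP sub-resources
embedded in an HTTPS page).  Hypothetical checker written for this article;
the headers and HTML below are constructed, not captured from any site."""
from html.parser import HTMLParser

# Constructed Set-Cookie headers, as a server might return them.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly",        # session cookie, no Secure flag
    "prefs=dark; Path=/; Secure",                # fine
    "csrftoken=xyz; Path=/; Secure; HttpOnly",   # fine
]

# Constructed HTML for a page assumed to be served over HTTPS.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<a href="http://example.test/about">About</a>
<img src="/local.png">
</body></html>"""

# Elements whose src/href fetch a sub-resource into the page.  An <a href>
# is navigation, not mixed content, so it is deliberately not listed.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}


def insecure_cookies(set_cookie_headers):
    """Return the names of cookies whose attributes lack the Secure flag."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing


class MixedContentParser(HTMLParser):
    """Collect (tag, url, kind) for sub-resources referenced over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            kind = "active"
        elif tag in PASSIVE_TAGS:
            kind = "passive"
        else:
            return
        for attr, value in attrs:
            if attr in ("src", "href") and value and value.lower().startswith("http://"):
                self.findings.append((tag, value, kind))


def mixed_content(html):
    """Return the http:// sub-resources embedded in an HTTPS page."""
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit(set_cookie_headers, html):
    """Summarise both checks for one response."""
    return {
        "cookies_without_secure": insecure_cookies(set_cookie_headers),
        "mixed_content": mixed_content(html),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SET_COOKIE, SAMPLE_HTML)
    for name in report["cookies_without_secure"]:
        print(f"cookie {name!r} lacks Secure: may be sent over plain HTTP")
    for tag, url, kind in report["mixed_content"]:
        print(f"{kind} mixed content: <{tag}> loads {url}")
```

The active/passive split matters for triage: an http:// script or stylesheet can rewrite the whole page if tampered with in transit, whereas an http:// image exposes less, so the active findings are the ones to fix first.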