Big companies running unsafe websites will be named and shamed after 90 per cent of sites failed to meet a new security standard.
The non-profit Trustworthy Internet Movement will publish a list of companies which don’t do enough to keep their websites secure from hackers.
They’re focussing on SSL – Secure Sockets Layer – the most common technology for preventing security breaches, which is often not updated to the latest version.
TIM surveyed 200,000 of the world’s most popular websites and found that only 10 per cent were really up-to-date and secure against either of the two known attacks on SSL.
Crucially, SSL encrypts communication between websites and their users, scrambling valuable information like credit card numbers as it crosses the no-man’s-land of the internet.
Philippe Courtot, entrepreneur and chief executive of security firm Qualys, has bankrolled TIM with his own money.
“SSL is one of the fundamental parts of the internet,” Courtot told the BBC. “It’s what makes it trustworthy and right now it’s not as secure as you think.”
Courtot has recruited a team of experts to help with his security drive, including the inventor of SSL, Dr Taher Elgamal; Moxie Marlinspike, a ‘white hat’ hacker and expert on attacking SSL; and Michael Barrett, the chief security officer at internet payments giant PayPal.
One of TIM’s key tools is SSL Pulse, which runs a continual survey of the top 200,000 websites based on data from the Alexa web traffic monitor.
Just 52 per cent of sites receive an ‘A’ grade for their use of SSL, 13 per cent are exposed to an insecure renegotiation attack and 75 per cent are vulnerable to a BEAST attack on SSL.
The easiest ways for a company to improve its website security are to support the latest versions of SSL and TLS, and to use 1,024-bit security keys or better.
TIM is also pressing for better management at certificate authorities, which produce certificates that guarantee a website is genuine.
Without reliable certificates, criminals and hackers can impersonate a website and steal users’ data or eavesdrop on their communications.
In 2011, a hacker was able to force the certificate authorities Comodo and its affiliate DigiNotar to release certificates, and claimed to have hacked several other certificate authorities, although not all were found to have been compromised.