Internet SSL Survey 2011

Bruce Morton

Qualys SSL Labs has released its Internet SSL Survey Results for 2011, which were presented at Hack In The Box Amsterdam. The study focused on the ways poor website deployment undermines SSL: session cookies set without the Secure flag, mixed content, weak server configuration and trust handed to third-party sites whose content is embedded in the page.

The 2011 survey cross-referenced the Alexa top 1 million websites with data from the EFF SSL Observatory, which yielded more than 300,000 SSL sites. A custom Web crawler was then built to examine how those sites were deployed. The results are not encouraging:

  • Only 32 percent of SSL sites were configured well enough to be graded an “A”
  • 57 percent of SSL certificates use 1024-bit RSA keys or smaller; a minimum of 2048 bits is recommended
  • Virtually all SSL certificates are signed with SHA1 and RSA. Use of the vulnerable MD5 has virtually been eliminated, while SHA2 deployment has barely started. (NIST recommends SHA2, but industry support for it still lags.)
  • Close to 50 percent of trusted servers still support the insecure SSL v2 protocol, and there is virtually no support for TLS v1.1 or v1.2
  • 63 percent of servers support weak cipher suites with keys shorter than 128 bits
  • 35 percent of servers support insecure SSL renegotiation, that is, renegotiation without the secure renegotiation extension of RFC 5746
  • Only 21 percent of sites redirect visitors from plain HTTP to HTTPS for authentication
  • Only 15 percent of sites mark all of their session cookies Secure
  • 22 percent of sites serve mixed (HTTP and HTTPS) content on HTTPS pages
  • Only one third of login forms are protected with SSL
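
The deployment mistakes counted above can be checked mechanically. As an added example, not code from the survey, from Qualys SSL Labs or from the author, the Python below builds a server-side TLS context that excludes the protocol, cipher and renegotiation findings, and audits one fetched page for the remaining application-layer findings: redirect to HTTPS, Secure cookies, mixed content and login forms not served and submitted over HTTPS. It uses only the standard library; the example.test hostnames, response headers and HTML are constructed for illustration.

```python
"""Checks for the deployment mistakes the 2011 survey counted. Added example,
not the survey's crawler or Qualys SSL Labs code; standard library only, and
every URL, header and HTML snippet below is constructed."""
import ssl
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit


def hardened_server_context():
    """Server TLS settings free of the protocol and cipher findings: no SSLv2, SSLv3,
    TLS 1.0 or 1.1, no suites under 128 bits, no client-initiated renegotiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # needs OpenSSL >= 1.1.0h
    return ctx


def weakest_cipher_bits(ctx):
    """Smallest symmetric key strength among the suites a context actually offers."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


class _PageScanner(HTMLParser):
    """Records plain-HTTP sub-resources and the action of every form with a password field."""
    def __init__(self):
        super().__init__()
        self.insecure_resources = []
        self.login_form_actions = []
        self._form_action = None
        self._form_has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form_action = attrs.get("action") or ""
            self._form_has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._form_has_password = True
        if tag == "link":  # only stylesheet links are fetched as sub-resources
            rel = (attrs.get("rel") or "").lower()
            src = attrs.get("href") if "stylesheet" in rel else None
        else:
            src = attrs.get("src")
        if src and src.lower().startswith("http://"):
            self.insecure_resources.append(src)

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            if self._form_has_password:
                self.login_form_actions.append(self._form_action)
            self._form_action = None


def redirects_to_https(status, headers):
    """True if a plain-HTTP response sends the visitor on to an https:// URL."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = next((v for k, v in headers if k.lower() == "location"), "")
    return urlsplit(location).scheme == "https"


def audit_page(url, headers, body):
    """Run the survey's application-layer checks on one fetched page. headers is a
    list of (name, value) pairs so repeated Set-Cookie headers survive; returns
    a dict of findings, empty for a clean page."""
    findings = {}
    insecure = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            insecure += [m.key for m in jar.values() if not m["secure"]]
    if insecure:
        findings["cookies_without_secure_flag"] = insecure
    scanner = _PageScanner()
    scanner.feed(body)
    if urlsplit(url).scheme == "https" and scanner.insecure_resources:
        findings["mixed_content"] = scanner.insecure_resources
    # A login form is protected only if the page and its action URL are both HTTPS.
    unprotected = [a for a in scanner.login_form_actions
                   if urlsplit(urljoin(url, a)).scheme != "https"]
    if unprotected:
        findings["login_form_not_over_ssl"] = unprotected
    return findings


if __name__ == "__main__":
    print(redirects_to_https(301, [("Location", "https://www.example.test/")]))
    headers = [("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
               ("Set-Cookie", "lang=en; Path=/; Secure")]
    body = ('<link rel="stylesheet" href="http://cdn.example.test/site.css">'
            '<script src="https://cdn.example.test/app.js"></script>'
            '<form action="http://www.example.test/login" method="post">'
            '<input name="user"><input type="password" name="pw"></form>'
            '<img src="http://img.example.test/logo.png">')
    print(audit_page("https://www.example.test/", headers, body))
    print(weakest_cipher_bits(hardened_server_context()))
```

`weakest_cipher_bits` reads back what OpenSSL actually enabled for the cipher string rather than trusting the string itself, which is the check worth running after any edit to a cipher list. The scanner treats only `src` attributes and stylesheet `<link>`s as sub-resources and only forms containing a password field as login forms; the survey's crawler was more thorough, but the page does not say how.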

In the final analysis, Internet security can be greatly improved if website operators use SSL and deploy it properly. I recommend the following:

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
