Hi malware fighters,
Many websites operate using outdated or malconfigured SSL-certificates and therefore are vulnerable to attacks, these are the conclusions from a survey to appear later this month. Rodney Thayer will make a presentation on his survey-results during the Chaos Communication Congress (CCC) in Berlin
(Dec. 27-30). It concerns dozens of problems found in SSL-certificates. "I show some web shops providing both access to wxw.shop.com as shop.com as well. They think this is helping users, but it can hamper SSL-certificates grand time."
Also Thayer found numerous sites with outdated certificates or using outdated vulnerable technologies like SSL 2 or 40-bit RC-4. "There is absolutely no reason to use SSL 2 any longer, where everybody knows it is "broken". In most cases using RC-4 can be a reason for a retailer to fail a PCI audit. One should not see these types of technologies anymore."
Check and double-check
Next to implementation problems also better standards should be brought in for certificate authorization suppliers. "During my survey I have found 247 legit certificate authorities, varying from the well-known Verisign organization to a small organization in Turkey that hands out free certificates almost "on the fly".
No Industrial Standards existing at the moment for certificate authority."
While certificate authorities does not always verify the validity of a certificate, firms should do this themselves on a regular basis, according to mentioned researcher. Users are advised to no longer ignore browser pop-ups and warnings. "Check your SSL-connection before you send sensible data." In Firefox you can use the Perspectives add-on to check verification and SSL Blacklist plug-in,
