SSL Pulse starts beating
The Trustworthy Internet Movement has launched SSL Pulse, a "real time" dashboard as part of an initiative to improve the quality of SSL implementations in use on the web. The Trustworthy Internet Movement (TIM) is a non-profit launched by the chairman and CEO of Qualys, Philippe Courtot, in February at the RSA conference. Its next step, it has decided, is to create a TIM SSL Taskforce to look at SSL governance and implementation across the internet.
The taskforce includes Michael Barrett, CISO at PayPal; Taher Elgamal, CIO at IdentityMind and one of the creators of the SSL protocol; Ryan Hurst, CTO at GMO GlobalSign Inc; Adam Langley, Staff Engineer at Google working on SSL/TLS in Chrome and on the company's services; Moxie Marlinspike, Whisper Systems founder (recently acquired by Twitter) and creator of Convergence; and Ivan Ristić, Qualys' Director of Engineering and creator of SSL Labs. The team will provide objective reviews of proposals to fix the issues that surround the SSL and Certificate Authority ecosystems, and will look to identify recommendable solutions to those problems.
Ristić's SSL Labs research, and the tools used for that research, power the SSL Pulse project. The system tracks nearly 200,000 high-profile web sites from the Alexa top one million site list and evaluates their SSL implementation on a regular basis. Around half the sites get an A rating, while the others could do with some degree of improvement.
In his blog, Ristić says that this is a good result, as previous surveys reported only 33% well-configured sites, and he suggests the more popular sites are better configured. Of the A-grade sites, though, 8.5% still support insecure renegotiation and 72.4% are vulnerable to the BEAST attack despite solutions being available. That, says Ristić, leaves only 9.6% of all sites that are "genuinely secure at this level of analysis".