We're a long, long way from securing the Web with SSL/TLS

Summary: It sounds so simple: Just use SSL or TLS for secure Web connections. So, why are 99 out of the world's top 100 Web sites not automatically securing their connections?

Firesheep can certainly be misused as a hacking tool. It was meant, however, to serve as a wake-up call to everyone that Web site managers were doing a lousy job of securing their Web sites. How has that worked out? Not well at all, as far as I can tell.

I, and lots of other people, have written lots of stories about what you can do to protect yourself from Firesheep; how to keep your Wi-Fi connection safer; and what Web site administrators need to do to secure their sites. So, I'm sure some people at least are trying to practice safe Interneting. But, what about the Web hosting companies and the major Web sites? Eh, not so much.

Over at the official Firesheep Google group, there are 143 messages in all, and most of them are technical-support-style questions. I don't see a single message about how someone would go about securing their Web server. Mind you, there's no rocket science to getting started with Transport Layer Security (TLS) and Secure Sockets Layer (SSL), or with TLS/SSL over HTTP (HTTPS). But you'd think someone would ask. They haven't.

Far more telling is AccessNow's analysis of the top 100 Web sites. According to AccessNow, a group devoted to the belief that the realization of human rights and democracy in the twenty-first century depends on Internet access, only one of the 100 most popular Web sites currently uses TLS/SSL correctly.

The one site that does get it right is PayPal. There, both your login and all your activities are protected by encryption.

Other sites will let you force a secure connection with Firefox extensions such as HTTPS Everywhere and Force TLS. But there are fewer of them than you might think, and not all their pages are protected by HTTPS.

AccessNow's Web site spreadsheet (XLS format) shows that only Adobe; Hotfile, a file hosting site; Mozilla; and GoDaddy will let you manually protect all your Internet activities. Other popular sites, such as Google, Facebook, and YouTube, will let you manually protect some, but not all, of your activities on their sites.

The vast majority of popular Web sites, including Baidu, the Chinese search engine; Wikipedia; and the various national versions of Google, such as Google India and Google Hong Kong don't offer encrypted connection protection. In Google's case, according to AccessNow and my own tests, if you try to force the use of a secure connection on a national site all that happens is that you're redirected to a non-encrypted U.S. Google site. Not good.
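The HTTPS-to-HTTP redirect described above is easy to miss by eye. As an added example (not from the article or from AccessNow), here is a small audit that follows a redirect chain from an https:// URL and flags the downgrade; it runs offline against a constructed response table, and the hostnames in it are sample values, not measured results.

```python
from urllib.parse import urlparse, urljoin

# Constructed responses standing in for real servers: url -> (status, Location header).
# The second entry mirrors the pattern the article describes for national Google sites.
FAKE_RESPONSES = {
    "https://pay.example/": (200, None),
    "https://search.example.in/": (302, "http://www.search.example/"),
    "http://www.search.example/": (200, None),
    "https://loop.example/": (302, "https://loop.example/"),
}

def fake_fetch(url):
    """Stand-in for an HTTP HEAD request; returns (status, location) or None if unreachable."""
    return FAKE_RESPONSES.get(url)

def audit_https(url, fetch=fake_fetch, max_hops=5):
    """Follow redirects from an https:// URL and classify the outcome.

    Returns one of:
      'secure'      - the final 2xx response is served over https
      'downgraded'  - a redirect hands the client to plain http (sniffable, as with Firesheep)
      'unavailable' - the https endpoint does not answer, or the redirects never settle
    """
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            return "unavailable"  # redirect loop
        seen.add(url)
        resp = fetch(url)
        if resp is None:
            return "unavailable"
        status, location = resp
        if 200 <= status < 300:
            return "secure" if urlparse(url).scheme == "https" else "downgraded"
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # resolve relative Location headers
            if urlparse(url).scheme == "http":
                return "downgraded"
            continue
        return "unavailable"
    return "unavailable"  # too many hops

def audit_all(urls, fetch=fake_fetch):
    """Audit every https:// URL in the list; returns {url: verdict}."""
    return {u: audit_https(u, fetch) for u in urls if u.startswith("https://")}

if __name__ == "__main__":
    for u, verdict in audit_all(list(FAKE_RESPONSES)).items():
        print(f"{verdict:12} {u}")
```

Swap `fake_fetch` for a real HEAD request to audit your own site; a 'downgraded' verdict means a user who typed https:// still ends up on an unencrypted page.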

How can we fix this? AccessNow suggests that we sign a petition, saying: "To the executives of the world's 100 most visited websites, we demand privacy and security for everyone everywhere and call upon you to immediately install HTTPS security on all pages of your websites."

That's not a bad idea. I don't think it will work, mind you, but I think it's still worth trying. The only way I really see most Web sites installing automatic connection security is after some users lose important information on their sites to someone using Firesheep or a real network protocol sniffer. Then, after the Web site has had its pants sued off, and only then, will they finally spend the money to update their sites.

In the meantime, just watch what you say on-line. On most Web sites, most of the time, you never know who's listening.

Topics: Software Development, Browser, Google, Security

Talkback

12 comments
  • are you guys hiring proof readers?

    "only 99 of the 100 most popular Web sites currently use TLS/SSL correctly."
    SonofaSailor
    • RE: We're a long, long way from securing the Web with SSL/TLS

      @SonofaSailor yup that was a major stuff up, if you weren't being careful you might not realise it was obviously supposed to be 1 out of 100.
      No doubt someone will miss it.
      kurt@...
  • RE: We're a long, long way from securing the Web with SSL/TLS

    you are the worst writer ever. please quit.
    grimmer101
  • RE: We're a long, long way from securing the Web with SSL/TLS

    And what happens when one tries:

    https://www.zdnet.com/

    (Firefox)
    The connection has timed out

    The server at www.zdnet.com is taking too long to respond.

    * The site could be temporarily unavailable or too busy. Try again in a few moments.

    * If you are unable to load any pages, check your computer's network connection.

    * If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
    7mgte
    • Touché!

      @7mgte Good catch on the https. But this is ZDNet after all - "Do as I say, not as I do." is the functioning motto.
      shis-ka-bob
  • RE: We're a long, long way from securing the Web with SSL/TLS

    It is extremely true that we are an extremely long way from secure content on the web. Facebook in particular is extremely insecure and has almost become unusable today. With the latest Firesheep attack, these flaws have been demonstrated. I feel users should quit Facebook and join a safer social networking platform like Diaspora or perhaps MyCube, as they at least offer complete control over user content.
    craigmiller123
  • Why

    Why do sites like Wikipedia need security, except perhaps for authors/editors?

    OTOH, any site that takes credit card numbers is arguably criminally negligent if they don't.
    wkulecz
  • RE: We're a long, long way from securing the Web with SSL/TLS

    GMail is not in the Top 100 most visited sites?
    aep528
    • Gmail isn't a discrete website

      You're right that Gmail, as a service, allows HTTPS throughout. But it doesn't run on its own domain; it runs off google.com or a regional/national equivalent. I would imagine that's why it doesn't get counted as one of the top 100.
      aaronvanderwal
  • The world is not perfect

    ... so I'm having to pay for a VPN service to ensure my security. Thank God we at least have this option.
    OldGuru
  • RE: We're a long, long way from securing the Web with SSL/TLS

    Uh, AccessNow isn't a secure site.
    DaveDonaldson
  • RE: We're a long, long way from securing the Web with SSL/TLS

    >> "Then, after the Web site has their their sued pants off . . ." <<
    There, there; take your sued pants off, and you'll feel all better. (Not that I ever make mistakes, of course, but I thought this one was funny.)

    -- Tim McGowan
    TimothyMcGowan