Risky websites to be named and shamed


A new online tool aims to draw attention to websites with insecure implementations of SSL, the encryption protocol that is widely used for online authentication.


The 'Pulse' tool, part of the Trustworthy Internet Movement (TIM), allows the public to type in web addresses to find out whether the organisation has good SSL security.

According to the 'Pulse' tool, the UK Direct.gov web portal, used by UK citizens for financial transactions such as renewing car tax discs, does not have valid certificates for its domain.

Pulse was set up by the Trustworthy Internet Movement (TIM). Beyond checking individual sites, it also lists badly performing sites, in an effort to encourage the site owners to implement SSL properly, according to TIM backer and Qualys chief executive Philippe Courtot.


"We started to analyse the security implementation of SSL," Courtot told ZDNet UK at the Infosecurity Conference on Wednesday. "It was frustrating to see how many sites did not have SSL properly implemented."

SSL and its successor TLS are widely used online to authenticate transactions between browsers and websites. Web browsers and servers use TLS to prevent eavesdropping or tampering with a communication. Taher Elgamal, a cryptographer credited with co-inventing TLS, told ZDNet UK on Wednesday that one of the dangers of websites not using SSL correctly is that the websites could be spoofed.

"A user would go to a site thinking it was [legitimate], and it's not — actually, it's not your bank, it's a spoofing attack," said Elgamal.
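The "valid certificate for its domain" check behind the Direct.gov finding, and the name mismatch that lets a spoofed site be presented under another name, as an added illustrative example that is not part of this article or of the Pulse/SSL Labs tool: it applies the hostname-matching and validity-window rules a browser uses to a constructed certificate description. The SAN names, dates and hostnames are invented.

```python
from datetime import datetime, timezone

# Constructed sample: the subjectAltName DNS entries and validity window of a
# hypothetical certificate. Names and dates are invented for illustration.
SAMPLE_CERT = {
    "san_dns": ["www.example-portal.gov.uk", "*.apps.example-portal.gov.uk"],
    "not_before": datetime(2012, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2013, 1, 1, tzinfo=timezone.utc),
}
SAMPLE_NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)          # inside window
SAMPLE_EXPIRED_NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)  # after not_after


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one SAN dNSName against a hostname.

    A wildcard is only honoured in the leftmost label and covers exactly one
    label, as browsers do: *.a.b matches x.a.b but not y.x.a.b and not a.b.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".a.b"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def certificate_problems(cert: dict, hostname: str, now: datetime) -> list[str]:
    """Return the reasons the certificate is NOT valid for hostname at time now.

    An empty list means the certificate passes the name and time checks; it
    does not cover chain or revocation checks, which a full assessment adds.
    """
    problems = []
    if not any(dns_name_matches(name, hostname) for name in cert["san_dns"]):
        problems.append(f"name mismatch: {hostname} not covered by {cert['san_dns']}")
    if now < cert["not_before"]:
        problems.append("certificate not yet valid")
    if now > cert["not_after"]:
        problems.append("certificate expired")
    return problems


if __name__ == "__main__":
    # The bare domain is not in the SAN list, so a browser would warn here.
    print(certificate_problems(SAMPLE_CERT, "example-portal.gov.uk", SAMPLE_NOW))
```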

Pulse samples and assesses around 200,000 of the most popular websites every month, Qualys director of engineering Ivan Ristic told an event at the Infosecurity Conference. The tool is based on Qualys's SSL Labs technology.

TIM has not attempted to contact all of the website owners that are listed on Pulse, Ristic told ZDNet UK. However, website owners that are listed by the tool can appeal through SSL Labs.

"It has not been possible to notify all these companies," said Ristic.

People involved in TIM include Courtot, who put up $500,000 of his own money to back the movement, Elgamal, Ristic, GlobalSign chief technology officer Ryan Hurst, PayPal chief information security officer Michael Barrett, security researcher Moxie Marlinspike, and Google software engineer Adam Langley.

Hurst told ZDNet UK that the tool would not be any more useful to hackers than freely available SSL testing tools.