A new project that assesses the quality of SSL-enabled websites, SSL Pulse, does not paint a very encouraging picture: 75% of the sites are vulnerable to the BEAST attack, and only 10% of them can be described as properly secure.
There is quite a bit of alarming data in what the project has gathered, and one of those pieces of information is that more than 148,000 of the sites surveyed are vulnerable to the BEAST attack, which was developed by researchers Juliano Rizzo and Thai Duong and disclosed last year. Their attack uses what's known as a chosen-plaintext attack against the AES implementation in the TLS 1.0 protocol and enables them to use a custom tool they wrote to steal and decrypt supposedly secure HTTPS cookies. The attacker can then hijack the victim's secure SSL session with a site such as an e-commerce site or online banking site.
The BEAST attack is complex, but it's a serious concern and the fact that three quarters of the top sites that the project surveyed are still vulnerable to the attack is troubling. Sites can protect against the attack by implementing mitigations in their TLS 1.0 deployments, including configuring their servers to only use the RC4 cipher during TLS 1.0 or SSL 3.0 sessions.
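As an added illustration of the exposure rule the paragraph above describes (this is example code, not SSL Pulse's scanner or anything from the article), the following offline check takes a server's cipher-suite configuration per protocol version and flags the combinations that matter for BEAST: a CBC-mode suite offered under TLS 1.0 or SSL 3.0. It encodes the article's 2012 workaround (only RC4 under those versions) as one of the constructed configurations, alongside a configuration that disables the legacy versions entirely. The suite names are OpenSSL-style strings and all three configurations are constructed for the example; note that RC4 has since been prohibited for TLS by RFC 7465, so today the durable fix is to drop TLS 1.0/SSL 3.0 rather than to prefer RC4 under them.

```python
"""Offline BEAST-exposure check for a TLS server configuration.

Added example, not code from the article or from SSL Pulse. The rule
encoded here is the one the article describes: BEAST is a chosen-plaintext
attack against CBC-mode suites negotiated under TLS 1.0 (or SSL 3.0), so a
server is exposed when one of those versions is enabled together with a
CBC cipher suite. RC4 is a stream cipher and so is not affected, which is
why it was the 2012 workaround (it is now prohibited by RFC 7465).
"""

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")           # authenticated modes, not CBC
BLOCK_MARKERS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA", "ARIA")
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1")               # versions with chained CBC IVs


def cipher_mode(suite: str) -> str:
    """Classify an OpenSSL-style suite name as 'aead', 'stream', 'cbc' or 'other'."""
    name = suite.upper()
    if any(marker in name for marker in AEAD_MARKERS):
        return "aead"
    if "RC4" in name:
        return "stream"
    if any(marker in name for marker in BLOCK_MARKERS):
        # Every pre-TLS-1.2 block-cipher suite runs the block cipher in CBC mode.
        return "cbc"
    return "other"


def beast_exposure(config: dict) -> dict:
    """Report which (protocol, suite) pairs expose a server to BEAST.

    `config` maps a protocol-version name to the list of cipher suites the
    server offers under that version. Only TLS 1.0 and SSL 3.0 are examined:
    from TLS 1.1 on, each CBC record carries an explicit IV, which removes
    the chaining the attack relies on.
    """
    exposed = []
    legacy_enabled = False
    for proto, suites in config.items():
        if proto not in LEGACY_PROTOCOLS:
            continue
        legacy_enabled = True
        for suite in suites:
            if cipher_mode(suite) == "cbc":
                exposed.append((proto, suite))
    return {
        "legacy_protocol_enabled": legacy_enabled,
        "beast_exposed": bool(exposed),
        "exposed_pairs": exposed,
    }


# Constructed configurations for the example (hypothetical servers).
WEAK = {
    "TLSv1": ["ECDHE-RSA-AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"],
    "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256"],
}

# The article's 2012 mitigation: nothing but RC4 under TLS 1.0 / SSL 3.0.
RC4_ONLY_LEGACY = {
    "TLSv1": ["ECDHE-RSA-RC4-SHA", "RC4-SHA"],
    "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256"],
}

# Legacy versions disabled altogether; a CBC suite under TLS 1.2 is not BEAST-exposed.
NO_LEGACY = {
    "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"],
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("rc4-only-legacy", RC4_ONLY_LEGACY),
                       ("no-legacy", NO_LEGACY)):
        report = beast_exposure(cfg)
        print(f"{label:16s} exposed={report['beast_exposed']} "
              f"legacy={report['legacy_protocol_enabled']} "
              f"pairs={report['exposed_pairs']}")
```

Feeding the check real data means collecting, for each protocol version the server accepts, the suites it will negotiate (for instance from the SSL Pulse report itself); the classification then answers the same question the project's percentages summarise for the top sites.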
On the project's website, the certificate quality of any URL can be checked.