VNU Net: Weak Security Found in Many Web Servers
By John Leyden, VNU Net
One in three supposedly secure ebusiness servers are using software with known security weaknesses, and European sites are the worst offenders, according to a survey.
Eric Murray, a consulting security architect based in the US, found that in a random sample of more than 8000 web servers running the SSL protocol, 32 per cent were "dangerously weak."
Murray explained that these weak servers either support only the flawed SSLv2 protocol, use weak encryption, or have expired or self-signed digital certificates.
"These weaknesses make the transactions that are protected by these servers easy to attack with modern key-cracking and/or hacking attacks," said Murray, who added that there is no good reason for sites not to address the problems he has highlighted.
There is no technical or legal reason to limit secure servers to using only SSLv2, since SSLv3, which corrects known weaknesses, is available. Since US export regulations were relaxed in January to allow the export of 128-bit cryptographic products, there is also no reason to support only 40-bit cipher suites or 512-bit RSA keys.
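The criteria the article lists (SSLv2-only servers, 40-bit cipher suites, 512-bit RSA keys, and expired or self-signed certificates) can be turned into a simple assessment a site operator can run over the output of a TLS probe of their own servers. The following Python is an added example, not code from the article or from Murray's survey; the scan records are constructed, and the 1024-bit key and 128-bit cipher floors are assumptions of this example rather than thresholds stated in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Floors used by this example (assumed; the article only names the weak
# values it found: 40-bit cipher suites and 512-bit RSA keys).
MIN_RSA_BITS = 1024
MIN_CIPHER_BITS = 128


@dataclass
class ServerScan:
    """Constructed record of what a TLS probe of one server returned."""
    host: str
    protocols: set          # protocol versions the server will negotiate
    cipher_bits: int        # strength of the strongest cipher suite offered
    rsa_key_bits: int       # size of the certificate's RSA public key
    cert_subject: str
    cert_issuer: str
    not_before: datetime
    not_after: datetime


def assess(scan, now=None):
    """Return the weaknesses found in one scan; an empty list means none."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    if scan.protocols == {"SSLv2"}:
        reasons.append("only SSLv2 supported")
    if scan.cipher_bits < MIN_CIPHER_BITS:
        reasons.append(f"weak cipher suite ({scan.cipher_bits}-bit)")
    if scan.rsa_key_bits < MIN_RSA_BITS:
        reasons.append(f"weak RSA key ({scan.rsa_key_bits}-bit)")
    # A self-signed certificate carries the same name as issuer and subject.
    if scan.cert_issuer == scan.cert_subject:
        reasons.append("self-signed certificate")
    if now > scan.not_after:
        reasons.append("expired certificate")
    elif now < scan.not_before:
        reasons.append("certificate not yet valid")
    return reasons


def is_dangerously_weak(scan, now=None):
    return bool(assess(scan, now))


def summarise(scans, now=None):
    """Count weak servers in a sample, the way the survey reports a share."""
    weak = [s.host for s in scans if is_dangerously_weak(s, now)]
    return {"sampled": len(scans), "weak": len(weak), "weak_hosts": weak}


# Fixed reference time so the results are reproducible (constructed).
NOW = datetime(2000, 9, 1, tzinfo=timezone.utc)
UTC = timezone.utc

# Constructed sample: one sound server, one with every listed weakness,
# and one whose only problem is an expired certificate.
SAMPLE = [
    ServerScan("shop.example", {"SSLv2", "SSLv3"}, 128, 1024,
               "CN=shop.example", "CN=Example CA",
               datetime(2000, 1, 1, tzinfo=UTC), datetime(2001, 1, 1, tzinfo=UTC)),
    ServerScan("legacy.example", {"SSLv2"}, 40, 512,
               "CN=legacy.example", "CN=legacy.example",
               datetime(2000, 1, 1, tzinfo=UTC), datetime(2001, 1, 1, tzinfo=UTC)),
    ServerScan("stale.example", {"SSLv3"}, 128, 1024,
               "CN=stale.example", "CN=Example CA",
               datetime(1999, 6, 30, tzinfo=UTC), datetime(2000, 6, 30, tzinfo=UTC)),
]

if __name__ == "__main__":
    for scan in SAMPLE:
        print(scan.host, assess(scan, NOW) or "ok")
    print(summarise(SAMPLE, NOW))
```

Feeding this real probe results requires filling `ServerScan` from whatever scanner is in use; the assessment itself deliberately reports every weakness rather than stopping at the first, since a server that is SSLv2-only is usually also the one with the weak key and the self-signed certificate, and each needs fixing separately.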
The survey revealed that the security of European servers is particularly weak, because many still use web servers obtained before the export restrictions were relaxed. This was found to be particularly the case for sites running Microsoft's Internet Information Server rather than those running Apache.
The fact that many sites are vulnerable for no good reason is, according to Murray, explained by a tendency for businesses not to update their security software until websites become breached.
"Many sites don't bother to update or patch software, even when it is readily available, until they're forced to do so because someone has broken in. Until then, they are still open to well-known vulnerabilities," said Murray.
Matt Tomlinson, business development director at IT security consultancy MIS Corporate Defence, said the survey is one of the most comprehensive he had come across, and said the figure of a third of so-called secure websites actually being insecure matched the experience of MIS in the UK.
"Even if a web server is secure that is not the end of the issue. There is also the possibility of backdoors into a network, and hackers will not always go to the obvious point when they launch attacks," said Tomlinson.