Up to 18 percent of Web servers using SSL (Secure Sockets Layer) encryption are potentially vulnerable to attackers because they rely on short keys, with the problem far more pronounced in Europe than in the U.S., according to the latest monthly survey of Web server usage conducted by Netcraft Ltd.
SSL is the common protocol for securing message transmission on the Internet, and it is built into every mainstream Web browser. The server's public key, held in its certificate and used to prove the server's identity to the browser, should be at least 1024 bits long. A shorter key is easier for an attacker to break, and whoever recovers the matching private key can impersonate the server, the Bath, England-based company said Tuesday in a survey posted on its Web site. With the RSA key exchange that SSL commonly used, the same private key also unlocks any recorded session, so the exposure is not limited to future impersonation.
Currently, about 60 percent of all Web sites using SSL are based in the U.S., and 15.1 percent of those sites use short keys, Netcraft said.
The proportion of Web sites using potentially vulnerable SSL keys becomes even larger outside of the U.S., the study found. In France, 41.1 percent of SSL sites use the shorter keys, followed by 31.9 percent in Spain and 26.5 percent in the U.K., Netcraft said.
In Canada, 13.5 percent of SSL Web sites are using short keys, the study said.
Although the U.S. government has eased export restrictions on strong cryptography, earlier restrictions are still having an effect on Net security today, said Netcraft.
"The U.S. export legislation and locally enacted legislation to restrict the use of cryptography in countries with repressive or eccentric administrations do still cast a shadow over the security of e-commerce even years after the acts have been repealed," Netcraft said.
Not only did earlier U.S. law limit SSL keys in exported software to 512 bits, but other countries, such as France, had similar laws imposing the same restriction, according to Ian Peacock, a security consultant for Netcraft.
"Though that law has been relaxed in the U.S. and elsewhere, it is still having a knock-on effect in terms of security today. Companies for example want to make sure that Web sites work with legacy servers and systems and therefore go with the 512-bit SSL key," Peacock said.
Because end users cannot easily tell which cryptography a server has chosen or how many bits its SSL key has, there is little pressure from them to improve such security, the survey said. Browsers display a lock symbol during SSL sessions to indicate that a site is secure, whatever the length of the key.
Netcraft suggested that browser developers could help improve future security by displaying a graded indication of key length.
"Unfortunately, for the end user, it's not extremely easy to check if an SSL encryption key is 1024 bits. Users can configure their browser to only accept 1024-bit certificates, but you do need to have at least some basic technical knowledge to be able to do that and the average end user either won't know how to do it or won't bother. The good news is that within the industry itself, there is an increasing move from 512 bits to 1024 bits," Peacock said.
He also pointed out that the problem isn't confined to SSL. TLS (Transport Layer Security), the successor to SSL, can suffer from the same problem because it has to be backwards compatible with existing Web sites and servers, Peacock said; the key length is a property of the server's certificate, which is the same whichever protocol version negotiates the session.
Netcraft did not have numbers to indicate what percentage of Web sites in North America and Europe that use TLS technology are vulnerable to hackers.
"For both SSL and TLS, there has been talk in the developer community to build browsers that indicate how strong the security connection is and it doesn't seem that would be too difficult to achieve," Peacock said.
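Peacock says checking a certificate's key length is not easy for an end user. The following added example (not from Netcraft or the article) shows how to read the RSA modulus size out of an X.509 certificate using only Python's standard library, and grade it against the survey's 1024-bit line, with 2048 bits noted as the floor accepted today. The certificates it parses are constructed in-line with a small DER encoder: structurally valid, unsigned placeholders whose moduli are arbitrary odd numbers, not real keys. All function names are the example's own.

```python
"""Read the RSA modulus size out of an X.509 certificate with only the
standard library, and grade it against the 1024-bit line the survey uses.

The sample certificates are constructed here with a tiny DER encoder:
structurally valid, unsigned placeholders whose moduli are arbitrary odd
numbers, NOT real keys."""
from typing import List, Optional, Tuple

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


# --- minimal DER encoder (only needed to build the constructed samples) ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    # Two's-complement, minimal length; a positive value whose top bit is set
    # gets a leading 0x00, exactly as an RSA modulus is encoded.
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


# --- minimal DER reader (the part a certificate check actually needs) ---
def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, end) for the single-byte-tag TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split a SEQUENCE body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits_from_spki(spki_body: bytes) -> Optional[int]:
    """SubjectPublicKeyInfo body -> modulus bit length, or None if not RSA."""
    (_, alg_body), (_, bit_string) = der_children(spki_body)
    oid = der_children(alg_body)[0][1]
    if oid != OID_RSA_ENCRYPTION:
        return None                        # DSA/EC keys need a different rule
    # BIT STRING value: one unused-bits byte, then RSAPublicKey ::= SEQUENCE
    _, rsa_pub, _ = der_read(bit_string[1:])
    modulus_bytes = der_children(rsa_pub)[0][1]   # first INTEGER is n
    return int.from_bytes(modulus_bytes, "big").bit_length()


def rsa_modulus_bits_from_cert(cert_der: bytes) -> Optional[int]:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body = der_children(cert_body)[0]
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return rsa_modulus_bits_from_spki(fields[5][1])


def grade_key(bits: int) -> str:
    """Under 1024 is the 'short key' the survey counts; 1024 was the
    threshold then, but 2048 is the minimum accepted today."""
    if bits < 1024:
        return "weak"
    if bits < 2048:
        return "legacy"
    return "ok"


def audit(cert_der: bytes) -> Tuple[Optional[int], str]:
    bits = rsa_modulus_bits_from_cert(cert_der)
    return bits, ("non-RSA" if bits is None else grade_key(bits))


def make_sample_cert(modulus_bits: int) -> bytes:
    """Constructed placeholder certificate with an RSA key of the given size."""
    n = (1 << (modulus_bits - 1)) | 1      # arbitrary odd number, not a real key
    rsa_pub = tlv(0x30, der_int(n) + der_int(65537))
    alg = tlv(0x30, tlv(0x06, OID_RSA_ENCRYPTION) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + rsa_pub))
    empty_name = tlv(0x30, b"")            # empty Name, enough for structure
    utc = tlv(0x17, b"010101000000Z")      # UTCTime placeholder
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + alg + empty_name
              + tlv(0x30, utc + utc) + empty_name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))   # placeholder signature


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, audit(make_sample_cert(size)))
```

For a live site, feed `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `rsa_modulus_bits_from_cert`; `openssl x509 -noout -text` on the same certificate prints the matching `Public-Key: (N bit)` figure. The grading thresholds are the example's own choice: the survey counted anything under 1024 bits as short, and 2048 bits is what certificate authorities and browsers require now.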