The Trustworthy Internet Movement, a non-profit initiative formed in February to help address ongoing security issues on the internet, has unveiled its first project – an online dashboard called SSL Pulse that monitors the quality of SSL support across websites.
Launched at Infosecurity Europe yesterday, SSL Pulse is currently tracking just under 200,000 websites with valid certificates, representing the majority of SSL sites in the Alexa top one million list. Of those, only 50% get an A-grade and the rest could use improvement, according to TIM.
Anyone can use SSL Pulse to check whether a website has a secure SSL function and view a list of the best and worst performing sites.
Speaking at the event, Philippe Courtot, founder of TIM and chairman and CEO of Qualys – whose technology powers the platform – said the idea of Pulse is not to name and shame organisations which are not up to standard, but to raise awareness and provide tools for website owners to improve their SSL implementations.
“SSL promises security, but if not managed properly it gives users a false sense of security,” said Courtot. “If everybody knows, there are no excuses; anybody can see your grade and you can check any website on the planet in about a minute.”
According to current figures on Pulse, only 10% of all SSL-enabled websites are currently secure. Meanwhile, 40% support weak or insecure cipher suites, and only 8% have an Extended Validation certificate.
Ivan Ristic, director of engineering at Qualys, said the figures will be more meaningful once they have gained some historical context. However, he highlighted that 75% of sites are still vulnerable to the BEAST attack, which was demonstrated in 2011 but exploits a weakness in the CBC cipher suites of SSL 3.0 and TLS 1.0 that has been known about since 2004.
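To make concrete what the figures above measure, here is an added illustration of a configuration check of the kind a scanner performs. It is not Qualys' or SSL Labs' grading code, and the weak-suite list and the letter-grade rubric are hypothetical simplifications. It assumes the protocol versions and cipher suites have already been enumerated from the server (in the server's preference order, using OpenSSL suite names); the sample configurations are constructed for the example.

```python
"""Simplified TLS configuration assessment (added illustration, not SSL Labs' algorithm)."""
import re
from typing import Dict, List

# Server configuration: protocol version -> cipher suites in the server's
# preference order (OpenSSL names), as a scanner would have enumerated them.
TlsConfig = Dict[str, List[str]]

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}

# Suites with no authentication (ADH/AECDH), no or export-strength encryption,
# single DES, RC4 or an MD5 MAC. Hypothetical list for illustration only.
WEAK_SUITE = re.compile(r"NULL|EXP-|ADH|AECDH|RC2|RC4|MD5|DES-CBC-SHA", re.I)

# Findings that by themselves would fail the hypothetical rubric.
FATAL_SUITE = re.compile(r"NULL|EXP-|ADH|AECDH", re.I)


def is_cbc_suite(suite: str) -> bool:
    """Heuristic: anything that is not an AEAD, stream or NULL suite is CBC."""
    return not re.search(r"GCM|CCM|CHACHA20|RC4|NULL", suite, re.I)


def beast_exposed(config: TlsConfig) -> bool:
    """BEAST targets CBC suites under SSLv3/TLS 1.0, where each record's IV is
    the previous record's last ciphertext block. The server counts as exposed
    if, for either version, the suite it prefers is a CBC suite.

    Caveat: the 2012-era server-side mitigation was to prefer RC4 for these
    versions; RC4 is itself broken today, so the real fix is negotiating
    TLS 1.1 or later and, today, disabling TLS 1.0 entirely.
    """
    for version in ("SSLv3", "TLSv1.0"):
        suites = config.get(version, [])
        if suites and is_cbc_suite(suites[0]):
            return True
    return False


def assess(config: TlsConfig) -> dict:
    """Return the findings a dashboard like Pulse would summarise for one site."""
    deprecated = sorted(v for v in config if v in DEPRECATED_PROTOCOLS)
    weak = sorted({s for suites in config.values() for s in suites if WEAK_SUITE.search(s)})
    beast = beast_exposed(config)
    modern = any(v in ("TLSv1.1", "TLSv1.2", "TLSv1.3") for v in config)

    # Hypothetical verdict rubric, not the real SSL Labs grading.
    if deprecated or any(FATAL_SUITE.search(s) for s in weak):
        verdict = "F"
    elif weak or beast or not modern:
        verdict = "C"
    else:
        verdict = "A"

    return {
        "deprecated_protocols": deprecated,
        "weak_suites": weak,
        "beast_exposed": beast,
        "verdict": verdict,
    }


# Constructed sample configurations (not real sites).
GOOD: TlsConfig = {
    "TLSv1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"],
    "TLSv1.1": ["ECDHE-RSA-AES128-SHA"],
}
LEGACY: TlsConfig = {
    "SSLv3": ["DES-CBC-SHA", "RC4-MD5"],
    "TLSv1.0": ["AES128-SHA", "RC4-SHA"],
}
# The 2012 "mitigation": TLS 1.0 only, RC4 preferred ahead of the CBC suites.
MITIGATED_2012: TlsConfig = {"TLSv1.0": ["RC4-SHA", "AES128-SHA"]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("legacy", LEGACY), ("rc4-first", MITIGATED_2012)):
        print(name, assess(cfg))
```

On a live host the input would come from a suite enumeration, for example by repeated `openssl s_client -connect host:443 -tls1 -cipher <suite>` handshakes or a tool such as sslscan; the point of the example is that "BEAST vulnerable" is a statement about which suite the server prefers under old protocol versions, not about the certificate.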
Courtot dismissed suggestions that the platform effectively provides a directory for hackers, claiming that hackers already have similar tools to crawl websites and detect vulnerabilities. He said that organisations with poor SSL support are “lucky that they haven’t already been compromised,” adding that Pulse would help them improve their security.
The question of brand reputation was left a little hazier, although Courtot said there is a forum where organisations can submit problems.
Alongside the new platform, TIM announced it has formed a taskforce of security experts to review known SSL governance issues and develop new proposals aimed at making SSL pervasive on the internet.
The taskforce includes PayPal CISO Michael Barrett, SSL creator Taher Elgamal, GlobalSign CTO Ryan Hurst, Google software engineer Adam Langley, Whisper Systems founder Moxie Marlinspike and Qualys’ Ivan Ristic.
“I talk to guys daily who are looking for a silver bullet, but the idea of a perfect security solution is foolish, there’s no such thing,” said Elgamal at the launch.
“The data that Pulse is going to provide to the industry is going to be very powerful, and give information to organisations on how to secure their infrastructure.”