Insecure websites to be named and shamed after checks

By Mark Ward, Technology correspondent, BBC News

Published 25 April 2012

[Image caption: The project will show who has left a website more vulnerable to attack]

Companies that do not do enough to keep their websites secure are to be named and shamed to help improve security.

The list of good and bad sites will be published regularly by the non-profit Trustworthy Internet Movement (TIM).

A survey carried out to launch the group found that more than 52% of sites tested were using versions of security protocols known to be compromised.

The group will test websites to see how well they have implemented basic security software.

Security fundamentals

The group has been set up by security experts and entrepreneurs frustrated by the slow pace of improvements in online safety.

"We want to stimulate some initiatives and get something done," said TIM's founder Philippe Courtot, serial entrepreneur and chief executive of security firm Qualys. He has bankrolled the group with his own money.

TIM has initially focused on a widely used technology known as the Secure Sockets Layer (SSL).

Experts recruited to help with the initiative include SSL's inventor Dr Taher Elgamal; "white hat" hacker Moxie Marlinspike, who has written extensively about attacking the protocol; and Michael Barrett, chief security officer at PayPal.

Many websites use SSL to encrypt communications between them and their users. It is used to protect credit card numbers and other valuable data as it travels across the web.

"SSL is one of the fundamental parts of the internet," said Mr Courtot.

"It's what makes it trustworthy and right now it's not as secure as you think."

Compromised certificates

TIM plans a two-pronged attack on SSL.

The first part would be to run automated tools against websites to test how well they had implemented SSL, said Mr Courtot.

"We'll be making it public," he added. "Everyone is now going to be able to see who has a good grade and who has a bad grade."

Early tests suggest that about 52% of sites checked ran a version of SSL known to be compromised.

Companies that have done a bad job will be encouraged to improve and upgrade their implementations so that those sites become safer to use.

The second part of the initiative concerns the running of the bodies, known as certificate authorities (CAs), which guarantee that a website is what it claims to be.

TIM said it would work with governments, industry bodies and companies to check that CAs were well run and had not been compromised.

"It's a much more complex problem," said Mr Courtot.

In 2011, two certificate authorities, DigiNotar and GlobalSign, were found to have been compromised. In some cases this meant attackers eavesdropped on what should have been a secure communications channel.

Steve Durbin, global vice president of the Information Security Forum which represents security specialists working in large corporations, said many of its members took responsibility for making sure sites were secure.

"You cannot just say 'buyer beware'," he said.

"That's not good enough anymore. They have a real duty of care."

He said corporations were also increasingly conscious of their reputation for providing safe and secure services to customers.