How secure is the secure web? SSL/TLS-server stats, part 2
By Audun Mathias Øygardamoygardopera. Wednesday, June 2, 2010 2:44:52 PM
We are a bit worried that the growth is not going faster than this, though. It even seems to have slowed down a bit. If the growth continues at the same pace, or slower, this means that all servers will not be patched earlier than the end of 2011. This is far too long for a potential security hole to be in the wild, in our opinion. We currently do not have a good overview of which of the big vendors are responsible for most of the unpatched servers, but we will definitely look into this and do what we can to push for faster patching.
Something else worrying we have discovered is that the majority (around 80-90%) of the patched servers have spec-violations in how they have implemented the renegotiation patch (or rather, the renegotiation extension).
Yngve has more details on the issue in a new article, and we are contacting those vendors that we have clearly identified as having implemented non-compliant patches.
We're also looking into some of the other specs of the servers we test. One of the things we have been interested in is the cipher suite using MD5 (128 bit ARC4-RSA/MD5). Since this cipher suite is expected to become significantly weaker soon, as mentioned earlier, we want to disable it soon. We have even been contacted by users who are wondering why we still support this cipher suite. First though, as with the renegotiation issue, we have to know how many servers this will affect i.e., how many servers support only this cipher suite. According to our "TLS prober", around 1% of servers accept only this cipher suite. This is a sizable portion of servers, and even includes at least some important online payment services (!), so we will have to wait a bit longer before we disable this cipher suite.
Do you have any ideas on how to make server owners patch their servers faster? Let us know in the comments!