How secure is the secure web? SSL/TLS-server stats, part 3
By Audun Mathias Øygard (amoygardopera). Wednesday, August 25, 2010 9:30:01 AM
Time for a third update on the status of TLS servers! Since our last report we've seen a big jump in the number of patched servers, and, according to our statistics, around 27% of servers should now be patched. The reason for this growth is, of course, that Microsoft released a patch for its servers three weeks ago.

Hopefully we will see more jumps in the coming months, since Ubuntu is scheduled to implement a patched version of OpenSSL as part of the Maverick Meerkat (AKA 10.10) release in October. We also hope Debian will soon update their stable releases with the patch, even though we know the Debian maintainers are careful about what they include in their stable branches. If we're lucky, we might "celebrate" the one-year anniversary of the publication of this security vulnerability with at least 50% of servers patched. We're certainly crossing our fingers!

For some reason, the release of Microsoft's patch does not seem to have reduced the rate of noncompliance (see Yngve's post about this). In our tests on Windows 7, the Microsoft patch appears to be correctly implemented and compliant, but our statistics show that most of the noncompliant Microsoft servers are IIS 6.0, so there could be a problem with the patch for this specific version. It could also simply be that our tests are reaching front-ends rather than the actual TLS servers. We need to do some further digging to figure out the source of the noncompliance.
Since the last report, we have also discovered we are not the only ones interested in the status of TLS servers across the world. Ivan Ristic, the person behind SSL Labs, presented an extensive survey of servers in July at Black Hat USA 2010. Slides from his presentation can be found at his blog. Like our survey, he scanned a wide range of servers in order to locate a representative selection of TLS servers, and he ended up with 850,000 entries. In his presentation, he mentioned that 20.53% of the domains found were patched, which we assume applied near the date the presentation was held (July 29). This is, in fact, a 5% higher percentage than our surveys from the same time indicate. We suspect that we may be testing slightly different things, but we are investigating the cause of the differences in measured patch rates and have contacted Ristic about comparing our data with his. Anyhow, we warmly welcome his research, since more eyes on the status of TLS can only help keep the Web more secure and speed up the patching.
Just to sum up the issues for those readers who have not followed our recent articles:
- Last November a hole in the TLS security protocol was publicized. TLS is the protocol behind all secure communication on the Web, most commonly used in HTTPS connections, for instance with banks. To fix this hole, both clients and servers need to implement patches. Most browsers have now implemented patches, and we are waiting for all server vendors to release patches and for server owners to install them.
- Since March this year, we have been regularly probing around 400 000 TLS servers worldwide to find out how many of them are patched. This sample is estimated to be around 1/8th of all TLS servers. When most servers are patched, we will disable and/or warn about insecure communication via unpatched servers.
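As an added illustration (not Opera's probe code and not part of the original post), assuming the hole referred to above is the TLS renegotiation flaw fixed by the renegotiation_info extension of RFC 5746, the following Python snippet shows the core of such a patch-status check: it parses a server's initial ServerHello and classifies it as unpatched (no extension), patched (empty extension, as RFC 5746 requires on the first handshake) or noncompliant (extension present but with non-empty or malformed data). The ServerHello bytes are constructed samples, not captured traffic, and "noncompliant" here covers only this one kind of misbehaviour.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type registered by RFC 5746

def parse_server_hello(body: bytes) -> dict:
    """Parse a ServerHello body (the bytes after the 4-byte handshake header)
    and return its version, cipher suite and a {type: data} map of extensions."""
    pos = 0
    version = body[pos:pos + 2]
    pos += 2 + 32                      # skip protocol version and 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                 # session_id<0..32>
    cipher_suite = body[pos:pos + 2]
    pos += 2 + 1                       # cipher suite and compression method
    extensions = {}
    if pos + 2 <= len(body):           # extensions block is optional; old servers omit it
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}

def classify_renegotiation(body: bytes) -> str:
    """Classify an initial-handshake ServerHello the way a patch-status probe would."""
    exts = parse_server_hello(body)["extensions"]
    if RENEGOTIATION_INFO not in exts:
        return "unpatched"             # server does not signal secure renegotiation
    data = exts[RENEGOTIATION_INFO]
    # RFC 5746 section 3.4: on the initial handshake the extension carries
    # renegotiated_connection<0..255>, which must be empty: a single 0x00 length byte.
    if data == b"\x00":
        return "patched"
    return "noncompliant"              # extension present but non-empty or malformed

def build_server_hello(extensions) -> bytes:
    """Constructed sample: TLS 1.0, zero random, no session id, cipher 0x002f, null compression."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions is not None:
        body += struct.pack("!H", len(extensions)) + extensions
    return body

# Constructed sample ServerHellos (hypothetical, not captured from real servers).
UNPATCHED = build_server_hello(None)
PATCHED = build_server_hello(struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00")
NONCOMPLIANT = build_server_hello(struct.pack("!HH", RENEGOTIATION_INFO, 13) + b"\x0c" + b"\xaa" * 12)
```

A real probe would send a ClientHello carrying the same extension (or the 0x00FF signalling cipher suite) and feed the received ServerHello body to classify_renegotiation.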
Do you think we'll make 50% patched servers by November 5th? And, how long do you think it will take for 95% of servers to be patched? If you have other questions, please ask in the comments below.
Charles Schloss (Chas4) # Wednesday, September 1, 2010 3:52:53 PM
I think Apple has patched it also
Jim (toyotabedzrock) # Thursday, September 2, 2010 8:02:20 PM
It's also possible you are seeing the web front end for older exchange servers.