Beware of Web servers' weak security standards
By Brian Livingston
September 15, 2000, 4:00 AM PT


Weak security standards have led to personal information being subject to interception at almost one-third of e-commerce Web servers, according to a new study.

Eric Murray, a computer security consultant based in Los Gatos, Calif., wrote the study after testing numerous "secure" Web servers listed in search engines.

Murray tested the security standards at 8,081 randomly selected servers, all of which used some form of encryption to protect information such as credit card numbers. He categorizes 31.5 percent of them as "weak," meaning that they use obsolete encryption methods that have been broken by hackers or have other flaws.

Some of the weak servers include machines operated by well-known online brokerages, banks, e-tailers and government agencies.

Murray said two weak e-commerce servers, "pecos.egghead.com" and "www.onsale.com," use digital encryption "keys" that are too short to provide the best security. (Egghead and Onsale merged into a single company last November.)

Priya Mistry, a representative for Egghead, acknowledged the problem.

"Along with other initiatives, we plan to increase our current 40-bit encryption to a 128-bit encryption system in the near future," Mistry said.

Problems that earn a weak server rating in the study include:

- Encryption keys that are too short. The length of the code number, or "key," that servers use to encrypt data is crucial to keeping people's personal information safe. Longer keys are harder for intruders to crack than shorter keys.

A key length of 56 bits, used in a technique called the Data Encryption Standard, was cracked in July 1998 by the Electronic Frontier Foundation. Security consultants now recommend the use of much lengthier keys.

- Using obsolete software. Most secure servers today use a standard called SSL (Secure Sockets Layer) Version 3 or a newer protocol called TLS.

Weak servers, by contrast, use an older standard, SSL Version 2. This obsolete software allows an intruder with access to an Internet service provider to read or change data, such as credit card numbers, that consumers give to servers that are supposedly secure.

The release of SSL Version 3 software in early 1997 fixed the weaknesses of SSL Version 2. But three years later, not all secure servers have been upgraded.

- Using bad server certificates. Secure servers identify themselves to browsers using "server certificates" issued by several independent bodies. These bodies vouch for the reputation of the holder of each certificate.

Unfortunately, server certificates can expire without being renewed, and some companies make up their own "self-signed" certificates. Servers identified in the study as weak use certificates that are expired or self-signed. These certificates give consumers no independent assurance of a server operator's reputation for honesty.

Murray concedes that some Web servers have more serious security flaws than the ones analyzed in his latest study. But he said he feels the problems he is calling attention to are important because most of the servers he studied are handling personal financial information.

"It's probably a safe bet that about 50 percent of them are doing some kind of credit card authorization," Murray said.

To help consumers determine whether the secure servers they use are weak, strong or in-between, Murray invites surfers to analyze the strength of any Web server for free.

The analysis, which takes as long as 60 seconds to perform, includes a detailed breakdown of a Web server's security features. This includes the version of SSL that a server uses, the length of its encryption keys and more.

At the end of each server analysis, Murray's program delivers a pithy security verdict: weak, medium or strong. A knowledgeable person can interpret the detailed report to develop his or her own ranking system if desired.
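As an added illustration, not Murray's program or any code from the article, the following Python rates a server report against the three weak criteria the study lists above (SSL Version 2, keys of 56 bits or fewer, expired or self-signed certificates) and tallies verdicts the way the test page's weak/medium/strong summary does. The record fields, the "medium" rule (no weak finding but a key shorter than 128 bits) and the sample hosts are assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import date

# Constructed record mirroring what the article says the test page reports.
@dataclass
class ServerReport:
    host: str
    protocol: str          # "SSLv2", "SSLv3" or "TLSv1"
    key_bits: int          # length of the negotiated encryption key
    cert_not_after: date   # certificate expiry date
    self_signed: bool      # True if no independent body issued the cert

def rate_server(r: ServerReport, today: date) -> tuple:
    """Return ("weak"|"medium"|"strong", findings) per the study's criteria."""
    findings = []
    # Criterion 1: obsolete protocol (SSL Version 2).
    if r.protocol == "SSLv2":
        findings.append("uses obsolete SSL version 2")
    # Criterion 2: keys at or below the 56-bit DES length cracked in 1998.
    if r.key_bits <= 56:
        findings.append(f"{r.key_bits}-bit key is too short")
    # Criterion 3: certificate gives no independent assurance.
    if r.cert_not_after < today:
        findings.append(f"certificate expired {r.cert_not_after.isoformat()}")
    if r.self_signed:
        findings.append("certificate is self-signed")
    if findings:
        return "weak", findings
    # The "medium" rule is an assumption for this example, not the study's.
    if r.key_bits < 128:
        return "medium", [f"{r.key_bits}-bit key is below 128 bits"]
    return "strong", []

# Constructed sample hosts (not from the study's data set).
STUDY_DATE = date(2000, 9, 15)
SAMPLES = [
    ServerReport("shop.example", "SSLv2", 40, date(2001, 3, 1), False),
    ServerReport("bank.example", "TLSv1", 128, date(2001, 6, 30), False),
    ServerReport("intranet.example", "SSLv3", 128, date(2000, 1, 1), True),
    ServerReport("legacy.example", "SSLv3", 64, date(2001, 1, 1), False),
]

def summarize(reports, today=STUDY_DATE) -> dict:
    """Count verdicts, as the study does for its 31.5 percent weak share."""
    counts = {"weak": 0, "medium": 0, "strong": 0}
    for r in reports:
        counts[rate_server(r, today)[0]] += 1
    return counts
```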

Here is the link to Murray's test page. You might want to use this page to test various banking and e-tailing servers before you hand over your credit card number.

Consumer advocate Brian Livingston appears at CNET News.com every Friday. Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.

Brian Livingston has published 10 books, including "Windows 2000 Secrets" and "Windows Me Secrets." He has been a contributing editor at PC World, Windows Magazine, InfoWorld and other magazines for more than 10 years. Before his work as an author, Livingston was a management consultant advising financial institutions on computer technologies. In 1991, he received the Award for Technical Excellence from the National Microcomputer Managers Association for his efforts to develop standards in the computer industry.