90% SSL websites are vulnerable to the BEAST SSL attack

Trustworthy Internet Movement (TIM), 90% of the websites running on HTTPS enabled secure protocol are vulnerable to the SSL attack, BEAST.

90% SSL websites are vulnerable to the BEAST SSL attack


According to the latest cyber report by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems, 90% of the websites running on HTTPS enabled secure protocol are vulnerable to the SSL attack, BEAST.

This report is based on the data provided by SSL Pulse project. This project scanned top 1 million websites with the automated scanning technology developed by security vendor Qualys and then generated a report on strength of HTTPS implementations.

It checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower).

90% od the websites scanned are vulnerable to the known type of attack BEAST. This SSL attack takes advantage of a flaw in SSL 3.0, allowing the attacker to grab and decrypt HTTPS cookies on an end user’s browser, effectively hijacking the victim’s session.

This could be achieved either through an iframe injection or by loading the BEAST JavaScript into the victim’s browser, but BEAST is known to be especially hard to execute.

Trustworthy Internet Movement has also created a taskforce which includes various security experts who will review SSL governance issues and develop proposals aimed at fixing both SSL and the certificate authority systems.

The taskforce members include Michael Barrett, chief information security officer at PayPal; Taher Elgamal, one of the creators of the SSL protocol; Adam Langley, a Google software engineer responsible for SSL in Chrome and on the company’s front-end servers; Moxie Marlinspike, the creator of the Convergence project, which offers an alternative method for SSL certificate validation; Ivan Ristic, the creator of the Qualys SSL Labs and Ryan Hurst, chief technology officer at certificate authority GlobalSign.