Are those servers really safe?

A study finds that one-third of so-called secure Web sites are actually "dangerously" vulnerable.

By Katharine Mieszkowski
Published August 8, 2000 6:13PM (EDT)

Here's just the bit of news that the beleaguered "e-tailing" sector didn't need right now.

A new study says credit card numbers and passwords stored on many "secure" Web servers are vulnerable to hacking.

Eric Murray, an independent security consultant and cryptology expert, tested a random sample of 8,081 secure Web servers and found that 32 percent of them are "dangerously weak." "When you do a secure transaction on the Net, there's a good chance that it's not all that secure," says Murray, noting that many sites offer only a "kid sister" level of security for transactions, as in a "keeping your kid sister out of your diary" level of security.

The study set out to test servers using the Secure Sockets Layer (SSL) protocol, which is used by many sites that conduct credit card transactions and maintain customer passwords, such as online retailers, banks, bill-paying services and brokerages.

The sites with weak security support only what Murray calls the flawed and now outdated SSL v2 protocol, use encryption keys that are too small (primarily because of old U.S. export control limitations that are no longer in force) or have "self-signed" or expired certificates -- any of which may mislead users as to how secure a site really is.
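As an added example, not part of the article or of Murray's study, here is a small Python audit that applies the three weakness criteria the article lists (SSL v2 only, small keys, self-signed or expired certificate) to scan records. The record layout, the sample servers and the key-size thresholds are my own assumptions; the article gives no numbers, so the thresholds are only labelled guesses based on what export-grade cryptography allowed.

```python
from dataclasses import dataclass
from datetime import date

# Assumed thresholds (not from the article): export-grade ciphers were limited
# to 40-bit symmetric keys and 512-bit RSA keys, so anything below these
# values is treated as "too small".
MIN_SYMMETRIC_BITS = 128
MIN_RSA_BITS = 1024


@dataclass(frozen=True)
class ScanRecord:
    """One scanned server, as a hypothetical scanner might report it."""
    host: str
    protocols: frozenset      # protocol versions the server will negotiate
    symmetric_bits: int       # strongest symmetric cipher offered
    rsa_bits: int             # size of the server's RSA key
    cert_subject: str
    cert_issuer: str
    not_after: date           # certificate expiry


def weaknesses(rec, today):
    """Return the list of weakness reasons for one record (empty if none)."""
    reasons = []
    # Criterion 1: the server speaks nothing but SSL v2.
    if rec.protocols == {"SSLv2"}:
        reasons.append("SSLv2 only")
    # Criterion 2: key sizes below the assumed minimums.
    if rec.symmetric_bits < MIN_SYMMETRIC_BITS or rec.rsa_bits < MIN_RSA_BITS:
        reasons.append("small key")
    # Criterion 3a: self-signed, i.e. issuer and subject are the same name.
    if rec.cert_subject == rec.cert_issuer:
        reasons.append("self-signed certificate")
    # Criterion 3b: expired relative to the scan date.
    if rec.not_after < today:
        reasons.append("expired certificate")
    return reasons


def summarize(records, today):
    """Map each weak host to its reasons and report the weak percentage."""
    weak = {r.host: weaknesses(r, today) for r in records}
    weak = {host: why for host, why in weak.items() if why}
    pct = round(100 * len(weak) / len(records)) if records else 0
    return weak, pct


# Constructed sample data; hostnames and values are invented for illustration.
SCAN_DATE = date(2000, 8, 8)
SAMPLE_RECORDS = [
    ScanRecord("shop.example", frozenset({"SSLv3", "TLSv1"}), 128, 1024,
               "CN=shop.example", "CN=Example CA", date(2001, 6, 1)),
    ScanRecord("bank.example", frozenset({"SSLv2"}), 40, 512,
               "CN=bank.example", "CN=Example CA", date(2001, 1, 1)),
    ScanRecord("broker.example", frozenset({"SSLv3"}), 128, 1024,
               "CN=broker.example", "CN=Example CA", date(2001, 3, 1)),
    ScanRecord("bills.example", frozenset({"SSLv3", "TLSv1"}), 128, 1024,
               "CN=bills.example", "CN=Example CA", date(2000, 3, 1)),
    ScanRecord("mail.example", frozenset({"TLSv1"}), 128, 2048,
               "CN=mail.example", "CN=Example CA", date(2002, 1, 1)),
    ScanRecord("news.example", frozenset({"SSLv3", "TLSv1"}), 128, 1024,
               "CN=news.example", "CN=Example CA", date(2001, 9, 1)),
]


def audit_sample():
    """Run the audit over the constructed sample."""
    return summarize(SAMPLE_RECORDS, SCAN_DATE)


if __name__ == "__main__":
    weak_hosts, percent = audit_sample()
    for host, why in weak_hosts.items():
        print(f"{host}: {', '.join(why)}")
    print(f"{percent}% of sampled servers are weak")
```

Two of the six constructed servers fail the audit, one for speaking only SSL v2 with export-grade keys and one for an expired certificate, which yields the same rough one-third share the article reports for the real sample. In practice the record fields would come from a TLS scanner rather than be typed in by hand; the expiry check should always be made against an explicit scan date, as here, so that the result is reproducible.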

In other words, now that we've all gotten used to thinking nothing of giving our credit card to a site to buy something, we may have new reason to worry.

Katharine Mieszkowski is a senior writer for Salon.
