
Weak security found in many web servers

One in three supposedly secure ebusiness servers are using software with known security weaknesses, and European sites are the worst offenders, according to a survey.

John Leyden, vnunet.com 07 Sep 2000

Eric Murray, a consulting security architect based in the US, found that in a random sample of more than 8000 web servers running the SSL protocol, 32 per cent were "dangerously weak".

Murray explained that these weak servers either support only the flawed SSLv2 protocol, use weak encryption, or have expired or self-signed digital certificates.

"These weaknesses make the transactions that are protected by these servers easy to attack with modern key-cracking and/or hacking attacks," said Murray, who added that there is no good reason for sites not to address the problems he has highlighted.

There is no technical or legal reason to limit secure servers to SSLv2 only, since SSLv3, which corrects the known weaknesses, is available. And since US export regulations were relaxed in January to allow the export of 128-bit cryptographic products, there is also no reason to support only 40-bit cipher suites or 512-bit RSA keys.
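As an added illustration (not part of the article or of Murray's survey tooling), the following Python classifies server scan records against the "dangerously weak" criteria described above: SSLv2 only, 40-bit cipher suites or 512-bit RSA keys, and expired or self-signed certificates. The record format, the scan date and the 128-bit and 1024-bit thresholds are assumptions, and the sample records are constructed.

```python
# Added example: audit constructed SSL scan records against the survey's
# "dangerously weak" criteria. Record layout and thresholds are assumed.
from dataclasses import dataclass
from datetime import date


@dataclass
class ScanRecord:
    host: str
    protocols: set      # protocol versions the server negotiates, e.g. {"SSLv2", "SSLv3"}
    max_cipher_bits: int  # strongest symmetric key length the server offers
    rsa_bits: int       # modulus size of the server certificate's RSA key
    cert_subject: str
    cert_issuer: str
    not_after: date     # certificate expiry


def weaknesses(rec: ScanRecord, scan_date: date) -> list:
    """Return the reasons a server counts as dangerously weak (empty if none)."""
    reasons = []
    if rec.protocols == {"SSLv2"}:
        reasons.append("only SSLv2 supported")
    if rec.max_cipher_bits < 128:          # assumed threshold: export-grade ciphers only
        reasons.append(f"weak {rec.max_cipher_bits}-bit cipher suites")
    if rec.rsa_bits < 1024:                # assumed threshold: catches 512-bit keys
        reasons.append(f"{rec.rsa_bits}-bit RSA key")
    if rec.not_after < scan_date:
        reasons.append("expired certificate")
    if rec.cert_subject == rec.cert_issuer:  # self-signed: issuer equals subject
        reasons.append("self-signed certificate")
    return reasons


def survey(records, scan_date: date):
    """Map each host to its weaknesses and return the percentage that are weak."""
    findings = {r.host: weaknesses(r, scan_date) for r in records}
    weak = sum(1 for reasons in findings.values() if reasons)
    return findings, round(100 * weak / len(records), 1)


# Constructed sample scan, dated around the article's publication.
SAMPLE_SCAN_DATE = date(2000, 9, 1)
SAMPLE = [
    ScanRecord("shop.example", {"SSLv2", "SSLv3"}, 128, 1024,
               "CN=shop.example", "CN=Example CA", date(2001, 6, 1)),
    ScanRecord("legacy.example", {"SSLv2"}, 40, 512,
               "CN=legacy.example", "CN=Example CA", date(2001, 1, 1)),
    ScanRecord("intranet.example", {"SSLv3"}, 128, 1024,
               "CN=intranet.example", "CN=intranet.example", date(1999, 12, 31)),
]

if __name__ == "__main__":
    findings, pct = survey(SAMPLE, SAMPLE_SCAN_DATE)
    for host, reasons in findings.items():
        print(host, "->", ", ".join(reasons) or "ok")
    print(f"{pct}% dangerously weak")
```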

The survey revealed that the security of European servers is particularly weak, because many still use web server software obtained before the export restrictions were relaxed. This was found to be particularly the case for sites running Microsoft's Internet Information Server rather than Apache.

The fact that many sites are vulnerable for no good reason is, according to Murray, explained by a tendency for businesses not to update their security software until their websites have been breached.

"Many sites don't bother to update or patch software, even when it is readily available, until they're forced to do so because someone has broken in. Until then, they are still open to well-known vulnerabilities," said Murray.

Matt Tomlinson, business development director at IT security consultancy MIS Corporate Defence, said the survey is one of the most comprehensive he has come across, and that the figure of a third of so-called secure websites actually being insecure matched the experience of MIS in the UK.

"Even if a web server is secure, that is not the end of the issue. There is also the possibility of backdoors into a network, and hackers will not always go to the obvious point when they launch attacks," said Tomlinson.
