
Beware of Web servers' weak security standards

Weak security standards have led to personal information being subject to interception at almost one-third of e-commerce Web servers, according to a new study.


Eric Murray, a computer security consultant based in Los Gatos, Calif., wrote the study after testing numerous "secure" Web servers listed in search engines.

Murray tested the security standards at 8,081 randomly selected servers, all of which used some form of encryption to protect information such as credit card numbers. He categorizes 31.5 percent of them as "weak," meaning that they use obsolete encryption methods that have been broken by hackers or have other flaws.

Some of the weak servers include machines operated by well-known online brokerages, banks, e-tailers and government agencies.

Murray said two weak e-commerce servers, "pecos.egghead.com" and "www.onsale.com," use digital encryption "keys" that are too short to provide the best security. (Egghead and Onsale merged into a single company last November.)

Priya Mistry, a representative for Egghead, acknowledged the problem.

"Along with other initiatives, we plan to increase our current 40-bit encryption to a 128-bit encryption system in the near future," Mistry said.

Problems that earn a weak server rating in the study include:

- Encryption keys that are too short. The length of the code number, or "key," that servers use to encrypt data is crucial to keeping people's personal information safe. Longer keys are harder for intruders to crack than shorter keys.

A key length of 56 bits, used in a technique called the Data Encryption Standard, was cracked in July 1998 by the Electronic Frontier Foundation. Security consultants now recommend the use of much lengthier keys.

- Using obsolete software. Most secure servers today use a standard called SSL (Secure Sockets Layer) Version 3 or a newer protocol called TLS.

Weak servers, by contrast, use an older standard, SSL Version 2. This obsolete software allows an intruder with access to an Internet service provider to read or change data, such as credit card numbers, that consumers give to servers that are supposedly secure.

The release of SSL Version 3 software in early 1997 fixed the weaknesses of SSL Version 2. But three years later, not all secure servers have been upgraded.

- Using bad server certificates. Secure servers identify themselves to browsers using "server certificates" issued by several independent bodies. These bodies vouch for the reputation of the holder of each certificate.

Unfortunately, server certificates can expire without being renewed, and some companies make up their own "self-signed" certificates. Servers identified in the study as weak use certificates that are expired or self-signed. These certificates give consumers no independent assurance of a server operator's reputation for honesty.

Murray concedes that some Web servers have more serious security flaws than the ones analyzed in his latest study. But he said he feels the problems he is calling attention to are important because most of the servers he studied are handling personal financial information.

"It's probably a safe bet that about 50 percent of them are doing some kind of credit card authorization," Murray said.

To help consumers determine whether the secure servers they use are weak, strong or in-between, Murray invites surfers to analyze the strength of any Web server for free.

The analysis, which takes as long as 60 seconds to perform, includes a detailed breakdown of a Web server's security features. This includes the version of SSL that a server uses, the length of its encryption keys and more.

At the end of each server analysis, Murray's program delivers a pithy security verdict: weak, medium or strong. A knowledgeable person can interpret the detailed report to develop his or her own ranking system if desired.
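The three weak-server criteria above and the weak/medium/strong verdict, written up as a small classifier over the attributes Python's ssl module reports about a connection. This is an added example, not Murray's program; the "medium" thresholds (57 to 127 bits, SSL 3 rather than TLS) and the rule that the overall verdict is the weakest single grade are assumptions, and the sample observations are constructed.

```python
import ssl
from datetime import datetime, timezone

# Grades from worst to best. Combining the three checks by taking the weakest
# single grade is an assumption about the study, not something the article states.
GRADES = ("weak", "medium", "strong")

def grade_key_length(cipher_bits):
    # 40-bit export ciphers and 56-bit DES are the lengths the article calls too
    # short; 128 bits is the upgrade target it quotes. 57-127 as "medium" is an assumption.
    if cipher_bits <= 56:
        return "weak"
    return "strong" if cipher_bits >= 128 else "medium"

def grade_protocol(version):
    # SSL 2 is the obsolete version the article flags. Rating SSL 3 below TLS
    # as "medium" is an assumption; the article accepts both.
    if version == "SSLv2":
        return "weak"
    return "strong" if version.startswith("TLS") else "medium"

def grade_certificate(cert, now=None):
    # `cert` uses the dict shape returned by ssl.SSLSocket.getpeercert():
    # 'subject' and 'issuer' as tuples of RDNs, 'notAfter' as a GMT string.
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    self_signed = cert["subject"] == cert["issuer"]
    return "weak" if expiry < now or self_signed else "strong"

def verdict(cipher_bits, version, cert, now=None):
    grades = (grade_key_length(cipher_bits), grade_protocol(version), grade_certificate(cert, now))
    return min(grades, key=GRADES.index)

# Constructed sample observations for a hypothetical server; none are real hosts.
SUBJECT = ((("commonName", "shop.example"),),)
CA = ((("commonName", "Example Root CA"),),)
NOW = datetime(2000, 3, 1, tzinfo=timezone.utc)  # constructed "today" in the survey's era

def make_cert(issuer=CA, not_after="Jan 15 00:00:00 2001 GMT"):
    return {"subject": SUBJECT, "issuer": issuer, "notAfter": not_after}

SAMPLES = {
    "export_40bit": (40, "TLSv1", make_cert()),
    "sslv2_only": (128, "SSLv2", make_cert()),
    "self_signed": (128, "TLSv1", make_cert(issuer=SUBJECT)),
    "expired": (128, "TLSv1", make_cert(not_after="Jan 15 00:00:00 1999 GMT")),
    "sslv3_ca_signed": (128, "SSLv3", make_cert()),
    "tls_128_ca_signed": (128, "TLSv1", make_cert()),
}

def run_samples():
    return {name: verdict(*args, now=NOW) for name, args in SAMPLES.items()}
```

On a live connection the same three inputs come from `ssl.SSLSocket.cipher()[2]`, `ssl.SSLSocket.version()` and `ssl.SSLSocket.getpeercert()`, so the classifier can be run against a real handshake without changes.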

Here is the link to Murray's test page. You might want to use this page to test various banking and e-tailing servers before you hand over your credit card number.

Consumer advocate Brian Livingston appears at CNET News.com every Friday. Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.