Security specialist discovers weak encryption on major websites
Mobile threat defense provider Corrata has announced the discovery of poor encryption practices on a number of major websites, including the Irish telecoms company Eir and the German newspaper Bild. In line with its responsible disclosure practice, Corrata contacted the owners of the websites concerned, and the weaknesses have now been remedied. However, it is likely that other websites contain similar vulnerabilities, and Corrata urges website owners to make sure that their encryption is in line with industry best practice.
Today the vast majority of websites use encryption to ensure that sensitive data exchanged between users and the website remains confidential. This confidentiality depends on an internet protocol known as Transport Layer Security (TLS). HTTPS is ordinary web traffic (HTTP) carried over TLS, and it is what a browser uses when a site is served securely. Its use is usually signalled by the lock symbol in the browser address bar.
However, not all HTTPS deployments are equally secure. Some websites still support out-of-date protocol versions or cipher suites that are known to be breakable. This is particularly risky on Wi-Fi networks, because the traffic passing between a mobile phone and the access point can easily be captured by anyone within radio range. Internet users rely on sensitive data being transmitted in encrypted form to defeat such eavesdropping, but where weak encryption is used it fails to protect sensitive data such as passwords, financial information and other confidential data.
The specific weakness discovered by Corrata was a misconfiguration of the sites' web servers that caused them to favor an old, insecure cipher called RC4 when the sites were accessed from iOS devices (iPhones and iPads). RC4's keystream has well-known statistical biases that let an attacker who captures enough encrypted sessions recover repeated plaintext such as session cookies; the IETF prohibited its use in TLS in 2015 (RFC 7465), and website owners have been strongly advised not to use it for at least ten years. Devices with Corrata's mobile threat defense installed automatically detect these flaws and prevent users' data from being stolen. It is these routine checks that brought the vulnerability to light.
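To show how a server ends up choosing RC4 for some clients and not others, and how an operator can check for it, the following Python script is an added example; it is not Corrata's tooling and not the configuration of any of the sites named above. It simulates TLS 1.2 cipher-suite selection for a constructed server preference list and a constructed client offer (the suite names are OpenSSL-style and both lists are illustrative, not what iOS or the affected servers actually send), audits a server list for deprecated algorithms, and includes a live probe that offers a server nothing but RC4 suites. The historical background matters here: after the 2011 BEAST attack on CBC suites, putting RC4 at the top of the server's preference list was a common workaround, and a server that kept that ordering keeps picking RC4 for any client that still lists it.

```python
"""Simulate and probe TLS cipher-suite negotiation to spot an RC4 preference.

Added example, not part of the original article. Suite names are OpenSSL-style;
every server and client list below is constructed for illustration.
"""
import socket
import ssl
from typing import List, Optional

# Tokens that mark a suite as broken or deprecated: RC4 keystream biases,
# (3)DES block-size attacks, export-grade keys, NULL encryption, MD5 MACs,
# anonymous (unauthenticated) key exchange.
WEAK_TOKENS = {"RC4", "DES", "EXP", "NULL", "MD5", "ADH", "AECDH"}


def is_weak(suite: str) -> bool:
    """True if any hyphen-separated token of the suite name is a weak-algorithm marker."""
    return any(tok in WEAK_TOKENS for tok in suite.split("-"))


def negotiate(server_prefs: List[str], client_offer: List[str],
              prefer_server_order: bool = True) -> Optional[str]:
    """Return the suite a TLS 1.2 server would select.

    With server-order preference (nginx 'ssl_prefer_server_ciphers on',
    Apache 'SSLHonorCipherOrder on') the first server suite the client also
    offers wins; otherwise the client's order decides. None means no suite
    in common, i.e. the handshake fails.
    """
    first, second = ((server_prefs, client_offer) if prefer_server_order
                     else (client_offer, server_prefs))
    for suite in first:
        if suite in second:
            return suite
    return None


def audit(server_prefs: List[str]) -> List[str]:
    """Return every suite in a server list that should be removed outright."""
    return [s for s in server_prefs if is_weak(s)]


# Constructed client offer: a modern client that still lists RC4 last as a fallback.
CLIENT_OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
    "RC4-SHA",
    "RC4-MD5",
]

# Constructed legacy server list: RC4 first (the old BEAST workaround), no AEAD suites.
LEGACY_SERVER = ["RC4-SHA", "RC4-MD5", "AES128-SHA", "ECDHE-RSA-AES128-SHA"]

# Constructed hardened list: forward-secret AEAD suites only, RC4 removed entirely.
HARDENED_SERVER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
]


def probe_rc4(host: str, port: int = 443, timeout: float = 5.0) -> Optional[bool]:
    """Offer a live server only RC4 suites (TLS <= 1.2) and report whether it accepts.

    True: handshake completed, the server still negotiates RC4.
    False: the server refused every RC4 suite.
    None: this OpenSSL build cannot offer RC4 at all (most current builds
    compile it out); run the probe from an older build instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # the test is about the cipher, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 defines no RC4 suites
    try:
        ctx.set_ciphers("RC4")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0].startswith("RC4")
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for name, prefs in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        chosen = negotiate(prefs, CLIENT_OFFER)
        print(f"{name:8s} server picks {chosen} (weak={is_weak(chosen)}); "
              f"audit flags {audit(prefs)}")
    # Without server-order preference the legacy server would follow the client's order.
    print("legacy, client order:",
          negotiate(LEGACY_SERVER, CLIENT_OFFER, prefer_server_order=False))
```

In nginx terms the legacy list is `ssl_ciphers RC4-SHA:RC4-MD5:AES128-SHA:ECDHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on;` and the fix is not to reorder it but to drop RC4 from `ssl_ciphers` altogether, since a client that offers only RC4 would still get RC4 whichever side's order is honoured. Against a live host, `openssl s_client -connect host:443 -cipher RC4` from an OpenSSL build that still includes RC4 performs the same check as `probe_rc4`; a completed handshake means the server is still willing to use it.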