Infosec 2012: Internet security body to tackle SSL problems

The Trustworthy Internet Movement (TIM) is to tackle implementation and governance internet communication protocol (SSL) as its first project.

The announcement at Infosec Europe 2012 in London comes just two months after the new industry body, aimed at bringing the global security community together to better secure the internet, was announced at the RSA Conference 2012 in San Francisco. 

TIM also announced the launch of a new website, SSL Pulse, an online index which tracks the progress of how well SSL is implemented across the top web sites.

The non-profit vendor-neutral organisation has formed a taskforce of world-renowned security experts to guide and co-ordinate the work on SSL.

"There are two basic issues with SSL: implementation and governance," said Philippe Courtot, TIM founder member and CEO at security firm Qualys.

The taskforce, which includes one of the SSL protocol creators Taher Elgamal, will develop proposals aimed at making SSL pervasive on the internet.

The plan is to first take implementation issues, then review the known governance issues and come up with solutions, said Courtot.

Elgamal said nothing can be safe forever. "It is important to update our technology and keep up with threats to stay safe. I am pleased to revisit SSL security and help improve it," he said.

Security is not a "one shot deal", but an on-going process, said Elgamal. TIM is attractive because collaboration is more important than competition in the security industry now, he added.

SSL Pulse is a continuous and global dashboard for monitoring the quality of SSL across top sites and provides a reference point for site owners as well as their partners in the supply chain.

SSL Pulse is supported by the assessment technology of SSL Labs, set up by task force member director of engineering at Qualys Ivan Ristic to audit the SSL ecosystem.

Ristic said he set up SSL Labs three years ago to help raise awareness and provide tools and documentation to web site owners so they can improve their SSL implementations.

SSL Pulse provides a continually-updated summary of the efforts of SSL Labs and will increase in value as trends emerge in time, said Ristic.

Even the worst-configured sites can improve their security status by spending as little as half an hour reconfiguring, he said.

The most recent analysis of data reveals that only 10% of the world's most popular websites are really secure.

About 50% have good implementations, but have further vulnerabilities or may not have updated to the latest versions of SSL known as TLS, said Ristic.

Courtot said SSL Pulse is a useful tool for CIOs to be able to see how secure their organisation's websites are and either congratulate security teams or motivate them to fix SSL configurations.

The site also provides in a way that is easy to understand, the same insight to CIOs for their own websites and others in their supply chain that cyber criminals have had for years.

"SSL is one of the fundamental elements of internet security; we can make quick headway by enabling organisations to implement SSL correctly," said Courtot.

"Making SSL pervasive on the internet is a must in order for the web to become a safer place," he said.

The next step will be tackling issues around SSL governance to fix the Certificate Authority (CA) system, but that will be a lot more challenging, he said.

Courtot said at this time there were no other projects lined up for TIM. "We prefer to tackle one project at a time and move from success to success rather than take on too much."