[HTTPS-Everywhere] fyi: OTA statement on: Always On TLS/SSL

=JeffH Jeff.Hodges at KingsMountain.com
Tue Mar 6 14:13:49 PST 2012


https://otalliance.org/resources/AOSSL/

Always On SSL (Secure Sockets Layer)

Trust and consumer confidence are the foundation upon which the Internet has 
been built. A core element of that confidence rests on the protection provided 
by SSL certificates from trusted Certificate Authorities.

SSL/TLS (sometimes referred to as HTTPS) delivers website and server identity 
authentication as well as encryption of data in transit. Today, it is estimated 
that more than 4.5 million sites are using SSL certificates issued by a 
Certificate Authority to protect web pages with sensitive information such as 
logins and credit card numbers.

Many organizations use the SSL/TLS protocol to encrypt the authentication 
process when users log in to a website, but do not encrypt subsequent pages 
during the user’s session. Unfortunately, this intermittent use of SSL 
protection is not adequate security considering today’s online threats.

With the rise of Web 2.0 and social networking, people are spending more time 
online and logged in, and they are communicating much more than just their 
credit card numbers. Cybercriminals today are targeting consumers using an 
attack method called sidejacking that takes advantage of consumers visiting 
unencrypted HTTP web pages after they have logged into a site. Sidejacking 
allows hackers to intercept cookies (typically used to retain user specific 
information such as username, password, and session data) when they are 
transmitted without the protection of SSL encryption.

There are several software tools written to support sidejacking activities, but 
none is more infamous than Firesheep. An extension for the Firefox Web browser 
developed by Eric Butler and released in October 2010, Firesheep allows hackers 
with no programming skills to easily capture usernames, passwords, browsing 
history, and other private information from unsuspecting users.

Online Trust Alliance (OTA) is calling on the security, business and 
interactive advertising communities to adopt Always On SSL (AOSSL), the 
approach of using SSL/TLS across your entire website to protect users with 
persistent security, from arrival to login to logout. Always On SSL is a 
proven, practical security measure that should be implemented on all websites 
where users share or view sensitive information.

Always On SSL is supported as a best practice by leading industry players 
including Google, Microsoft, PayPal, Symantec, Facebook and Twitter. Learn 
their stories in the OTA white paper Protecting Your Website With Always On SSL 
and from their participation in a panel discussion at the RSA Conference 2012.

OTA encourages all websites to consider implementing Always On SSL. It is 
incumbent on all of us to work together to implement web security best 
practices to protect consumers from harm.

RSA 2012 Presentation
<https://otalliance.org/resources/AOSSL/RSAC%202012%20Panel%20-%20Always%20On%20SSL_2_23.pdf> 


Always On SSL White Paper
<https://otalliance.org/resources/AOSSL/OTA_Always-On-SSL-White-Paper.pdf>

Video of RSA AOSSL Session (March 1) - Coming Soon

SSL Server Test
<https://www.ssllabs.com/ssldb/>


---
end
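The sidejacking mechanism the OTA statement describes comes down to one browser rule: a cookie without the Secure attribute is attached to plain-http requests as well as https ones, so any http page load after login hands the session cookie to whoever is on the path. The following is an added example (my own, not part of the OTA statement or its white paper) that models that rule and audits two constructed sets of response headers, one for a login-only-TLS deployment and one for an always-on deployment with HSTS. The Set-Cookie values, cookie names and header sets are made up for illustration.

```python
"""Model the browser-side cookie decision that makes sidejacking possible.

Constructed example: the Set-Cookie headers and sites below are invented,
not captured from any real service.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value (RFC 6265 style) into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return Cookie(name.strip(), value, attrs)


def cookie_sent_over(cookie: Cookie, scheme: str) -> bool:
    """Would a conforming browser attach this cookie to a request on `scheme`?

    A Secure cookie is only sent on https. Without the attribute the browser
    sends it on plain http too, which is exactly what Firesheep captures.
    """
    if scheme == "https":
        return True
    return not cookie.secure


def sidejackable_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Names of cookies that would ride along on a plain-http page load."""
    return [
        c.name for c in map(parse_set_cookie, set_cookie_headers)
        if cookie_sent_over(c, "http")
    ]


def hsts_max_age(response_headers: dict) -> int:
    """max-age from Strict-Transport-Security, or 0 if absent or invalid.

    HSTS makes 'always on SSL' a browser-side guarantee for returning
    visitors: the browser rewrites http:// to https:// itself, so the
    unencrypted request is never made. It does not protect the first visit,
    so it complements the Secure attribute rather than replacing it.
    """
    value = response_headers.get("Strict-Transport-Security")
    if not value:
        return 0
    for directive in value.split(";"):
        k, _, v = directive.strip().partition("=")
        if k.strip().lower() == "max-age":
            try:
                return int(v.strip().strip('"'))
            except ValueError:
                return 0
    return 0


# Constructed samples: TLS on the login page only vs. TLS everywhere.
INTERMITTENT_SSL = {
    "Set-Cookie": [
        "sessionid=abc123; Path=/; HttpOnly",   # no Secure: leaks over http
        "csrftoken=t0k3n; Path=/",
    ],
}
ALWAYS_ON_SSL = {
    "Set-Cookie": [
        "sessionid=abc123; Path=/; HttpOnly; Secure",
        "csrftoken=t0k3n; Path=/; Secure",
    ],
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def audit(site: dict) -> dict:
    """Summarise what an on-path attacker on open Wi-Fi could capture."""
    exposed = sidejackable_cookies(site["Set-Cookie"])
    return {
        "exposed_cookies": exposed,
        "hsts_max_age": hsts_max_age(site),
        # Exposure is decided by the cookie attribute; HSTS only reduces how
        # often an http request happens in the first place.
        "sidejackable": bool(exposed),
    }


if __name__ == "__main__":
    for label, site in (("intermittent", INTERMITTENT_SSL), ("always-on", ALWAYS_ON_SSL)):
        print(label, audit(site))
```

The check to run against a real deployment is the same two questions: does every session cookie carry Secure, and does every https response carry a Strict-Transport-Security header with a non-zero max-age. Serving pages over TLS without the Secure attribute still leaves the cookie exposed the moment any http:// link, image or redirect is followed.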




