Research on the SSL/TLS Ecosystem

Every day, we rely on Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), to secure Internet transactions such as banking, e-mail and e-commerce. Together with a public key infrastructure (PKI), they let our computers automatically verify that our sensitive information (e.g., credit card numbers and passwords) is hidden from eavesdroppers and is sent only to the server it was intended for.

On April 7, 2014, a software vulnerability in OpenSSL called Heartbleed was publicly disclosed. It allows attackers to read a server's memory, including the private key behind the server's certificate, which would let them masquerade as that trusted server and steal sensitive information from unsuspecting users. Patching the bug stops further leaks but does not help if the key has already been taken. The PKI provides the countermeasures for that case: a site operator should obtain a new certificate with a new private key and revoke the compromised one, and we should expect Web site operators to do so.

In this study, we found that the overwhelming majority of vulnerable sites (more than 73%) did not do so, leaving visitors to those sites exposed to attacks such as identity theft. Further, the majority of sites that did attempt to address the problem (60%) did so incompletely, in a way that still leaves their customers vulnerable.

Why should I care?
When you visit a site that did not properly address the Heartbleed vulnerability (at least 55,000 in our study), you may unsuspectingly send your sensitive information to an attacker who holds a copy of that site's private key. Your Web browser will not warn you, because the compromised certificate still looks valid to it, and it will be nearly impossible for you to tell that this has even happened.

What can I do about this?
If you use a site on our list, we encourage you to contact the site administrators about the problem. They need to reissue their certificates with new private keys and revoke the old, compromised ones; patching the server alone is not enough. We will periodically refresh our results and post them on this page.
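The check behind those two requirements, written as an added example for this page (it is not code from the study or from the original page): using Go's standard crypto/x509 package, it compares the public key of a reissued certificate with that of the compromised one and looks the old serial number up in the issuer's CRL. Everything it operates on is constructed: the toy CA, the host name www.example.com, the serial numbers and the dates are assumptions, and no real site's certificates are involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// HeartbleedDisclosed is the date the bug became public (7 April 2014).
var HeartbleedDisclosed = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)

// SPKIFingerprint hashes the SubjectPublicKeyInfo: certificates bound to the
// same private key share it, whatever their serial numbers or validity dates.
func SPKIFingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// IsRevoked reports whether c's serial number is listed in the issuer's CRL.
func IsRevoked(crl *x509.RevocationList, c *x509.Certificate) bool {
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(c.SerialNumber) == 0
	})
}

// Remediated returns the conditions a site still fails: the reissued certificate
// must carry a new key, and the compromised certificate must be revoked.
func Remediated(old, reissued *x509.Certificate, crl *x509.RevocationList) []string {
	var problems []string
	if SPKIFingerprint(old) == SPKIFingerprint(reissued) {
		problems = append(problems, "reissued certificate reuses the compromised key")
	}
	if crl == nil || !IsRevoked(crl, old) {
		problems = append(problems, "compromised certificate is not revoked")
	}
	return problems
}

// Everything below is a constructed scenario (a toy CA and hypothetical
// certificates for www.example.com), not real certificates from any site.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCA self-signs a CA certificate permitted to sign both certificates and CRLs.
func newCA(key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy CA"},
		NotBefore: HeartbleedDisclosed.AddDate(-1, 0, 0), NotAfter: HeartbleedDisclosed.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

// issue signs a one-year leaf certificate for key, valid from notBefore.
func issue(ca *x509.Certificate, caKey, key *ecdsa.PrivateKey, serial int64, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "www.example.com"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
}

// revoke publishes a CRL listing c, then parses and signature-checks it as a client would.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, c *x509.Certificate, when time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: when, NextUpdate: when.AddDate(0, 0, 7),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: c.SerialNumber, RevocationTime: when}},
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
	if err := crl.CheckSignatureFrom(ca); err != nil {
		panic(err)
	}
	return crl
}

// Scenario runs Remediated over the four outcomes the study distinguishes.
func Scenario() map[string][]string {
	caKey := newKey()
	ca := newCA(caKey)
	leakedKey, freshKey := newKey(), newKey() // leakedKey stands for a key Heartbleed could have exposed
	after := HeartbleedDisclosed.AddDate(0, 0, 10)
	old := issue(ca, caKey, leakedKey, 100, HeartbleedDisclosed.AddDate(0, -6, 0))
	crl := revoke(ca, caKey, old, after)
	return map[string][]string{
		"never reissued":                Remediated(old, old, nil),
		"reissued with same key":        Remediated(old, issue(ca, caKey, leakedKey, 101, after), crl),
		"new key, old cert not revoked": Remediated(old, issue(ca, caKey, freshKey, 102, after), nil),
		"new key and old cert revoked":  Remediated(old, issue(ca, caKey, freshKey, 103, after), crl),
	}
}
```

Only the last case comes back with no problems. The SPKI comparison is the heart of the check: a certificate that was reissued but still carries the same public key is bound to a private key an attacker may already hold, so the reissue protects nobody; and a new certificate without revocation leaves the old one usable by anyone who has its key for as long as it remains valid. A browser that never fetches the CRL (or an OCSP response) never reaches the IsRevoked step at all.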

How do I learn more about this?
Please follow the link to the technical details. You can also read our full paper on the topic, to be published at the 2014 ACM Internet Measurement Conference.

How can I help make the Web more secure?
Another weak link in the security of our online transactions is Web browsers, which may not always download the revocation information (certificate revocation lists or OCSP responses) needed to tell whether a Web site's certificate has been revoked. We are developing a browser plugin that you can run to help us measure whether this is the case. If you are interested, fill out this form and we will e-mail you when the extension is available.