Are Web Sites as Secure as They Seem?

Up to 18 percent of servers using Secure Socket Layer encryption technology for Web site encryption are potentially vulnerable to hackers, with the problem being far more pronounced in Europe than in the U.S., according to the latest monthly survey of Web server usage conducted by Netcraft.

SSL is a common protocol for managing the security of message transmission on the Internet. Browser-based SSL technology is most secure if the server's public key, used to guarantee the authenticity of a transaction, is at least 1024 bits long.

The use of shorter keys makes it easier for hackers to break the key and impersonate the server, the Bath, England-based company says in a survey posted on its Web site.

Currently, about 60 percent of all Web sites using the SSL technology are based in the U.S. and approximately 15.1 percent of those sites are using short keys, Netcraft says.

World Wide Problem

The proportion of Web sites using potentially vulnerable SSL keys becomes even larger outside of the U.S., the study found. In France, 41.1 percent of SSL sites use the shorter keys, followed by 31.9 percent in Spain, and 26.5 percent in the U.K., Netcraft says.

In Canada, 13.5 percent of SSL Web sites are using short keys, the study says.

Although the U.S. government has eased export restrictions on strong cryptography, earlier restrictions are still having an effect on Net security today, says Netcraft.

"The U.S. export legislation and locally acted legislation to restrict the use of cryptography in countries with repressive or eccentric administrations, does still cast a shadow over the security of e-commerce even years after the acts have been repealed," Netcraft says.

Because it is not obvious to the end user what a server's choice of cryptography is or how many bits are being used in a Web site's SSL encryption key, there is little pressure from end users to improve such security, the survey says. Presently, lock symbols are displayed in browser windows during SSL sessions to indicate that a site is secure, no matter what the length of the key is.

Netcraft suggests that browser developers could help improve future security by displaying a graded indication of key length.