TIM’s report is a part of its SSL Pulse, a project that scans the top 1 million websites tracked by Alexa using technology developed by security vendor Qualys to discover the security strength of HTTPS sites. Says PC World:
SSL Pulse checks what protocols are supported by the HTTPS-enabled websites (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, etc.), the key length used for securing communications (512 bits, 1024 bits, 2048 bits, etc.) and the strength of the supported ciphers (256 bits, 128 bits or lower).
An algorithm is used to interpret the scan results and assign a score between 0 and 100 to each HTTPS configuration. The score is then translated into a grade, with A being the highest (over 80 points).
Half of the 200,000 websites (out of the 1 million) that support HTTPS received an A for their configurations (modern protocols, strong ciphers and long keys). But only 10 percent of them are really secure. Over 148,000 HTTPS websites were found to be vulnerable to the BEAST attack, “which can be used to decrypt authentication tokens and cookies from HTTPS requests.” The two results are not contradictory: the grade scores protocol, key and cipher strength, while BEAST exploits CBC-mode ciphers under TLS 1.0 and earlier, so a site can earn an A and still be exposed unless it prefers a non-CBC cipher for those protocol versions or moves its clients to TLS 1.1 or later.
SSL Pulse also found that over 13 percent of the HTTPS websites support insecure renegotiation of SSL connections, the 2009 renegotiation flaw that RFC 5746 closed by adding the renegotiation_info extension. That can “lead to man-in-the-middle attacks that can compromise SSL-protected communications between users and vulnerable servers,” says PC World. That is a particular problem for high-value websites such as those of financial institutions.
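To make the scoring scheme and the two findings concrete, here is an added example (my own code, not SSL Pulse's or Qualys's) that grades constructed scan results the way the article describes. The per-component points, the 30/30/40 weighting and the grade thresholds are assumed from the public SSL Labs Server Rating Guide; the article itself only states the 0-100 range and the A threshold. The BEAST check models the 2012-era server-side mitigation (enforce a non-CBC suite first on SSL 3.0/TLS 1.0), the renegotiation check looks for RFC 5746 support, and the hostnames and cipher lists are made up.

```python
"""Grade a TLS scan result, SSL Pulse style, in simplified form (added example)."""
from dataclasses import dataclass, field
from typing import List

# Assumed per-component points and grade floors, taken from the SSL Labs
# Server Rating Guide rather than from the article.
PROTOCOL_POINTS = {"SSL 2.0": 0, "SSL 3.0": 80, "TLS 1.0": 90, "TLS 1.1": 95, "TLS 1.2": 100}
GRADES = [(80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E"), (0, "F")]


@dataclass
class CipherSuite:
    name: str
    bits: int        # symmetric key strength
    mode: str        # "cbc" or "stream" (RC4), used by the BEAST check


@dataclass
class ScanResult:
    host: str
    protocols: List[str]
    key_bits: int                  # certificate public key length
    suites: List[CipherSuite]      # in the server's preference order
    server_preference: bool        # server enforces its own suite order?
    renegotiation_allowed: bool    # accepts client-initiated renegotiation?
    secure_renegotiation: bool     # RFC 5746 renegotiation_info supported?


@dataclass
class Report:
    score: float
    grade: str
    findings: List[str] = field(default_factory=list)


def protocol_score(protocols):
    """Average of the best and worst supported protocol version."""
    pts = [PROTOCOL_POINTS[p] for p in protocols]
    return (max(pts) + min(pts)) / 2


def key_score(bits):
    for limit, pts in ((512, 20), (1024, 40), (2048, 80), (4096, 90)):
        if bits < limit:
            return pts
    return 100


def cipher_score(suites):
    """Average of the strongest and weakest offered cipher."""
    def pts(bits):
        if bits == 0:
            return 0
        return 20 if bits < 128 else 80 if bits < 256 else 100
    strengths = [pts(s.bits) for s in suites]
    return (max(strengths) + min(strengths)) / 2


def grade_for(score):
    return next(g for floor, g in GRADES if score >= floor)


def beast_exposed(result):
    """BEAST needs a CBC suite negotiated under SSL 3.0 or TLS 1.0."""
    legacy = any(p in ("SSL 3.0", "TLS 1.0") for p in result.protocols)
    has_cbc = any(s.mode == "cbc" for s in result.suites)
    # 2012-era server-side mitigation: enforce a non-CBC suite first.
    mitigated = result.server_preference and result.suites[0].mode != "cbc"
    return legacy and has_cbc and not mitigated


def assess(result):
    # Integer weights keep the arithmetic exact for the sample inputs.
    score = (30 * protocol_score(result.protocols)
             + 30 * key_score(result.key_bits)
             + 40 * cipher_score(result.suites)) / 100
    report = Report(score=score, grade=grade_for(score))
    if beast_exposed(result):
        report.findings.append("BEAST: CBC cipher reachable over SSL 3.0/TLS 1.0")
    if result.renegotiation_allowed and not result.secure_renegotiation:
        report.findings.append("insecure renegotiation (no RFC 5746 support)")
    if "SSL 2.0" in result.protocols:
        report.findings.append("SSL 2.0 enabled")
    return report


# Constructed sample scan results; hostnames are placeholders.
BANK = ScanResult(
    host="bank.example", protocols=["TLS 1.0", "TLS 1.1", "TLS 1.2"], key_bits=2048,
    suites=[CipherSuite("AES256-SHA", 256, "cbc"),
            CipherSuite("AES128-SHA", 128, "cbc"),
            CipherSuite("RC4-SHA", 128, "stream")],
    server_preference=True, renegotiation_allowed=True, secure_renegotiation=True)

LEGACY = ScanResult(
    host="legacy.example", protocols=["SSL 3.0", "TLS 1.0"], key_bits=1024,
    suites=[CipherSuite("RC4-SHA", 128, "stream"),
            CipherSuite("DES-CBC-SHA", 56, "cbc")],
    server_preference=True, renegotiation_allowed=True, secure_renegotiation=False)

if __name__ == "__main__":
    for r in (BANK, LEGACY):
        rep = assess(r)
        print(f"{r.host}: {rep.score:.1f} ({rep.grade}) findings={rep.findings}")
```

The first sample reproduces the article's headline finding: it scores an A on protocols, key length and cipher strength, yet is flagged for BEAST because its preferred suite is CBC and TLS 1.0 is still enabled. The second scores only a B but escapes the BEAST flag by preferring RC4, while lacking RFC 5746 support earns it the insecure-renegotiation finding.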