How secure is the secure web?

**Terryphi** · 06-04-2010

There is an interesting blog post here by Opera's Security Team:

http://my.opera.com/securitygroup/bl...r-stats-part-1

A major SSL/TLS vulnerability linked to the renegotiation part of the protocol was publicized last November but the fix has been implemented on only a small proportion of servers. Opera research of 400,000 secure servers showed that only 8,593 have been patched by 30 March!

If you are running Opera 10.51 you can check if a server near you is unpatched - nudge, nudge.

**Colin** · 06-04-2010

Hmmm not very accurate, we are running:

Server Version: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8n mod_bwlimited/1.4 PHP/5.2.13

Originally Posted by :
A new version of OpenSSL (OpenSSL 0.9.8l) has been released, which removes SSL/TLS renegotiation. While this is not a fix for the for the SSL/TLS protocol vulnerability, it does mitigate against the resulting authentication gap. The new version of OpenSSL is available at http://www.openssl.org/source/.
The TLS protocol fix has been released in OpenSSL 0.9.8m

We are running 0.9.8n

**penders** · 06-04-2010

Originally Posted by Terryphi:
If you are running Opera 10.51 you can check if a server near you is unpatched...

According to Opera, all my online banks are unpatched?! More worrying, according to Opera, one of my online banks is "not secure" period (but Firefox says all is good)!?

**Terryphi** · 07-04-2010

Thanks, Colin. I have reported back to Opera developers.

**Terryphi** · 07-04-2010

penders: I did my test on Ariotek's Client Area using 10.51 and in view of what Colin has written above it obviously incorrectly identified the server as unpatched. However, I have now tested on the (as yet not officially released) Opera 10.52 and it correctly identifies the server as patched!

The online banking situation is more worrying because Opera 10.52 still identifies my online bank as unpatched. This does not surprise me in view of my previous experience with its IT department.

So... wait for Opera 10.52 before you test the secure servers.

**Terryphi** · 07-04-2010

I have now received this reply from Opera developers:

The actual detection works as it should (as you'll notice if you enable the unpatched warn or block modes), but there was a bug in the UI code controlling the indication in the security information dialog; it only worked correctly if the site has certificate problem (which happened because at the time there were no test sites with non-problem certificates). The patch apparently didn't make it into 10.51, but as you have noticed it did get into 10.52.