

Insecure websites to be named and shamed - auxbuss
http://www.bbc.co.uk/news/technology-17827919

======
acqq
A little more of the context:

[http://www.computerweekly.com/news/2240123459/RSA-2012-Trust...](http://www.computerweekly.com/news/2240123459/RSA-2012-Trustworthy-Internet-Movement-launched-at-RSA)

[https://www.trustworthyinternet.org/blog/2012/4/25/ssl-pulse...](https://www.trustworthyinternet.org/blog/2012/4/25/ssl-pulse-to-make-ssl-more-secure-and-pervasive.html)

And the dynamically updated Survey of the SSL Implementation of the Most Popular Web Sites:
<https://www.trustworthyinternet.org/ssl-pulse/>

~~~
dazbradbury
Note that the last link there allows you to enter a URL and run the tests
yourself. Probably useful for those wondering if they will be caught out.

------
scott_w
The article doesn't seem to mention this, and I can't find anything obvious on
their site, so does anyone know if these guys are going to disclose with the
vendors before publishing?

I know there are plenty of sites that won't do anything unless they're forced
to, but there are those of us that do care and would like to know before the
whole world does.

~~~
ars
If you go here it has some recent scans: <https://www.ssllabs.com/ssltest/>
and you can check your own site.

------
jefe78
I can see this going badly. I understand they probably have altruistic motives
but I can see some website owner claiming their vulnerable site was 'safe'
through obscurity but was attacked due to this public shaming. Should be
interesting.

Can anyone correct me/inform us as to whether the site owner will have a leg
to stand on in court?

~~~
jnorthrop
Most laws and regulations require a site to provide "reasonable" and
"adequate" protection. While those are loaded legal terms it is generally
interpreted in such a way that a site should be proactive enough to be updated
against known and patched vulnerabilities. It looks like TIM is reporting on
those -- I didn't see any zero-day stuff -- so, to answer your question, I
think TIM has a very defensible position if faced with a suit.

------
Lockyy
I think the BBC meant white hat, not white hack when mentioning Moxie
Marlinspike? Or am I being painfully naive and missing something?

~~~
seabee
Article's changed now - the BBC quite often make adjustments to the text after
it's first published.

------
KhalidAbuhakmeh
So let's say I bought a compromised version of SSL from a certificate vendor.
Could I legally ask for my money back? It seems like you were sold something
under false pretenses.

~~~
yuhong
Most of these SSL misconfigurations have nothing to do with certificates.

