Pulse has evolved from SSL Labs, the brainchild of Qualys CEO Philippe Courtot and SSL expert Ivan Ristic. It is effectively a non-profit, vendor-neutral taskforce of the brightest and best: Michael Barrett, CISO at PayPal; Taher Elgamal, one of the creators of SSL; Ryan Hurst, CTO at GMO GlobalSign; Adam Langley, staff software engineer at Google working on SSL/TLS in Chrome; Moxie Marlinspike, founder of Whisper Systems; and Ivan Ristic. Technically, it is part of the Trustworthy Internet Movement (TIM); but keeping its finger on the pulse is what it's all about.
Pulse is interesting for two reasons, said Taher Elgamal: "Strategic and collaborative. I get a lot of calls saying that SSL is broken; but that's because people don't understand the difference between a structural and an implementation problem." Most SSL problems come down to installation issues, and Elgamal believes that Pulse can address both the perception and the issue. "And in order to solve problems for the user, we need to collaborate as well as compete. Today the industry is almost entirely competitive - Pulse will help address that."
True to a concept dear to Qualys founder Philippe Courtot's heart, use of the Pulse website, its facilities and its findings is free and open. These facilities include the ability to scan any 'trusted' website to analyse the true state of its SSL security. Pulse regularly scans the top 200,000 SSL-enabled websites to monitor any change, and its findings leave a lot to be desired. Currently, only ten percent of secure websites have a sound and safe implementation of SSL. Ristic expects that to increase fairly rapidly as a reaction to the BEAST attacks. This will mean that half of the websites gain an 'A' rating - but that still means that 50 percent are poor.
Is it effectively another tool for hackers - the ability to find insecure sites? "Don't worry about hackers," said Courtot. "They already know the weak sites." It is the good guys, and the visitors who think they are protected by SSL, who don't realise that they are not secure.
Ristic admitted he has had both good and bad reactions to the project. "The internet has evolved over the last 18 years," he said, "but SSL stood still. We thought it worked, so we left it alone. Today, many companies would rather we change our message than they change their implementation. It's only when we show them how easy it is to get an 'A' rating that they take notice." Pulse is a form of naming and shaming; and its announcement at Infosecurity Europe is a way of telling the industry, 'look out, because if you're insecure, your visitors can find out.' Ristic sees the approach as more a Hall of Fame than a Hall of Shame. And for that reason alone we may see a 'Pulse A certificate' appearing on the most secure websites with the most secure implementation of SSL.