The websites of eBay, PayPal, Microsoft and possibly Facebook are among scores vulnerable to an almost three-year-old TLS/SSL renegotiation flaw.
The flaw allows credentials to be stolen from encrypted data streams.
The vulnerable websites were posted on a list operated by Linux programmer Kai Engert in an effort to highlight that the SSL flaw is still active.
However, Engert claims the flaw can only be fixed on web servers, not in users' web browsers, meaning visitors have remained exposed.
“Several major sites, even banking sites, still use a broken server configuration and are likely vulnerable to man-in-the-middle attacks,” Engert wrote on his blog.
“What happened if a site administrator made a mistake, and accidentally used the wrong configuration? The site would still work, but the attack would work too, and nobody might notice.
“I hereby call on the corporations who run those major sites to increase security on the web, by eliminating these risks by upgrading to software that uses the fixed protocol RFC 5746.”
The “arbitrary” list is updated every three hours.
Users can check whether their browsers support the SSL renegotiation fix at Engert’s website.