Re: [certid] SSL Labs
Ivan Ristic <ivan.ristic@gmail.com> Fri, 05 November 2010 10:50 UTC
[I apologise for not replying to the original email(s), but I've just subscribed to this list.]

JeffH wrote:

> That explanation hints that most all the certs represented in the dataset would
> be "valid" certs. However, there's ~150k more entries in the dbase than
> the ~720K valid certs he observed. Though, there's ~150k apparently "self-signed"
> certs in the dbase, so perhaps that's what's filling out the dbase.

The term "potentially valid" would be more accurate. The purpose of the survey was to investigate how an average SSL server is configured, and for that we wanted to look at those servers that someone at least tried to configure properly. There are so many invalid certificates out there, so taking the configuration of all SSL servers would pollute the data.

I defined "potentially valid" as residing on a domain name that matches the certificate. Trust was not a factor, and that's why there are self-signed certificates in the database. In addition, there's only one certificate per domain name and IP address.

The 720K certificates were obtained from the 119M data set of domain name registrations. The additional 150K were obtained by looking at Alexa's top 1M sites, as well as by data mining web site names from the certificates we obtained. The fact that there are about 150K self-signed certificates is a coincidence.

--
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
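An added example, not part of the original message and not SSL Labs' code: a sketch of the selection rule described above, where a certificate is kept when a name in it matches the domain it was served from, whether or not it is trusted, with one certificate per (domain name, IP address) pair. The record fields, the wildcard rule and the SAN-before-CN order are assumptions, since the message does not say how the survey matched names.

```python
# Added illustration. Field names and matching rules are assumptions, not the
# survey's actual implementation. All sample records are constructed.

def name_matches(hostname, pattern):
    """Case-insensitive label match; '*' is accepted only as the whole
    left-most label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def potentially_valid(rec):
    """True when the certificate names the domain it was found on.
    rec['self_signed'] is deliberately never consulted: trust is not a factor."""
    names = rec["san_dns"] or ([rec["subject_cn"]] if rec["subject_cn"] else [])
    return any(name_matches(rec["domain"], n) for n in names)

def build_dataset(records):
    """Keep potentially valid certificates, one per (domain, IP) pair."""
    seen, kept = set(), []
    for rec in records:
        key = (rec["domain"].lower(), rec["ip"])
        if key in seen or not potentially_valid(rec):
            continue
        seen.add(key)
        kept.append(rec)
    return kept

def rec(domain, ip, san_dns, subject_cn, self_signed):
    return dict(domain=domain, ip=ip, san_dns=san_dns,
                subject_cn=subject_cn, self_signed=self_signed)

SAMPLE = [  # constructed records using documentation names and addresses
    rec("www.example.com", "192.0.2.10", ["example.com", "www.example.com"], "", False),
    rec("www.example.com", "192.0.2.10", ["www.example.com"], "", False),  # duplicate pair
    rec("intranet.example.org", "192.0.2.20", [], "intranet.example.org", True),
    rec("shop.example.net", "192.0.2.30", ["*.example.net"], "", False),
    rec("mail.example.com", "192.0.2.40", ["www.hosting.example"], "", False),  # mismatch
]

if __name__ == "__main__":
    for r in build_dataset(SAMPLE):
        print(r["domain"], r["ip"], "self-signed" if r["self_signed"] else "CA-issued")
```

The self-signed record is kept and the mismatched record issued by a CA is dropped, which is the distinction between "potentially valid" and "valid" that the message draws.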