Re: [TLS] Eleven out of every ten SSL certs aren't valid

Marsh Ray <marsh@extendedsubset.com> Tue, 29 June 2010 21:40 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EABE23A6930 for <tls@core3.amsl.com>; Tue, 29 Jun 2010 14:40:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.485
X-Spam-Level:
X-Spam-Status: No, score=-1.485 tagged_above=-999 required=5 tests=[AWL=1.114, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6eNS+pGX9Ia3 for <tls@core3.amsl.com>; Tue, 29 Jun 2010 14:40:10 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 937AA3A69D0 for <tls@ietf.org>; Tue, 29 Jun 2010 14:40:10 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OTiXV-000HZ0-6K; Tue, 29 Jun 2010 21:40:21 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 8EEF96331; Tue, 29 Jun 2010 21:40:17 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18mCZuTGsv6hg1hA6xJ48LKHYDPScCLubs=
Message-ID: <4C2A6841.7080607@extendedsubset.com>
Date: Tue, 29 Jun 2010 16:40:17 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4
MIME-Version: 1.0
To: Ivan Ristic <ivan.ristic@gmail.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com> <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com> <4C2A45C9.3010608@extendedsubset.com> <AANLkTinHVJGrnBl93qCfrrbHGlTP_yEMX8PMRduSIKgd@mail.gmail.com>
In-Reply-To: <AANLkTinHVJGrnBl93qCfrrbHGlTP_yEMX8PMRduSIKgd@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2010 21:40:12 -0000

On 06/29/2010 03:22 PM, Ivan Ristic wrote:
> On Tue, Jun 29, 2010 at 8:13 PM, Marsh Ray<marsh@extendedsubset.com>  wrote:
>> First of all, count me as one who thinks Ivan's work is really cool.
>>
>> On 06/29/2010 01:29 PM, Ivan Ristic wrote:
>>>
>>> The problem with that view is that, while the users are experiencing
>>> all those sites with invalid certificates they are getting used to the
>>> idea that nothing bad comes from browser warnings.
>>
>> But we don't know that, do we?
>
> Of course we do, from anecdotal evidence. The worst offenders are on
> intranets/private hosts everywhere.

I may agree with you because there seems to be convincing evidence of 
that in aggregate, but that doesn't make us correct in any specific 
cases to say "this DNS name resolving to an IP that listens on TCP port 
443 and presents a cert that we don't trust is 'bad' and thus an 
'offender'".

If https://employee-portal.example-bank.com/ has a cert issued by a 
trusted root calling itself "internal-ca.example-bank.com" I would be 
foolish to trust it at face value. However, that does not mean I can say 
that no one is correct in trusting it or that it is inherently "invalid".

>> I mean, I can set up a web hosting server with an HTTPS-based "webmin" (or
>> whatever admin page I might want to use). I could protect that admin login
>> using a cert issued by my own private CA. I could then v-host 1000 non-SSL
>> web sites, still using only a single shared IP address.
>>
>> Doesn't your methodology count this case as "1001 invalid certs" where, in
>> reality, everything that is supposed to work is configured correctly?
>
> I disagree that your described setup is working correctly. In my view,
> if you delegate a domain name to a server, you should either respond
> properly (with the same site) on both 80 and 443, or shut down port
> 443 if you don't need/want SSL.

But I do want SSL in this scenario. I just can't vhost it the way I 
can non-SSL sites.

By this methodology, I can host 1000 http sites on a single IP address 
at TCP port 80, but as soon as that IP address accepts a connection on 
TCP port 443 it immediately counts as 1000 invalid certs.

I liked the suggestion about looking for https: links on the net. Scores 
could even be weighted by incoming links, à la PageRank. If a DNS name 
really has zero links to it, it's questionable whether or not it's really 
relevant as a part of the web.

If your conclusion is that "97% of sites are invalid", that doesn't fit 
with my experience as a web user. But I think of a "secure SSL site" as 
those that are actively maintained and that I would visit with some 
expectation of working security. I suppose there are a nearly-unlimited 
number of sites with test and expired certs (and it seems you've gone 
out of your way to dig them up) so it doesn't seem useful to count them 
in the same bucket as the sites people do care about.

On the other hand, if your conclusion is "the vast majority of domain 
names are hosting content no one cares about enough to secure" then I 
don't think this is news to anyone!

There's something really useful in this data if we could just figure out 
the right question to ask. 42 and all that.

- Marsh
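The two counting methods argued over in this message, modelled as an added example that is not part of the original mail and is not Ivan Ristic's actual survey code: `count_per_name` implements the per-DNS-name tally as Marsh characterises it (every name that resolves to an IP answering on 443 with a certificate that does not validate for that name is one "invalid cert"), and `count_link_weighted` implements his alternative of counting only names that carry inbound https: links, weighted by link count. Hostname matching follows the RFC 6125 rule of a wildcard only in the leftmost label. All hostnames, IPs, certificate names and link counts are constructed sample data, and the hosting scenario is the one the mail describes: one IP, a private-CA admin cert, and 1000 plain-HTTP virtual hosts behind it.

```python
"""Model of the survey-counting dispute in this thread (added example,
not from the original message or from any real survey tool)."""

from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Listener:
    """What a scanner sees when it connects to an IP on TCP port 443."""
    names_in_cert: List[str]       # SAN/CN names presented (constructed)
    trusted_chain: bool            # chain leads to a root the scanner trusts


@dataclass
class Survey:
    dns: Dict[str, str]            # hostname -> IP it resolves to
    port443: Dict[str, Listener]   # IP -> listener; absent means port closed
    https_links: Counter = field(default_factory=Counter)  # host -> inbound https: links


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard in the leftmost label only,
    covering exactly one label (so '*.example.com' does not match 'a.b.example.com')."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_valid_for(survey: Survey, host: str) -> Optional[bool]:
    """None if the host's IP does not answer on 443; otherwise whether the
    presented certificate is trusted and names this host."""
    listener = survey.port443.get(survey.dns[host])
    if listener is None:
        return None
    return listener.trusted_chain and any(
        name_matches(n, host) for n in listener.names_in_cert)


def _bucket(result: Optional[bool]) -> str:
    return "no_tls" if result is None else ("valid" if result else "invalid")


def count_per_name(survey: Survey) -> Dict[str, int]:
    """The counting Marsh objects to: every DNS name is scored on its own,
    so 1000 HTTP-only vhosts sharing an IP with one HTTPS admin page all
    inherit that page's certificate result."""
    tally: Counter = Counter()
    for host in survey.dns:
        tally[_bucket(cert_valid_for(survey, host))] += 1
    return dict(tally)


def count_link_weighted(survey: Survey) -> Dict[str, int]:
    """Marsh's suggestion: only names that someone links to with https:
    count, each weighted by its inbound https: link count."""
    tally: Counter = Counter()
    for host, weight in survey.https_links.items():
        if host in survey.dns:
            tally[_bucket(cert_valid_for(survey, host))] += weight
    return dict(tally)


def hosting_scenario() -> Survey:
    """Constructed data: the shared-IP hosting box from the mail plus one
    actively maintained HTTPS site with a trusted wildcard certificate."""
    shared_ip, shop_ip = "192.0.2.10", "198.51.100.7"
    dns = {"admin.example.net": shared_ip, "shop.example.com": shop_ip}
    dns.update({f"site{i}.example.org": shared_ip for i in range(1000)})
    listeners = {
        # admin page under a private CA: not trusted by the scanner
        shared_ip: Listener(["admin.example.net"], trusted_chain=False),
        # public shop: trusted chain, wildcard SAN covering shop.example.com
        shop_ip: Listener(["example.com", "*.example.com"], trusted_chain=True),
    }
    links = Counter({"shop.example.com": 250})   # nobody links https: to the vhosts
    return Survey(dns, listeners, links)


if __name__ == "__main__":
    s = hosting_scenario()
    print("per name:     ", count_per_name(s))      # 1001 invalid, 1 valid
    print("link-weighted:", count_link_weighted(s))  # 250 valid, nothing else
```

Run stand-alone, the same data scores as roughly 99.9% "invalid" under the per-name tally and 100% "valid" under the link-weighted one, which is the gap between "invalid certs" and "domain names nobody secured" that the message is pointing at; the only variable that changed is which question the counter asks.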