IETF Logo Mail Archive

Re: [TLS] Eleven out of every ten SSL certs aren't valid

Marsh Ray <marsh@extendedsubset.com> Tue, 29 June 2010 22:20 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76B703A659B for <tls@core3.amsl.com>; Tue, 29 Jun 2010 15:20:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.841
X-Spam-Level:
X-Spam-Status: No, score=-0.841 tagged_above=-999 required=5 tests=[AWL=0.269, BAYES_05=-1.11]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2vK4K5ptlCfR for <tls@core3.amsl.com>; Tue, 29 Jun 2010 15:20:54 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id F421E3A68AB for <tls@ietf.org>; Tue, 29 Jun 2010 15:20:53 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OTjAu-0009PQ-Jj; Tue, 29 Jun 2010 22:21:04 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 057766331; Tue, 29 Jun 2010 22:21:01 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/BjCp6q3JbsUcbwvZPAhf2vrskm4Ght38=
Message-ID: <4C2A71CE.7000604@extendedsubset.com>
Date: Tue, 29 Jun 2010 17:21:02 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4
MIME-Version: 1.0
To: Ivan Ristic <ivan.ristic@gmail.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com> <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com> <4C2A45C9.3010608@extendedsubset.com> <AANLkTinHVJGrnBl93qCfrrbHGlTP_yEMX8PMRduSIKgd@mail.gmail.com> <4C2A6841.7080607@extendedsubset.com> <AANLkTinQDI1iNMTSnOqCuzchiFzIcwzjV9kYgrRkx7IT@mail.gmail.com>
In-Reply-To: <AANLkTinQDI1iNMTSnOqCuzchiFzIcwzjV9kYgrRkx7IT@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2010 22:20:56 -0000

On 06/29/2010 04:44 PM, Ivan Ristic wrote:
> On Tue, Jun 29, 2010 at 10:40 PM, Marsh Ray<marsh@extendedsubset.com>
> wrote:
>>
>> ...
>>
>> I liked the suggestion about looking for https: links on the net.
>> Scores could even be weighted by incoming links, a' la pagerank. If
>> a dns name really has zero links to it, it's questionable whether
>> or not its really relevant as a part of the web.
>
> Isn't that exactly what we'd be getting from looking at the most
> popular 1 million domain names?

Perhaps, but I would want a precise definition of "most popular" before 
agreeing to the "exactly". :-)

>> On the other hand, if your conclusion is [...]
>
> Well, that's the thing. I didn't make any conclusions, but there are
> several people on this list who assumed I did.

You've done something cool and ambitious and given some numbers to the 
press. It's fair to expect people to look at it very closely for stated 
and implied interpretations. (This is partly why it's rare to see 
researchers publish raw data with no analysis.)

Not to mention that the numbers by themselves raise some good questions 
for the SSL/TLS community. People want to discuss it with you.

 From TFA:
> "Only about 3.17 percent of the domain names matched," Ristic said.
> "So we have about 22 million SSL servers with certificates that are
> completely invalid because they do not match the domain name on which
> they reside."

This is where I think there's some room for legitimate discussion about 
the numbers as presented.

Is it correct to count a server reached from a misdirected DNS entry as 
"completely invalid" SSL?

According to the RFCs as I understand them, we can only say (an 
otherwise well-formed) cert is invalid in the context of a protocol, an 
requested identity, a set of trusted root certs, a time of validation, 
etc. We all know there's a good deal of variation in clients' trusted 
roots. Revocation data could be another interesting contextual variable.

- Marsh

v2.23.0 | Report a Bug | By Email