Re: [TLS] Eleven out of every ten SSL certs aren't valid

[Nicolas Williams <Nicolas.Williams@oracle.com>]

On Tue, Jun 29, 2010 at 07:50:38PM +1200, Peter Gutmann wrote:
> In case someone here still hasn't seen this, the subject is a reference to:
> 
>   SSL Certificates In Use Today Aren't All Valid
>   http://www.esecurityplanet.com/features/article.php/3890171/SSL-Certificates-In-Use-Today-Arent-All-Valid.htm
> 
> which posits that only 3% of SSL certs in use today are valid.  The figures
> seem a bit suspicious though, for example they claim 23 million SSL sites
> while the same article quotes Netcraft as claiming there are 1.5 million SSL
> certs in use (the Netcraft figures may be for CA-issued certs only, since they
> quote Verisign as a percentage of that total).  Still, 3% seems pretty low,
> could this be due to something like virtual hosting and the client not sending
> the hostname, thereby getting the wrong cert?  Even with that though, I 
> wouldn't have expected a 97% invalidity rate.

The subject line is very funny, but, seriously, this doesn't bother me
in the least.  Why?  Because anyone can put up a site with an invalid,
self-signed, or might-as-well-be-self-signed-because-no-one-uses-its-
root-CA cert.  Therefore the number of sites with such certs is utterly
and completely _meaningless_ [m_e_a_n_i_n_g_l_e_s_s_].

What matters is that the sites that ought to be using HTTPS with valid
certs are[*].  I'm talking about banks, payment sites, shopping sites
that accept credit cards, etcetera.  By and large those appear to be
valid most if not all the time I, as a user, need them to be.  I'd like
to see a study of such sites' TLS and PKIX usage.

So I'd phrase this as 9-out-of-10 sites that need to have valid certs.

Nico

[*]  Ignoring, for lack of a better alternative, the fact that browsers
     ship with such long lists of trust anchors that we might as well
     not even try to pretend we're using a PKI.
--