Re: [TLS] Eleven out of every ten SSL certs aren't valid

Ivan Ristic <ivan.ristic@gmail.com> Tue, 29 June 2010 18:29 UTC

In-Reply-To: <20100629163354.GR11785@oracle.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com>
Date: Tue, 29 Jun 2010 19:29:45 +0100
Message-ID: <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com>
From: Ivan Ristic <ivan.ristic@gmail.com>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid

On Tue, Jun 29, 2010 at 5:33 PM, Nicolas Williams
<Nicolas.Williams@oracle.com> wrote:
> On Tue, Jun 29, 2010 at 07:50:38PM +1200, Peter Gutmann wrote:
>> In case someone here still hasn't seen this, the subject is a reference to:
>>
>>   SSL Certificates In Use Today Aren't All Valid
>>   http://www.esecurityplanet.com/features/article.php/3890171/SSL-Certificates-In-Use-Today-Arent-All-Valid.htm
>>
>> which posits that only 3% of SSL certs in use today are valid.  The figures
>> seem a bit suspicious though, for example they claim 23 million SSL sites
>> while the same article quotes Netcraft as claiming there are 1.5 million SSL
>> certs in use (the Netcraft figures may be for CA-issued certs only, since they
>> quote Verisign as a percentage of that total).  Still, 3% seems pretty low,
>> could this be due to something like virtual hosting and the client not sending
>> the hostname, thereby getting the wrong cert?  Even with that though, I
>> wouldn't have expected a 97% invalidity rate.
>
> The subject line is very funny, but, seriously, this doesn't bother me
> in the least.  Why?  Because anyone can put up a site with an invalid,
> self-signed, or might-as-well-be-self-signed-because-no-one-uses-its-
> root-CA cert.  Therefore the number of sites with such certs is utterly
> and completely _meaningless_ [m _e _a _n _i _n _g _l _e _s _s _].
>
> What matters is that the sites that ought to be using HTTPS with valid
> certs are[*].  I'm talking about banks, payment sites, shopping sites
> that accept credit cards, etcetera.  By and large those appear to be
> valid most if not all the time I, as a user, need them to be.  I'd like
> to see a study of such sites' TLS and PKIX usage.
>
> So I'd phrase this as 9-out-of-10 sites that need to have valid certs.

The problem with that view is that, while the users are experiencing
all those sites with invalid certificates, they are getting used to the
idea that nothing bad comes from browser warnings. Then, one day, when
they're accessing their bank's web site from an insecure network, they
ignore the one warning they shouldn't and get owned by the MITM guy.

> Nico
>
> [*]  Ignoring, for lack of a better alternative, the fact that browsers
>     ship with such long lists of trust anchors that we might as well
>     not even try to pretend we're using a PKI.

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]