Re: [TLS] Eleven out of every ten SSL certs aren't valid
Ivan Ristic <ivan.ristic@gmail.com> Tue, 29 June 2010 18:29 UTC
Return-Path: <ivan.ristic@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 463313A6C1E for <tls@core3.amsl.com>; Tue, 29 Jun 2010 11:29:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[AWL=0.511, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 69c8Dg56GLcn for <tls@core3.amsl.com>; Tue, 29 Jun 2010 11:29:39 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id B7DE23A6C14 for <tls@ietf.org>; Tue, 29 Jun 2010 11:29:37 -0700 (PDT)
Received: by fxm1 with SMTP id 1so1661527fxm.31 for <tls@ietf.org>; Tue, 29 Jun 2010 11:29:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=GZwLy1a/PNGBZjSwIu8SKlC4QaYQxM2iDO1NatRqlO8=; b=X7GNfAOQZ4W/eo6MIgdc5aDM6WGzULi0ONF2UwdFzvvu14ETU5gAM9HeJWrKhDSwbW b4USnAQM6M0OGhtvJG+REelA3A1RN/eyqmeN5tOiwcWPefdwNVdAjG2jCSNuSO9WXRHl XVw7v7gaQhmUzTcunBkO3cgRmo1qHN24h4jMU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=S5ZLrL6cQLNyqnlH6SEF4XEu//Z74t6y6MCfUcwRNMmppLtfwexz1eURs9y2b5TKoM CgwAGnTg7BWpDfWl9DgamN3YWMmmpubA6wT6BSNsfxLvpzGSz1uW6B5ZQkwVp2li00oi b1551gf3WD8jC1KX70zqIuZ/2TtPRD13AkWcI=
MIME-Version: 1.0
Received: by 10.239.182.207 with SMTP id r15mr457293hbg.6.1277836186220; Tue, 29 Jun 2010 11:29:46 -0700 (PDT)
Received: by 10.239.164.79 with HTTP; Tue, 29 Jun 2010 11:29:45 -0700 (PDT)
In-Reply-To: <20100629163354.GR11785@oracle.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com>
Date: Tue, 29 Jun 2010 19:29:45 +0100
Message-ID: <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com>
From: Ivan Ristic <ivan.ristic@gmail.com>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2010 18:29:42 -0000
On Tue, Jun 29, 2010 at 5:33 PM, Nicolas Williams <Nicolas.Williams@oracle.com> wrote: > On Tue, Jun 29, 2010 at 07:50:38PM +1200, Peter Gutmann wrote: >> In case someone here still hasn't seen this, the subject is a reference to: >> >> SSL Certificates In Use Today Aren't All Valid >> http://www.esecurityplanet.com/features/article.php/3890171/SSL-Certificates-In-Use-Today-Arent-All-Valid.htm >> >> which posits that only 3% of SSL certs in use today are valid. The figures >> seem a bit suspicious though, for example they claim 23 million SSL sites >> while the same article quotes Netcraft as claiming there are 1.5 million SSL >> certs in use (the Netcraft figures may be for CA-issued certs only, since they >> quote Verisign as a percentage of that total). Still, 3% seems pretty low, >> could this be due to something like virtual hosting and the client not sending >> the hostname, thereby getting the wrong cert? Even with that though, I >> wouldn't have expected a 97% invalidity rate. > > The subject line is very funny, but, seriously, this doesn't bother me > in the least. Why? Because anyone can put up a site with an invalid, > self-signed, or might-as-well-be-self-signed-because-no-one-uses-its- > root-CA cert. Therefore the number of sites with such certs is utterly > and completely _meaningless_ [m _e _a _n _i _n _g _l _e _s _s _]. > > What matters is that the sites that ought to be using HTTPS with valid > certs are[*]. I'm talking about banks, payment sites, shopping sites > that accept credit cards, etcetera. By and large those appear to be > valid most if not all the time I, as a user, need them to be. I'd like > to see a study of such sites' TLS and PKIX usage. > > So I'd phrase this as 9-out-of-10 sites that need to have valid certs. The problem with that view is that, while the users are experiencing all those sites with invalid certificates they are getting used to the idea that nothing bad comes from browser warnings. Then, one day, when they're accessing their bank's web site from an insecure network, they ignore the one warning they shouldn't and get owned by the MITM guy. > Nico > > [*] Ignoring, for lack of a better alternative, the fact that browsers > ship with such long lists of trust anchors that we might as well > not even try to pretend we're using a PKI. > -- > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- Ivan Ristic ModSecurity Handbook [http://www.modsecurityhandbook.com] SSL Labs [https://www.ssllabs.com/ssldb/]
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- [TLS] Eleven out of every ten SSL certs aren't va… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… Adam Langley
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Joshua Davies
- Re: [TLS] Eleven out of every ten SSL certs aren'… Yoav Nir
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nikos Mavrogiannopoulos
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Daskaluk
- Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- Re: [TLS] Eleven out of every ten SSL certs aren'… Jeffrey A. Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Frantz
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
- Re: [TLS] Eleven out of every ten SSL certs aren'… Florian Weimer
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
- Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… Steffen Schulz
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
- Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Seth David Schoen
- Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
- Re: [TLS] Eleven out of every ten SSL certs aren'… =JeffH
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
- [TLS] TLS, PKI, and web security. Was: Eleven out… Marsh Ray
- Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Robert Relyea
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Bruno Harbulot
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Robert Relyea
- Re: [TLS] TLS, PKI, Marsh Ray
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Marsh Ray
- Re: [TLS] TLS, PKI, Bruno Harbulot
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Yoav Nir
- Re: [TLS] TLS, PKI, Yoav Nir
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Bruno Harbulot
- Re: [TLS] TLS, PKI, Robert Relyea
- Re: [TLS] TLS, PKI, Marsh Ray
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Steingruebl, Andy
- Re: [TLS] TLS, PKI, Kyle Hamilton
- Re: [TLS] TLS, PKI, Marsh Ray
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, Bruno Harbulot
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Ralph Holz
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Yoav Nir
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Nasko Oskov
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Martin Rex
- Re: [TLS] TLS, PKI, Peter Gutmann
- Re: [TLS] TLS, PKI, and web security. Was: Eleven… Kyle Hamilton