Re: [TLS] Eleven out of every ten SSL certs aren't valid

Yoav Nir <ynir@checkpoint.com> Tue, 29 June 2010 15:54 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Joshua Davies <joshua.davies@travelocity.com>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 29 Jun 2010 18:51:47 +0300
Thread-Topic: [TLS] Eleven out of every ten SSL certs aren't valid
Thread-Index: AcsXogl6Zm/z3sQkSzSgwFfztlPT/wAAPGo/
Message-ID: <006FEB08D9C6444AB014105C9AEB133FD8D8623B87@il-ex01.ad.checkpoint.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <201006291350.o5TDoMoO018788@fs4113.wdf.sap.corp> <AANLkTinWDU7RKXRU1drErtWZSdOyGwSymOBdwXSnYMEB@mail.gmail.com> <7C6BDB4BD9974646856544650C016B82139E7C@XCH117CNC.rim.net>, <4C2A1496.3040805@travelocity.com>
In-Reply-To: <4C2A1496.3040805@travelocity.com>

No idea about Oracle, but port 443 is one of those ports that are open on most firewalls, so it "just works".

In some ways port 443 is even better than port 80, because some firewalls try to inspect port 80, but allow port 443 traffic as-is because it's inspected.

I know of one implementation at least that runs IKE over port 443.

Of course, modern firewalls can inspect port 443 for properly formatted SSL/TLS records, but most of them don't do it.

Yoav
(who works for a firewall vendor)
________________________________________
From: tls-bounces@ietf.org [tls-bounces@ietf.org] On Behalf Of Joshua Davies [joshua.davies@travelocity.com]
Sent: Tuesday, June 29, 2010 18:43
To: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid

Well, ok, but... why listen on port 443 if you don't plan to support SSL in the first place?
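The check Yoav describes, a firewall looking at whether port 443 traffic actually starts with well-formed SSL/TLS records rather than waving it through on port number alone, is easy to sketch. The following is an added example written for this archive page; it is not code from the thread, from Check Point, or from the IKE-over-443 implementation mentioned above. It parses the TLS record header and the handshake header of a client's first segment, and the ClientHello, IKEv2 and HTTP sample inputs are constructed here for illustration.

```python
"""First-segment sanity check for a TCP/443 flow: does it start with a
TLS record carrying a ClientHello?  Added example, not from the original thread."""
import struct

TLS_HANDSHAKE = 0x16          # record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type
TLS_MAX_PLAINTEXT = 16384     # RFC 5246 6.2.1 record payload limit
MIN_CLIENT_HELLO_BODY = 41    # version(2)+random(32)+sid_len(1)+suites_len(2)
                              # +one suite(2)+comp_len(1)+one method(1)


def looks_like_tls_client_hello(data: bytes) -> tuple[bool, str]:
    """Return (verdict, reason) for the first bytes the client sends.

    Checks the 5-byte record header (type, version, length) and the 4-byte
    handshake header inside it.  Only the first record is examined; a large
    ClientHello may be fragmented across records, so no upper bound is
    placed on the handshake length relative to this record.
    """
    if len(data) < 9:
        return False, "too short for a record header plus handshake header"
    ctype, vmajor, vminor, rlen = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE:
        return False, f"record type 0x{ctype:02x} is not handshake (0x16)"
    if vmajor != 3 or vminor > 4:
        return False, f"record version {vmajor}.{vminor} is not SSL3/TLS"
    if rlen == 0 or rlen > TLS_MAX_PLAINTEXT:
        return False, f"record length {rlen} out of range"
    htype = data[5]
    hlen = int.from_bytes(data[6:9], "big")
    if htype != CLIENT_HELLO:
        return False, f"first handshake message 0x{htype:02x} is not ClientHello"
    if hlen < MIN_CLIENT_HELLO_BODY:
        return False, f"ClientHello body of {hlen} bytes is impossibly small"
    return True, "plausible TLS ClientHello"


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello in a TLS 1.0 record."""
    body = (b"\x03\x03" + b"\x11" * 32   # client_version, random (constructed)
            + b"\x00"                     # session_id length 0
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00")                # compression: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


def build_ike_sa_init() -> bytes:
    """Constructed IKEv2 header (RFC 7296 3.1) as it might arrive on TCP/443."""
    return (b"\x01\x02\x03\x04\x05\x06\x07\x08"  # initiator SPI (constructed)
            + b"\x00" * 8                        # responder SPI, zero in IKE_SA_INIT
            + b"\x21"                            # next payload: SA
            + b"\x20"                            # version 2.0
            + b"\x22"                            # exchange type IKE_SA_INIT
            + b"\x08"                            # flags: initiator
            + b"\x00\x00\x00\x00"                # message ID
            + b"\x00\x00\x00\x1c")               # length: header only


if __name__ == "__main__":
    samples = {
        "real ClientHello": build_client_hello(),
        "IKEv2 on 443": build_ike_sa_init(),
        "plain HTTP on 443": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
        "ServerHello first": b"\x16\x03\x01\x00\x05\x02\x00\x00\x01\x00",
    }
    for name, blob in samples.items():
        print(f"{name:18s} -> {looks_like_tls_client_hello(blob)}")
```

This is a coarse filter: it tells the IKE and HTTP samples apart from a genuine ClientHello, but a tunnel that deliberately prefixes its traffic with a valid-looking ClientHello passes it, which is why a firewall that wants to be sure has to follow the full handshake rather than the first record.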