Re: [TLS] Eleven out of every ten SSL certs aren't valid

Ivan Ristic <ivan.ristic@gmail.com> Tue, 29 June 2010 13:32 UTC

From: Ivan Ristic <ivan.ristic@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: tls@ietf.org
Date: Tue, 29 Jun 2010 14:31:36 +0100
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
In-Reply-To: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

The numbers in the article come from the preview of my research, which
I presented in a webcast last Thursday. Here's the summary of the
presentation:

1. I started with 119M domain names (out of 193M registered
worldwide). The 119M include all .com, .org, .net, .info, .biz, and
.us domain names.
2. 92M domains are active on port 80 or port 443.
3. 33M domains have port 443 open.
4. 22.65M domain names run SSL on port 443.
5. On 0.72M domain names, the certificate matches the domain name.

I am now focusing on the 720K certificates that are potentially valid.

Once I find out exactly how many of those certificates are valid, I
will make two claims:

- X% of web servers properly run SSL (where X will be < 3%)
- Y% of certificates are valid (where Y will be significantly higher than 3%)

I should be able to post my presentation online tomorrow, after which
I will follow up here.

BTW, my assessment methodology is available on
https://www.ssllabs.com, along with an online assessment tool (that
works with a single hostname). There's additional material on the SSL
Labs mailing list. I will publish the complete report in about a
month.

I welcome all feedback, as well as deeper involvement if you're
interested in the topic.

Cheers,
Ivan

On Tue, Jun 29, 2010 at 8:50 AM, Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:
> In case someone here still hasn't seen this, the subject is a reference to:
>
>  SSL Certificates In Use Today Aren't All Valid
>  http://www.esecurityplanet.com/features/article.php/3890171/SSL-Certificates-In-Use-Today-Arent-All-Valid.htm
>
> which posits that only 3% of SSL certs in use today are valid.  The figures
> seem a bit suspicious though, for example they claim 23 million SSL sites
> while the same article quotes Netcraft as claiming there are 1.5 million SSL
> certs in use (the Netcraft figures may be for CA-issued certs only, since they
> quote Verisign as a percentage of that total).  Still, 3% seems pretty low,
> could this be due to something like virtual hosting and the client not sending
> the hostname, thereby getting the wrong cert?  Even with that though, I
> wouldn't have expected a 97% invalidity rate.
>
> Peter.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
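The step in the summary above that separates "runs SSL on port 443" from "certificate matches the domain name", together with Peter's point about virtual hosting and clients that do not send the hostname, can be shown in code. The block below is an added example and is not SSL Labs' methodology or anything posted in this thread: it implements an RFC 6125-style name comparison (wildcard only as the whole leftmost label, matching exactly one label; dNSName SANs take precedence over the CN), buckets a constructed sample of probe results into the same categories as the summary, and includes a live probe helper that can be run with SNI on or off. Assumptions not in the original: that a certificate for `www.<domain>` counts as matching the registered domain, the constructed `SAMPLE` records, and the third-party `cryptography` package for the optional live probe.

```python
import socket
import ssl
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name against a hostname, RFC 6125 style.

    A wildcard is honoured only as the entire leftmost label, must leave at
    least two further labels (so '*.com' never matches anything) and matches
    exactly one label: '*.example.com' covers 'a.example.com' but neither
    'a.b.example.com' nor the bare 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names: Iterable[str],
                     common_name: Optional[str] = None) -> bool:
    """True if the certificate's names cover hostname.

    dNSName SANs are authoritative; the subject CN is consulted only when the
    certificate carries no DNS SANs at all (legacy CN-only certificates).
    """
    names = list(san_dns_names) or ([common_name] if common_name else [])
    return any(_name_matches(n, hostname) for n in names)


@dataclass
class Probe:
    """One scanned domain: what the scanner saw on port 443 (constructed data)."""
    domain: str
    port_443_open: bool
    speaks_tls: bool
    san_dns_names: Tuple[str, ...] = ()
    common_name: Optional[str] = None


def classify(probe: Probe) -> str:
    """Bucket a probe the way the survey summary does (assumption: the bare
    registered domain and its www. label both count as a match)."""
    if not probe.port_443_open:
        return "443 closed"
    if not probe.speaks_tls:
        return "443 open, not TLS"
    for candidate in (probe.domain, "www." + probe.domain):
        if hostname_matches(candidate, probe.san_dns_names, probe.common_name):
            return "TLS, name matches"
    return "TLS, name mismatch"


def survey(probes: Iterable[Probe]) -> Counter:
    """Count probes per bucket; the summary's steps 3-5 are these totals."""
    return Counter(classify(p) for p in probes)


# Constructed sample; the names are illustrative, not scan results.
SAMPLE = [
    Probe("example.com", True, True, ("example.com", "www.example.com")),
    Probe("shop.example", True, True, (), "*.hosting-provider.example"),  # default vhost cert
    Probe("wild.example", True, True, ("*.wild.example",)),               # covers www. only
    Probe("old.example", True, True, (), "old.example"),                  # CN-only legacy cert
    Probe("cdn.example", True, True, ("*.cdnhost.example",), "cdn.example"),  # SAN wins, CN ignored
    Probe("plain.example", True, False),
    Probe("closed.example", False, False),
]


def fetch_names(hostname: str, port: int = 443, use_sni: bool = True,
                timeout: float = 5.0) -> Tuple[Tuple[str, ...], Optional[str]]:
    """Live probe: return (dNSName SANs, CN) of the leaf certificate a server
    presents. Requires the 'cryptography' package (assumption); not used by the
    offline sample. use_sni=False imitates a client that omits the hostname,
    which on a shared IP yields the default virtual host's certificate."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we only collect names; no trust decision here
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname if use_sni else None) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    cn_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cn_attrs[0].value if cn_attrs else None
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        dns = tuple(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        dns = ()
    return dns, cn


if __name__ == "__main__":
    for bucket, count in sorted(survey(SAMPLE).items()):
        print(f"{count:3d}  {bucket}")
```

Running `fetch_names(host, use_sni=False)` and `fetch_names(host)` against the same host and feeding both results to `hostname_matches` is the direct test of Peter's hypothesis: a name that matches only with SNI was a virtual-hosting artefact of the scanner, not an invalid certificate. Note that a name match is necessary but not sufficient for "valid": chain, expiry and revocation are separate checks this block does not perform.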