Re: [TLS] Eleven out of every ten SSL certs aren't valid

Nicolas Williams <Nicolas.Williams@oracle.com> Wed, 30 June 2010 22:50 UTC

Date: Wed, 30 Jun 2010 17:51:10 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Seth David Schoen <schoen@eff.org>
Message-ID: <20100630225110.GD14528@oracle.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com> <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com> <20100629193416.GU11785@oracle.com> <AANLkTilF3TZn4DcjTmoKrv3Zcp441oyvWp-E9aJmH5hF@mail.gmail.com> <20100629204614.GX11785@oracle.com> <AANLkTinByiAIx1Pg4khiXLPb9KMexp2UUoZB7ikLzd6f@mail.gmail.com> <20100629212411.GZ11785@oracle.com> <20100630224031.GB543@sescenties>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20100630224031.GB543@sescenties>
User-Agent: Mutt/1.5.20 (2010-03-02)
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid

On Wed, Jun 30, 2010 at 03:40:31PM -0700, Seth David Schoen wrote:
> Nicolas Williams writes:
> > In particular it's important to distinguish sites that serve HTTPS just
> > because from sites that serve HTTPS because they really ought to, and
> > from sites that serve HTTPS as part of being attack sites.
> 
> In an earlier message in this thread you suggested that "sites that
> ought to be using HTTPS with valid certs" were "banks, payment sites,
> shopping sites that accept credit cards, etcetera".
> 
> I think one of the most positive developments of the past two years
> has been the increased recognition that financial information is
> not the only information that is private or sensitive, and hence not
> the only information that should be protected with HTTPS.  Thus we
> have HTTPS available for webmail, search engines, social networking,
> an encyclopedia, blogging and microblogging platforms, government
> agencies, newspapers, and direct-to-consumer DNA testing services.

Quite true.  All services where user accounts are valuable should be
protected.  That might still be a tiny fraction of the number of hosts
reachable via the Internet and that serve HTTPS :(

> Many Internet users regularly give their credit cards (complete with
> CVV2!) to strangers in stores and restaurants, maybe a half-dozen
> times a day, but would never want the people they encounter in their
> daily lives to know what they search for on Google or Wikipedia.  We
> can make a lot of progress for privacy and information security by
> further breaking the reflexive association between HTTPS and credit
> card numbers and the stereotype that there's only one kind of web
> site for which HTTPS is appropriate.

I'd be ecstatic if we knew that at least retail and banking were secure
enough.  That's where I'd start, but maybe I'm misguided.  I imagine
that for many people (e.g., teenagers, who usually have little in the
way of financial resources, but much in the way of free time) starting
with social media is probably more important.