IETF Logo Mail Archive

Re: [TLS] Eleven out of every ten SSL certs aren't valid

Ivan Ristic <ivan.ristic@gmail.com> Tue, 29 June 2010 20:28 UTC

Return-Path: <ivan.ristic@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CC4443A695A for <tls@core3.amsl.com>; Tue, 29 Jun 2010 13:28:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.216
X-Spam-Level:
X-Spam-Status: No, score=-2.216 tagged_above=-999 required=5 tests=[AWL=0.383, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GwWd-uKnEgfw for <tls@core3.amsl.com>; Tue, 29 Jun 2010 13:28:57 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 62C893A67E7 for <tls@ietf.org>; Tue, 29 Jun 2010 13:28:57 -0700 (PDT)
Received: by fxm1 with SMTP id 1so20545fxm.31 for <tls@ietf.org>; Tue, 29 Jun 2010 13:29:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=gPV6eYp7iqP7ufkjbiw/69377uFt6oE41CUq2EpohVI=; b=ELxht8cNB+/lssiETXuKm4zOGO1+qSrboczfG52zeEat9bw35SpgI88C9Oi0pH8ViE TyLJEPgvCyuKAW4WhFL4zSDcnuCGarxmay9cK7GOLqiO5qfoVGy6bHgJox5cO1XdhidW n35/QpjB46NkuA6FJidfW8tW1zgh5vX2IS+ZM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=A0QZfjH8IRpyP+wd7EUZP03RHZOz70UoxNlSLHLATc2BADa8Yj0JQJdsnfOgNhGdib pzOZH7QNqbtRWRSlmF/pRVTeV4TX6PZ5Z+67E/3YOPd3NkV8RLAJRHeg0aXApBpJ3qb5 1ZCa5/SSydYo0RwfJ3F2y+HBkv+hk1pBXo4GI=
MIME-Version: 1.0
Received: by 10.239.186.11 with SMTP id e11mr452833hbh.20.1277843341900; Tue, 29 Jun 2010 13:29:01 -0700 (PDT)
Received: by 10.239.164.79 with HTTP; Tue, 29 Jun 2010 13:29:01 -0700 (PDT)
In-Reply-To: <20100629193416.GU11785@oracle.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com> <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com> <20100629193416.GU11785@oracle.com>
Date: Tue, 29 Jun 2010 21:29:01 +0100
Message-ID: <AANLkTilF3TZn4DcjTmoKrv3Zcp441oyvWp-E9aJmH5hF@mail.gmail.com>
From: Ivan Ristic <ivan.ristic@gmail.com>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2010 20:28:59 -0000

On Tue, Jun 29, 2010 at 8:34 PM, Nicolas Williams
<Nicolas.Williams@oracle.com> wrote:
> On Tue, Jun 29, 2010 at 07:29:45PM +0100, Ivan Ristic wrote:
>> On Tue, Jun 29, 2010 at 5:33 PM, Nicolas Williams
>> > The subject line is very funny, but, seriously, this doesn't bother me
>> > in the least.  Why?  Because anyone can put up a site with an invalid,
>> > self-signed, or might-as-well-be-self-signed-because-no-one-uses-its-
>> > root-CA cert.  Therefore the number of sites with such certs is utterly
>> > and completely _meaningless_ [m _e _a _n _i _n _g _l _e _s _s _].
>>
>> The problem with that view is that, while the users are experiencing
>> all those sites with invalid certificates they are getting used to the
>> idea that nothing bad comes from browser warnings. Then, one day, when
>> they're accessing their bank's web site from an insecure network, they
>> ignore the one warning they shouldn't and get owned by the MITM guy.
>
> You seem to be confused as to what I actually wrote.

No, not at all. I was responding to this sentence in particular:

"What matters is that the sites that ought to be using HTTPS with
valid certs are"


> There is no such "problem with [my] view" because you cannot stop people
> from deploying servers with bad certs.  It's a _fact of life_.

The fact that we cannot stop bad certs is not relevant. Such sites are
still reducing the effectiveness of SSL, even for the "sites that
ought to be using HTTPS". And that was my point.


> Now, what our client applications do about such servers _is_ a problem.
> If that was your point, well, we agree, and there's no need to put words
> in my mouth.  If you want to discuss how to improve the clients (e.g.,
> make it so there is no warning dialog, make it so you cannot connect to
> sites with bad certs period).

I would like to see that very much (and have proposed it in the past).
Unfortunately, browser vendors will never do that for the fear of
losing customers.


> Nico
> --
>

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]

v2.23.0 | Report a Bug | By Email