Re: [TLS] Eleven out of every ten SSL certs aren't valid

Nikos Mavrogiannopoulos <nmav@gnutls.org> Tue, 29 June 2010 16:20 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=m2/2BRBiwyFi1bXAqcQM+GY4Yt2rQJOETfnoyPX30QsRUmt2m/PLYel6u1swJ1lUm+ 7Es9hZgCCQdQuBmyNK72kv41/I/3Xkk6d5Uz5rld+5fhZ5YHbnlM7d3pmm3xar7oWwty q2iMk0giDwC/9X7FrCRRdtd0PJXgrEzla7Ly4=
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4C2A1D56.1060704@gnutls.org>
Date: Tue, 29 Jun 2010 18:20:38 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Ivan Ristic <ivan.ristic@gmail.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <201006291350.o5TDoMoO018788@fs4113.wdf.sap.corp> <AANLkTinWDU7RKXRU1drErtWZSdOyGwSymOBdwXSnYMEB@mail.gmail.com> <7C6BDB4BD9974646856544650C016B82139E7C@XCH117CNC.rim.net> <AANLkTilFGxsxGs9DD737SvlAL-2x1SLp0iaP2wq0u80p@mail.gmail.com>
In-Reply-To: <AANLkTilFGxsxGs9DD737SvlAL-2x1SLp0iaP2wq0u80p@mail.gmail.com>
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
Precedence: list

Ivan Ristic wrote:
> On Tue, Jun 29, 2010 at 4:03 PM, Rob P Williams <rwilliams@certicom.com> wrote:
>> ...
>>
>> What steps are being taken to verify that 'valid' ssl is even intended?
> 
> I have collected about 720K certificates that match the domain names
> from which they were served. I think it's fair to say those are the
> cases where SSL was intended.

Out of curiosity, how do you define matching. Do you use the CN only or
 subject alternative names as well?

Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
[TLS] Eleven out of every ten SSL certs aren't va… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Adam Langley
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Joshua Davies
Re: [TLS] Eleven out of every ten SSL certs aren'… Yoav Nir
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Nikos Mavrogiannopoulos
Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Daskaluk
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Jeffrey A. Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Frantz
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Florian Weimer
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Steffen Schulz
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Seth David Schoen
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… =JeffH
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
[TLS] TLS, PKI, and web security. Was: Eleven out… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Robert Relyea
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Bruno Harbulot
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Robert Relyea
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Yoav Nir
Re: [TLS] TLS, PKI, Yoav Nir
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, Robert Relyea
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Steingruebl, Andy
Re: [TLS] TLS, PKI, Kyle Hamilton
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Ralph Holz
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Yoav Nir
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Nasko Oskov
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Kyle Hamilton