Re: [TLS] Eleven out of every ten SSL certs aren't valid

Ivan Ristic <ivan.ristic@gmail.com> Wed, 30 June 2010 06:04 UTC

On Wed, Jun 30, 2010 at 1:01 AM, Bruno Harbulot
<Bruno.Harbulot@manchester.ac.uk> wrote:
> Hi,
>
> On 29/06/2010 22:15, Ivan Ristic wrote:
>>
>> On Tue, Jun 29, 2010 at 10:10 PM, Tim Dierks <tim@dierks.org> wrote:
>>>
>>> On Tue, Jun 29, 2010 at 4:46 PM, Nicolas Williams
>>> <Nicolas.Williams@oracle.com> wrote:
>>>>
>>>> The context was just how awful it is that 97% of servers don't have
>>>> valid certs
>>>
>>> That is not what is being said. What is being said is that 97% of DNS
>>> names that point at SSL servers do not validate with those DNS names.
>>> This is, on its face, a statement about DNS configuration, not about
>>> SSL servers. (Creating a thousand DNS names for the IP address of a
>>> single SSL server will change this stat, although the owner and
>>> operator of the SSL server need not be involved in any way.)
>
> Not even that, it's a flaw in the assumption that for each DNS name there
> will be an HTTPS server listening there. That's definitely not true.

It's the assumption accusation again. It is not an assumption. It is a
test to see how many domain names have port 443/SSL/valid certificate
configured. Although you claim otherwise, there are many domain names
that respond with SSL on port 443 and have invalid certificates. Now,
we can argue what that means, and, granted, it does not mean much.
What is meaningful is that there is an X number of domain names that
_does_ have SSL configured properly.


> However, I think there are two major problems with the study:
>  - the fact it seems to propagate the myth that a cert from a big CA is
> necessarily a "safe" cert and vice versa.

I don't like the many CAs as much as the next guy, but for the
"normal" person on the Internet today, that's the only thing to rely
on. It may be flawed, but it's less flawed than self-signed
certificates (which a normal person has a 0% chance of understanding).

> We tend to rely on the UK e-Science CA [1] for a number of machines. Some of
> my machines with UK e-Science certs score like this:
>  - Certificate: 0 (unknown CA)
>  - Protocol Support: 85
>  - Key Exchange: 90
>  - Cipher Suites: 90
>
> That would get a "green A" if the CA was recognised. Unfortunately, it's not
> known by the tool, so it's disqualified. That's a bit harsh, isn't it?

It may be, but I get a certificate warning when I go to
https://www.ngs.ac.uk/. It's the same thing.

The tool is designed from the perspective of an average Firefox user.
It's an SSL client implementation, just like any other browser/client.

I'd love to support multiple trust bases (as well as custom trust
stores), but the maintenance of multiple trust stores is too much work
for me to handle right now.

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
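
The distinction argued in this thread (no SSL, name mismatch, unknown CA, valid, counted per DNS name and judged against one trust store), as an added example that is not part of the original message or of the SSL Labs tool. All records, CA labels and function names are constructed for illustration.

```python
from collections import Counter

def name_matches(hostname, pattern):
    """Compare a DNS name with one certificate name; '*' may only be the whole leftmost label."""
    host, pat = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    # "*.cdn.shop.test" covers exactly one extra label, never the bare domain.
    head, _, tail = host.partition(".")
    return bool(head) and tail == pat[2:]

def classify(hostname, probe, trust_store):
    """probe is None when nothing answered with SSL on port 443 for this name."""
    if probe is None:
        return "no-ssl"
    if not any(name_matches(hostname, n) for n in probe["names"]):
        return "name-mismatch"
    if probe["issuer"] not in trust_store:
        return "unknown-ca"
    return "valid"

def survey(dns_names, probes, trust_store):
    """Tally outcomes per DNS name, the unit the thread argues about."""
    return Counter(classify(n, probes.get(n), trust_store) for n in dns_names)

# Constructed sample data (not survey results): one shop server reached under
# several names, one host with a certificate from a CA browsers do not ship.
SHOP = {"names": ["www.shop.test", "*.cdn.shop.test"], "issuer": "Browser CA (constructed)"}
GRID = {"names": ["grid.uni.test"], "issuer": "Research CA (constructed)"}
PROBES = {"www.shop.test": SHOP, "shop.test": SHOP, "a.cdn.shop.test": SHOP,
          "alias1.test": SHOP, "alias2.test": SHOP, "grid.uni.test": GRID}
NAMES = list(PROBES) + ["plain.test"]          # plain.test: no SSL on 443
BROWSER_STORE = {"Browser CA (constructed)"}
CUSTOM_STORE = BROWSER_STORE | {"Research CA (constructed)"}

if __name__ == "__main__":
    for label, store in (("browser store", BROWSER_STORE), ("custom store", CUSTOM_STORE)):
        print(label, dict(survey(NAMES, PROBES, store)))
    # Two more aliases for the same server shift the per-name share of mismatches.
    more = dict(PROBES, **{"alias3.test": SHOP, "alias4.test": SHOP})
    print("with extra aliases", dict(survey(list(more) + ["plain.test"], more, BROWSER_STORE)))
```

The same server appears once as valid and several times as a mismatch depending only on which names point at it, and the research-CA host moves from unknown-ca to valid only when the trust store changes.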