Re: [TLS] Eleven out of every ten SSL certs aren't valid

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 30 June 2010 07:47 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nicolas.Williams@oracle.com, tim@dierks.org
In-Reply-To: <AANLkTinByiAIx1Pg4khiXLPb9KMexp2UUoZB7ikLzd6f@mail.gmail.com>
Message-Id: <E1OTs0r-0000wx-N4@wintermute02.cs.auckland.ac.nz>
Date: Wed, 30 Jun 2010 19:47:17 +1200
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
Precedence: list

Tim Dierks <tim@dierks.org> writes:

>What is being said is that 97% of DNS names that point at SSL servers do not
>validate with those DNS names. This is, on its face, is a statement about DNS
>configuration, not about SSL servers.

It really doesn't matter whose fault it is, what matters is how many users 
will see, and need to click away, cert warnings when they connect.  The user 
doesn't care less which obscure bit of geekery caused it, all they care about 
is that they're seeing yet another pointless dialog that they have to get rid 
of.

>To learn anything interesting about SSL servers at all, more work must be
>done.

What needs to be done is to define metrics for what's being analysed.  If you 
want a single figure then I'd use "Will a user connecting with IE6 / IE7 / 
Firefox / (and possibly Chrome) see a warning when they connect?" (to pick 
browsers with > 10% market share).  Why they see a warning is up to the geeks 
to figure out, the important metric in terms of security is what the users 
experience.

Peter.

Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
[TLS] Eleven out of every ten SSL certs aren't va… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Adam Langley
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Joshua Davies
Re: [TLS] Eleven out of every ten SSL certs aren'… Yoav Nir
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Nikos Mavrogiannopoulos
Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Daskaluk
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Jeffrey A. Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Frantz
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Florian Weimer
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Steffen Schulz
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Seth David Schoen
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… =JeffH
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
[TLS] TLS, PKI, and web security. Was: Eleven out… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Robert Relyea
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Bruno Harbulot
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Robert Relyea
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Yoav Nir
Re: [TLS] TLS, PKI, Yoav Nir
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, Robert Relyea
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Steingruebl, Andy
Re: [TLS] TLS, PKI, Kyle Hamilton
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Ralph Holz
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Yoav Nir
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Nasko Oskov
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Kyle Hamilton