Re: [TLS] Eleven out of every ten SSL certs aren't valid

[Ivan Ristic <ivan.ristic@gmail.com>]

On Tue, Jun 29, 2010 at 3:36 PM, Tim Dierks <tim@dierks.org> wrote:
> On Tue, Jun 29, 2010 at 10:15 AM, Ivan Ristic <ivan.ristic@gmail.com> wrote:
>>
>> If you're referring to my work, I didn't make any assumptions. I
>> merely reported the findings, which are that  about 3.17% of domain
>> names that respond with SSL on port 443 have a potentially valid
>> certificate.
>
> In my opinion, this is a pretty meaningless statistic. There's no warranty
> that just because a domain name maps to an IP address and that IP address
> has an SSL server that the SSL server will respond with a certificate that
> matches the domain name in question. If I go and register a thousand domain
> names and give each one a CNAME that points to www.modsecurity.org, and you
> go and find it serves SSL on 443, but doesn't present the certificates for
> my domains, so this percentage goes down, what does that mean? Nothing at
> all.

Certainly, the measurement is imperfect. I find it useful, even if you don't.


> If you had a statistic about what fraction of https:// links on the Internet
> point to misconfigured servers, that would be more interesting.

I am pursuing that option as a separate effort. It involves convincing
other organizations to share their data and I am not sure how that
will go.

In the meantime, I think looking at the Alexa's top 1M domain names is
the next best thing.

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]