Re: [TLS] Eleven out of every ten SSL certs aren't valid

[Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>]

Hi,

On 30/06/2010 07:05, Ivan Ristic wrote:

>>
>> Not even that, it's a flaw in the assumption that for each DNS name
>> there will be an HTTPS server listing there. That's definitely not
>> true.
>
> It's the assumption accusation again. It is not an assumption. It is
> test to see how many domain names have port 443/SSL/valid
> certificate configured. Although you claim otherwise, there are many
> domain names who respond with SSL on port 443 and have invalid
> certificates. Now, we can argue what that means, and, granted, it
> does not mean much. What is meaningful, is that there is an X number
> of domain names that _does_ have SSL configured properly.

Sure, but that's exactly the problem, the assumption that they should
have a valid cert there. It's more than that, it the assumption that
there would be a web server at all behind a domain name (admittedly,
that's very likely to be the case but the internet and the web are not
quite the same thing.)

You seem to have missed a fundamental point of the architecture of the
WWW: the fact that you're meant to navigate it through linking, not by 
guessing from a domain name.

Of course, guessing the website from the domain name is likely to give 
some good results. There are a few assumptions on the way there.


You're making the assumption that for "example.com" there will be a
"http://www.example.com/". It's a good assumption, but it's still an
assumption. Who said there should be an HTTP server listing? Next
assumption is that there will be a 'www' prefix.

The PDF <https://www.ssllabs.com/projects/rating-guide/index.html> says:
> Make sure the certificate is valid for all the domain names that will
> be required. For example, make sure the certificate works for
> www.example.com as well as example.com (without the www part).

Why should there be a server at both 'http://www.example.com/' and 
'http://example.com/'? (Some browsers auto complete the www prefix, but 
that's no more than common practice, it's by no means any sort of 
requirement.)

You seem to merge the concept of domain name and host name, they're
not quite the same thing, especially with 'www'.

What your studies shows is that the next step up in guessing what to
contact based on a domain name (from http:// to https://) is less likely 
to be a correct guess. Fair enough, I suppose, but these are still 
assumptions (with respect to host name and PKI).


The main problem with this study is that it makes assumptions about the 
architecture of the WWW that are not true. There is a reason why links 
use URIs with a scheme and not just a domain name.


>> However, I think there are two major problems with the study: - the
>> fact it seems to propagate the myth that a cert from a big CA is
>> necessarily a "safe" cert and vice versa.
>
> I don't like the many CAs as much as the next guy, but for the
> "normal" person on the Internet today, that's the only thing to rely
> on. It may be flawed, but it's less flawed than self-signed
> certificates (which a normal person has a 0% chance of
> understanding).

Sure, it's not an ideal situation, but it has the advantage that it 
offers a reasonable trade-off between the technical aspect and the 
user-interface aspect of security. (I'm still not fully convinced of the 
benefits of EV, though.)


>> We tend to rely on the UK e-Science CA [1] for a number of
>> machines. Some of my machines with UK e-Science certs score like
>> this: - Certificate: 0 (unknown CA) - Protocol Support: 85 - Key
>> Exchange: 90 - Cipher Suites: 90
>>
>> That would get a "green A" if the CA was recognised. Unfortunately,
>> it's not known by the tool, so it's disqualified. That's a bit
>> harsh, isn't it?
>
> It may be, but I get a certificate warning when I go to
> https://www.ngs.ac.uk/. It's the same thing.

It doesn't work for me either (probably some other reason than the 
certificate), but that's the point I'm saying above: I never said there 
should be something at <https://www.ngs.ac.uk/> and no one ever said 
that to me either.



Best wishes,

Bruno.