Re: [TLS] Eleven out of every ten SSL certs aren't valid

Rob P Williams <rwilliams@certicom.com> Tue, 29 June 2010 16:18 UTC

From: Rob P Williams <rwilliams@certicom.com>
To: Ivan Ristic <ivan.ristic@gmail.com>
Date: Tue, 29 Jun 2010 12:18:09 -0400
Thread-Topic: [TLS] Eleven out of every ten SSL certs aren't valid
Message-ID: <7C6BDB4BD9974646856544650C016B82139EF5@XCH117CNC.rim.net>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <201006291350.o5TDoMoO018788@fs4113.wdf.sap.corp> <AANLkTinWDU7RKXRU1drErtWZSdOyGwSymOBdwXSnYMEB@mail.gmail.com> <7C6BDB4BD9974646856544650C016B82139E7C@XCH117CNC.rim.net> <AANLkTilFGxsxGs9DD737SvlAL-2x1SLp0iaP2wq0u80p@mail.gmail.com>
In-Reply-To: <AANLkTilFGxsxGs9DD737SvlAL-2x1SLp0iaP2wq0u80p@mail.gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid

Hi Ivan,

Good luck with your research.

Security needs continuous audits. Thank you for your efforts.


--
rob | Team Lead, Certicom Java Toolkits
Certicom Corp. | A subsidiary of Research In Motion Limited

rwilliams@certicom.com
www.certicom.com




-----Original Message-----
From: Ivan Ristic [mailto:ivan.ristic@gmail.com] 
Sent: Tuesday, June 29, 2010 11:39 AM
To: Rob P Williams
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid

On Tue, Jun 29, 2010 at 4:03 PM, Rob P Williams <rwilliams@certicom.com> wrote:
>
> ...
>
> What steps are being taken to verify that 'valid' SSL is even intended?

I have collected about 720K certificates that match the domain names
from which they were served. I think it's fair to say those are the
cases where SSL was intended.

Obtaining those certificates was the goal of the first phase of my
survey. All these other numbers are just a byproduct of that.


> These sound like numbers intended to scare people. If you are going to publish without the first paragraph mentioning that "100% of modern browsers will alert a user to configuration issues that are detected herein" - then... what's your point?

The numbers are real, and if they scare some people so be it. My point
is to look at how SSL is used in the real world and report it. I am in the
middle of my research and I don't know yet what I will find, but for
me the value is in knowing, irrespective of the results.

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
