Re: [TLS] Eleven out of every ten SSL certs aren't valid

Ivan Ristic <ivan.ristic@gmail.com> Wed, 30 June 2010 05:47 UTC

In-Reply-To: <4C2A71CE.7000604@extendedsubset.com>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com> <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com> <4C2A45C9.3010608@extendedsubset.com> <AANLkTinHVJGrnBl93qCfrrbHGlTP_yEMX8PMRduSIKgd@mail.gmail.com> <4C2A6841.7080607@extendedsubset.com> <AANLkTinQDI1iNMTSnOqCuzchiFzIcwzjV9kYgrRkx7IT@mail.gmail.com> <4C2A71CE.7000604@extendedsubset.com>
Date: Wed, 30 Jun 2010 06:47:33 +0100
Message-ID: <AANLkTikeHcWjpob6RRlV6OMwMzZ0D5VpFj_ZzbYH7bun@mail.gmail.com>
From: Ivan Ristic <ivan.ristic@gmail.com>
To: Marsh Ray <marsh@extendedsubset.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid

On Tue, Jun 29, 2010 at 11:21 PM, Marsh Ray <marsh@extendedsubset.com> wrote:
> On 06/29/2010 04:44 PM, Ivan Ristic wrote:
>>
>> On Tue, Jun 29, 2010 at 10:40 PM, Marsh Ray<marsh@extendedsubset.com>
>> wrote:
>>>
>>> ...
>>>
>>> I liked the suggestion about looking for https: links on the net.
>>> Scores could even be weighted by incoming links, à la pagerank. If
>>> a dns name really has zero links to it, it's questionable whether
>>> or not it's really relevant as a part of the web.
>>
>> Isn't that exactly what we'd be getting from looking at the most
>> popular 1 million domain names?
>
> Perhaps, but I would want a precise definition of "most popular" before
> agreeing to the "exactly". :-)

My understanding is that Alexa (http://www.alexa.com) uses the toolbar
to record where people go on the Internet. They then use that data to
maintain the list of most popular web sites.

In the light of yesterday's bashing on the metrics, I am starting to
like Alexa's list more and more, because it's not only much easier to
monitor (1M sites and about 110K certificates with matching names),
but makes more sense.


> From TFA:
>>
>> "Only about 3.17 percent of the domain names matched," Ristic said.
>> "So we have about 22 million SSL servers with certificates that are
>> completely invalid because they do not match the domain name on which
>> they reside."
>
> This is where I think there's some room for legitimate discussion about the
> numbers as presented.
>
> Is it correct to count a server reached from a misdirected DNS entry as
> "completely invalid" SSL?

The way I see it, it's a fact. There is no way for someone to know if
a domain name wants SSL. (It's a separate topic, but I think there
should be. Just as there should be a way for a domain name to say it
wants _only_ SSL.)

I make no claim that all those domain names "intended" to run SSL,
but in fact they do. People focus on the negatives, because they make
nice headlines, but I want to know how many domain names _do_ run SSL
properly.


> According to the RFCs as I understand them, we can only say (an otherwise
> well-formed) cert is invalid in the context of a protocol, a requested
> identity, a set of trusted root certs, a time of validation, etc. We all
> know there's a good deal of variation in clients' trusted roots. Revocation
> data could be another interesting contextual variable.
>
> - Marsh

-- 
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
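A small worked illustration of the point Marsh raises above, that a well-formed certificate is only "valid" relative to a requested identity, a trust store and a validation time, so the same certificate counts as a name mismatch when reached through a misdirected DNS name. This is an added example, not code from the thread or from SSL Labs; the certificate fields, host names and trust store are constructed.

```python
from datetime import datetime, timezone

NOW = datetime(2010, 6, 30, tzinfo=timezone.utc)  # constructed: date of the thread

def name_matches(pattern, host):
    """RFC 6125-style DNS-ID match: one leading wildcard label only, never across dots."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False  # wildcard must not absorb extra labels or match a bare TLD
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""

def classify(cert, requested_host, trusted_roots, now=NOW):
    """Verdict for one (certificate, requested name, trust store, time) tuple."""
    if cert["issuer_root"] not in trusted_roots:
        return "untrusted-root"
    if now < cert["not_before"]:
        return "not-yet-valid"
    if now > cert["not_after"]:
        return "expired"
    names = cert.get("san_dns") or [cert["cn"]]  # SAN dNSNames take precedence over CN
    if not any(name_matches(n, requested_host) for n in names):
        return "name-mismatch"
    return "valid"

# Constructed sample: one certificate issued for www.example.com, reached under
# several DNS names, including one that merely points at the same server.
SAMPLE_CERT = {
    "cn": "www.example.com",
    "san_dns": ["www.example.com", "example.com"],
    "issuer_root": "Example Root CA",
    "not_before": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2011, 1, 1, tzinfo=timezone.utc),
}
TRUSTED = {"Example Root CA"}
HOSTS = ["www.example.com", "example.com", "mail.example.com"]

def survey(cert, hosts, trusted_roots, now=NOW):
    """Count verdicts per requested name; the 'valid' share moves with the context."""
    counts = {}
    for h in hosts:
        verdict = classify(cert, h, trusted_roots, now)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    print(survey(SAMPLE_CERT, HOSTS, TRUSTED))
```

Swapping the trust store or the validation time changes every verdict for the same certificate, which is the contextual variation the reply describes.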