IETF Logo Mail Archive

Re: [TLS] Eleven out of every ten SSL certs aren't valid

aerowolf@gmail.com Wed, 30 June 2010 21:33 UTC

Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EF09E3A696B for <tls@core3.amsl.com>; Wed, 30 Jun 2010 14:33:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.021
X-Spam-Level:
X-Spam-Status: No, score=0.021 tagged_above=-999 required=5 tests=[AWL=-0.992, BAYES_20=-0.74, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 65pn5wxCCWPP for <tls@core3.amsl.com>; Wed, 30 Jun 2010 14:33:53 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by core3.amsl.com (Postfix) with ESMTP id D07603A6873 for <tls@ietf.org>; Wed, 30 Jun 2010 14:33:52 -0700 (PDT)
Received: by pzk36 with SMTP id 36so269347pzk.31 for <tls@ietf.org>; Wed, 30 Jun 2010 14:34:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:cc:date:message-id :subject:mime-version:content-type; bh=WvO0WDUEMJqVquoadeuzWsJ9VDkM6no/kKMQ1tABY/M=; b=x7tXxccsOPWqies/kuMycye+Sc+4o1kWx53M+UG7srKjTTQGwwJZvUQp387cAB/UfG whN5ZSRe4/1f0/FktsfhmZuLoN6J8yn2QIDjLj7m0abOjzzpm00g9Pe6inkkI1AHh27K 1sq+1SUnN+FkoUW73GkPYQ08rcqFVFiXjUsIA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:cc:date:message-id:subject:mime-version:content-type; b=d7F9dVzcHXk8IxPakqUklxSoutr3MelNelXLeTghMEEUyvvu9i9la6fNnqdCzGssjK +musY3ldt98ygg6r8NrvB8PWsPYf/bpur6T/jjTmNYkAcu5rkkiyGycj48AP7QWPa3y0 BIh6616etfvJdxNzsImZflXoJ7ZllMWqNXiKk=
Received: by 10.114.45.1 with SMTP id s1mr10713642was.18.1277933641153; Wed, 30 Jun 2010 14:34:01 -0700 (PDT)
Received: from [127.0.0.1] (c-76-103-146-6.hsd1.ca.comcast.net [76.103.146.6]) by mx.google.com with ESMTPS id t25sm57817691wak.10.2010.06.30.14.33.59 (version=SSLv3 cipher=RC4-MD5); Wed, 30 Jun 2010 14:34:00 -0700 (PDT)
From: aerowolf@gmail.com
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Date: Wed, 30 Jun 2010 14:33:50 -0700
Message-ID: <gb2oorxycdn53kawezJYNxe982v3j_gmsm@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="gmsm0.4.7eqgb2ooyrp7a7cq0sak62"
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 21:33:54 -0000


On Tue, Jun 29, 2010 at 2:24 PM, Nicolas Williams <Nicolas.Williams@oracle.com> wrote:
> On Tue, Jun 29, 2010 at 05:10:30PM -0400, Tim Dierks wrote:
>> On Tue, Jun 29, 2010 at 4:46 PM, Nicolas Williams <
>> Nicolas.Williams@oracle.com> wrote:
>> > The context was just how awful it is that 97% of servers don't have
>> > valid certs
>>
>> That is not what is being said. What is being said is that 97% of DNS names
>> that point at SSL servers do not validate with those DNS names. This is, on
>> its face, is a statement about DNS configuration, not about SSL servers.
>
> Ah, pardon my evidently too-cursory read.  I'd like to see a breakdown
> by HTTP/1.0 versus HTTP/1.1 then (since the latter supports
> virtualization while the former does not).

If you'd care to look at the Apache documentation on vhosts, you'll see:

As mentioned earlier, there are some clients who do not send the required data for the name-based virtual hosts to work properly. These clients will always be sent the pages from the first virtual host listed for that IP address (the primary name-based virtual host).

How much older?
Please note that when we say older, we really do mean older. You are very unlikely to encounter one of these browsers in use today. All current versions of any browser send the Host header as required for name-based virtual hosts.

>> (Creating a thousand DNS names for the IP address of a single SSL server
>> will change this stat, although the owner and operator of the SSL server
>> need not be involved in any way.)
>
> Right.  One might want to consider only all the names for any one server
> that come from the same zone file as the server's addresses' canonical
> domainnames.

...er, that would also cause a problem.  The CNAME that my externally-hosted virtual machine's IP resolves to is not one of my domains, but all of my domains point to the same virtual machine's IP.

>> To learn anything interesting about SSL servers at all, more work must be
>> done.
>
> In particular it's important to distinguish sites that serve HTTPS just
> because from sites that serve HTTPS because they really ought to, and
> from sites that serve HTTPS as part of being attack sites.

I serve HTTPS and I do not serve HTTP.  If I get an HTTP request I only RewriteRule (.*) https://my.vhost.name/$1 [R=301].

> If it turns out that 97% of sites that accept credit card payments have
> invalid certs (in some way or another), then we'd definitely have a
> problem.  I suspect that's not the case though.

I expect that this is a major move of "sleight of hand" to distract us from a more serious threat: that many sites that accept credit card payments have domain-validated certificates, with no true ownership information.

-Kyle H

v2.23.0 | Report a Bug | By Email