IP: SSL Certificate "Monopoly" Bears Financial Fruit
Greg Broiles
gbroiles at parrhesia.com
Wed Jul 17 15:29:09 EDT 2002
At 09:53 AM 7/11/2002 +0200, Stefan Kelm wrote:
> > See <http://www.securityspace.com/s_survey/sdata/200206/certca.html> for
> > recent data re SSL certificate market share; Geotrust, at
>
> I sincerely doubt the numbers presented in this so-called
> "survey". How did they get to a number of only 91,136
> secure servers "across all domains"? There are a huge number
> of CAs, many of which offer certificates to the public
> (see http://www.pki-page.info/#CA). Even if most CAs will
> not have a significant market share those numbers would be
> different.
For another data point, see this Netcraft survey circa January 2001 -
<http://www.netcraft.com/surveys/analysis/https/2001/Jan/CMatch/certs.html>
.. it shows approx. 108,000 secure servers (they don't total it, and I didn't
bother adding up all the CAs with 10 certs in use.)
Security Space's numbers for the same timeframe show that they found 58,117
servers - <http://www.securityspace.com/s_survey/sdata/200012/certca.html>.
I don't know if the difference means that, between Jan 2001 and Jun 2002,
Security Space has discovered the other 40,000 secure servers in use; or
if they always see a fraction of what Netcraft does. (Netcraft's current data
is available for a yearly subscription at 1200 UKP.)
What I find especially telling in the recent Security Space results is the
breakdown by "validity" -
Valid: 17833
Self-signed: 5275
Unknown signer: 13348
Cert-host mismatch: 32536
Expired: 35071
.. so, less than 20% of the certificates that they find on SSL servers in
use on the open Internet are functioning correctly as part of a PKI; even
if we assume that every one of the self-signed and unknown-signer cert
servers is participating in an undocumented or private PKI such that its
details are unavailable to surveys like this one, that's still only 40% of
the visible SSL servers. The remaining 60% are apparently misconfigured or
forgotten.
--
Greg Broiles -- gbroiles at parrhesia.com -- PGP 0x26E4488c or 0x94245961
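To make the survey's five validity buckets concrete, here is an added example (not code from the post or from Security Space) that classifies constructed certificate records the way such a survey would: self-signed, unknown signer, expired, cert-host mismatch, or valid. The bucket precedence for certificates with more than one fault, the trust store, and every hostname and date are assumptions for illustration.

```python
from datetime import datetime, timezone

# Assumed trust store for this example; a real survey would use a browser root bundle.
TRUSTED_ROOTS = {"Example Root CA"}

def hostname_matches(name, host):
    """RFC 6125-style match: exact, or one wildcard covering a single leftmost label."""
    name, host = name.lower(), host.lower()
    if not name.startswith("*."):
        return name == host
    suffix = name[1:]                      # "*.example.com" -> ".example.com"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return label != "" and "." not in label

def classify(cert, host, now):
    """Bucket one served certificate; the order of checks is our assumption, not the survey's."""
    if cert["subject"] == cert["issuer"]:
        return "self-signed"
    if cert["issuer"] not in TRUSTED_ROOTS:
        return "unknown signer"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "expired"
    if not any(hostname_matches(n, host) for n in cert["names"]):
        return "cert-host mismatch"
    return "valid"

def tally(observations, now):
    """Count buckets over (certificate, hostname) pairs; returns {bucket: (count, percent)}."""
    counts = {}
    for cert, host in observations:
        bucket = classify(cert, host, now)
        counts[bucket] = counts.get(bucket, 0) + 1
    total = sum(counts.values())
    return {k: (v, round(100.0 * v / total, 1)) for k, v in counts.items()}

def mkcert(subject, issuer, names, not_before, not_after):
    return {"subject": subject, "issuer": issuer, "names": names,
            "not_before": not_before, "not_after": not_after}

D = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
NOW = D(2002, 7, 17)
# Constructed sample observations (not survey data): the served cert and the hostname connected to.
OBSERVATIONS = [
    (mkcert("shop.example.com", "Example Root CA", ["shop.example.com"], D(2002, 1, 1), D(2003, 1, 1)), "shop.example.com"),
    (mkcert("intranet.example.net", "intranet.example.net", ["intranet.example.net"], D(2002, 1, 1), D(2003, 1, 1)), "intranet.example.net"),
    (mkcert("mail.example.net", "Private Corp CA", ["mail.example.net"], D(2002, 1, 1), D(2003, 1, 1)), "mail.example.net"),
    (mkcert("www.example.org", "Example Root CA", ["www.example.org"], D(2002, 1, 1), D(2003, 1, 1)), "example.org"),
    (mkcert("old.example.com", "Example Root CA", ["old.example.com"], D(2000, 6, 1), D(2001, 6, 1)), "old.example.com"),
    (mkcert("*.example.com", "Example Root CA", ["*.example.com"], D(2002, 1, 1), D(2003, 1, 1)), "api.example.com"),
    (mkcert("*.example.com", "Example Root CA", ["*.example.com"], D(2002, 1, 1), D(2003, 1, 1)), "deep.api.example.com"),
]
```

Note that a wildcard name covers only one label, so `deep.api.example.com` lands in the mismatch bucket even though the certificate is otherwise trusted and current.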
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com