IP: SSL Certificate "Monopoly" Bears Financial Fruit
R. Hirschfeld
ray at unipay.nl
Fri Jul 19 06:04:49 EDT 2002
> Date: Wed, 17 Jul 2002 12:29:09 -0700
> From: Greg Broiles <gbroiles at parrhesia.com>
> What I find especially telling in the recent Security Space results is the
> breakdown by "validity" -
>
> Valid: 17833
> Self-signed: 5275
> Unknown signer: 13348
> Cert-host mismatch: 32536
> Expired: 35071
>
> ... so, less than 20% of the certificates that they find on SSL servers in
> use on the open Internet are functioning correctly as part of a PKI; even
> if we assume that every one of the self-signed and unknown-signer cert
> servers is participating in undocumented or private PKIs such that their
> details are unavailable to surveys like this one, that's still only 40% of
> the visible SSL servers. The remaining 60% are apparently misconfigured or
> forgotten.
It could also be that a large chunk of the "Cert-host mismatch"
results are for alternate names of servers validly configured.
Also, it is not clear how multiple categories are counted, e.g., a
server with an expired cert from an unknown signer. Even if there is
no double counting, if servers are counted as "Unknown signer" or
"Expired" before "Cert-host mismatch", then multiple names for the
same host could also inflate the numbers for those categories.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
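The counting questions raised in this exchange (one cert landing in several of the survey's buckets, the precedence order deciding which bucket it is reported in, and the same server scanned under alternate names) can be made concrete with a small classifier. The following is an added example written for this page, not code from the Security Space survey or from either poster. The trust store, the certificate records and the scan list are constructed for illustration; real survey code would parse X.509 and use a browser or OS root bundle.

```python
"""Classify TLS server certs into the survey buckets: Valid, Self-signed,
Unknown signer, Cert-host mismatch, Expired. Shows how bucket precedence and
per-hostname counting change the totals. All data below is constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed trust store for this example (constructed, not a real root bundle).
TRUSTED_ISSUERS = frozenset({"Example Root CA"})

# Bucket order a survey might use; earlier entries win for a multi-problem cert.
SURVEY_ORDER = ("Self-signed", "Unknown signer", "Cert-host mismatch", "Expired")
# Alternative order that reports a name mismatch before anything else.
MISMATCH_FIRST = ("Cert-host mismatch", "Expired", "Unknown signer", "Self-signed")


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the X.509 fields a survey would extract."""
    subject_cn: str
    issuer: str
    not_after: datetime
    sans: tuple = ()


def name_matches(name: str, hostname: str) -> bool:
    """RFC 2818-style match: exact, or a single leftmost wildcard label."""
    name, hostname = name.lower(), hostname.lower()
    if name.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == name[2:]
    return name == hostname


def problems(cert: Cert, hostname: str, now: datetime) -> frozenset:
    """Every survey category that applies to cert as served on hostname."""
    found = set()
    if cert.issuer == cert.subject_cn:
        found.add("Self-signed")
    elif cert.issuer not in TRUSTED_ISSUERS:
        found.add("Unknown signer")
    if not any(name_matches(n, hostname) for n in (cert.subject_cn, *cert.sans)):
        found.add("Cert-host mismatch")
    if cert.not_after < now:
        found.add("Expired")
    return frozenset(found)


def first_of(found: frozenset, order) -> str:
    """Reduce a set of problems to one bucket using the survey's precedence."""
    for cat in order:
        if cat in found:
            return cat
    return "Valid"


def classify(cert: Cert, hostname: str, now: datetime, order=SURVEY_ORDER) -> str:
    return first_of(problems(cert, hostname, now), order)


def tally(scan, now, order=SURVEY_ORDER) -> Counter:
    """One bucket per (hostname, cert) observation: aliases count separately."""
    return Counter(classify(cert, host, now, order) for host, cert in scan)


def tally_all(scan, now) -> Counter:
    """Every applicable bucket per observation: what double counting looks like."""
    c = Counter()
    for host, cert in scan:
        c.update(problems(cert, host, now) or {"Valid"})
    return c


def tally_per_cert(scan, now, order=SURVEY_ORDER) -> Counter:
    """Collapse aliases: one observation per distinct cert, judged by the name
    under which it had the fewest problems (how a server operator sees it)."""
    best = {}
    for host, cert in scan:
        found = problems(cert, host, now)
        if cert not in best or len(found) < len(best[cert]):
            best[cert] = found
    return Counter(first_of(found, order) for found in best.values())


# Constructed scan data: a survey date and three certificates.
NOW = datetime(2002, 7, 19, tzinfo=timezone.utc)
GOOD = Cert("www.example.com", "Example Root CA", datetime(2003, 1, 1, tzinfo=timezone.utc))
STALE = Cert("shop.example.net", "Unknown Reseller CA", datetime(2001, 1, 1, tzinfo=timezone.utc))
SELF = Cert("mail.example.org", "mail.example.org", datetime(2003, 1, 1, tzinfo=timezone.utc))

SCAN = [
    ("www.example.com", GOOD),        # the name the cert was issued for
    ("example.com", GOOD),            # alias of the same server: mismatch to a survey
    ("192.0.2.10", GOOD),             # scanned by address: same effect
    ("shop.example.net", STALE),      # expired and unknown signer, name matches
    ("www.shop.example.net", STALE),  # expired, unknown signer and mismatch
    ("mail.example.org", SELF),       # self-signed, otherwise fine
]

if __name__ == "__main__":
    print("first bucket, survey order:  ", dict(tally(SCAN, NOW)))
    print("first bucket, mismatch first:", dict(tally(SCAN, NOW, MISMATCH_FIRST)))
    print("every bucket (double count): ", dict(tally_all(SCAN, NOW)))
    print("one entry per cert:          ", dict(tally_per_cert(SCAN, NOW)))
```

Run as a script, the six observations produce three different pictures: with the survey order, the expired reseller cert is reported twice as "Unknown signer" because the server was reached under two names; with mismatch first, the same two observations split into "Cert-host mismatch" and "Expired"; counting every applicable bucket yields nine entries for six observations; and collapsing aliases leaves three certificates, one of which is valid. Which of these a published table reflects is exactly what the post says is unclear.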