EFF/iSEC's SSL Observatory slides available

Chris Palmer chris at noncombatant.org
Wed Aug 4 15:36:54 EDT 2010


http://www.eff.org/observatory

"We have downloaded a dataset of all of the publicly-visible SSL
certificates, and will be making that data available to the research
community in the near future."

So, keep an eye on that page. The data is very useful. Many more interesting
conclusions remain to be drawn from the data; once it's out (I'm told Real
Soon Now), you can chew on it yourself and find things out that Eckersley
and Burns haven't gotten to yet.

Highlights from the slide deck are troubling:

* In addition to the implausibly large and diverse group of CAs you trust,
you also completely trust all the intermediary signers they've signed.
Including, of course, DHS (slide 42). (See also: Soghoian and Stamm,
"Certified Lies".)  Windows and Firefox trust 1,482 CA certs (651
organizations).

* Of 16 M IPs listening on 443, 10.8 M started SSL handshake; of those, 4.3
M used CA-signed cert chains (slide 14). Thus, the majority of servers use
"invalid"/invalid/self-signed certs.

* The invalid certs contain all kinds of bad stuff (see slide 16).

* The valid certs contain all kinds of bad stuff (see the rest of the slide
deck).

* CAs re-use keypairs in new certs to prolong the effective life (slide 28).

* Many CAs sign reserved/private names. Several CAs have signed e.g.
192.168.1.2. That host is certified to live in many countries by many CAs.
One CA thinks its identity is the same as a public/routable IP.

* The single most often signed name is "localhost" (6K distinct certs for
that subject name). Many CAs have signed that name many times; a few CAs
only signed it once. This suggests many CAs don't even track the names
they've signed to make sure they don't get tricked into signing a name
twice. Never mind the fact that they shouldn't be signing private names in
the first place... A colleague of mine got a CA-signed cert for "mail".
Could that be a problem? :)

* Your browser trusts two signing certs that use a 512-bit RSA key (slide 32).

* The bad Debian keys are not dead, and 530 are CA-signed. 73 of the 530
are revoked.

I am, as you know, predisposed to interpret Eckersley's and Burns's findings
as damning for the entire trusted third party with no accountability idea
--- "Trent Considered Harmful". But even CA/TTP proponents must admit that
our current system has failed hard: in principle, and empirically. Any new
system must include a substantial answer to the numerous fatal problems
Eckersley, Burns, and Ristic have observed.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
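
A defender-side check for the private-name findings in the post above, as an added example that is not part of the original message: it flags certificate subject names that cannot be publicly unique (localhost, unqualified names such as "mail", non-routable IP addresses) and lists which issuers signed each one. The function names, issuer labels and sample records are constructed for illustration.

```python
import ipaddress

# Special-use TLDs that never resolve to one public owner (RFC 2606, RFC 6761, RFC 6762).
RESERVED_TLDS = {"localhost", "local", "test", "example", "invalid"}
PUBLIC = {"public-name", "public-ip"}


def classify_name(name):
    """Classify a certificate subject name by whether it can be publicly unique."""
    host = name.strip().rstrip(".").lower()
    if host.startswith("*."):          # a wildcard inherits the parent's status
        host = host[2:]
    if not host:
        return "empty"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback:
            return "loopback-ip"
        if ip.is_private or ip.is_link_local or ip.is_reserved:
            return "non-routable-ip"
        return "public-ip"
    labels = host.split(".")
    if len(labels) == 1:               # e.g. "localhost" or "mail"
        return "localhost" if host == "localhost" else "unqualified-name"
    if labels[-1] in RESERVED_TLDS:
        return "reserved-tld"
    return "public-name"


def audit(records):
    """Map each non-public name to (category, sorted list of issuers that signed it)."""
    findings = {}
    for issuer, name in records:
        category = classify_name(name)
        if category in PUBLIC:
            continue
        key = name.strip().lower()
        findings.setdefault(key, (category, set()))[1].add(issuer)
    return {k: (cat, sorted(issuers)) for k, (cat, issuers) in findings.items()}


# Constructed (issuer, subject name) pairs; not taken from the Observatory data.
SAMPLE_RECORDS = [
    ("CA-A", "localhost"), ("CA-B", "localhost"), ("CA-A", "192.168.1.2"),
    ("CA-C", "192.168.1.2"), ("CA-B", "mail"), ("CA-A", "www.eff.org"),
]

if __name__ == "__main__":
    for name, (category, issuers) in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{name:15} {category:18} signed by {', '.join(issuers)}")
```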


