22 Million SSL Certificates In Use Are Invalid

darthcamaro writes "While SSL certs are widely used on the Internet today, a new study from Qualys, set to be officially released at Black Hat in July, is going to show some shocking statistics. Among the findings in the study is that only 3% of SSL certs in use were actually properly configured. Quoting: '"So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside," Ivan Ristic, director of engineering at Qualys, said.'"

Two reasons for SSL

[EconomyGuy]

Two reasons for SSL: verification and encryption. Sure, if the domains don't match you don't have verification, but the communication is still encrypted, and if you happen to control both ends of the exchange, that's all you need.

Re:Two reasons for SSL

[marcansoft]

Unfortunately, all the browser vendors decided to implement this backwards and instead throw around ridiculously alarming warnings at the user if you dare use SSL for encryption only, and not verification.

You know, instead of the sane thing, just dropping the lock icon or otherwise indicating diminished (but not nonexistent security). Find that a non-expiring cert changes or a page with a verified SSL cert suddenly has a non-verified SSL cert? Then scare the living hell out of the user.

Re:Two reasons for SSL

[QuantumG]

So you want defense against snooping but don't care about defense against MITM attacks. Fair enough, I'm all for raising the bar, but don't be lured into thinking your communication is secure.

Re:Two reasons for SSL

[Deorus]

The worst is when they even force users to add exceptions just to watch random websites (Firefox, I'm looking at you). Now not only do I have to deal with the annoying warning blown out of all imaginary proportions, but I'm also adding an exception to a random website just because I want to browse it once in a life time that I may never remember to remove in the future and may cause real security issues later.

I really can't understand what's so wrong with temporary exceptions...

Re:Two reasons for SSL

[marcansoft]

It's considerably secure if your browser caches the certificate and puts up a warning if it changes. Then you need to be MITMed on your first visit for it to be effective, and then it has to keep up or you'll notice.

This is how SSH verification works, and I don't see many people getting MITMed, even if you don't usually check the fingerprints.

Re:Two reasons for SSL

[LordKronos]

So you want defense against snooping but don't care about defense against MITM attacks.

Yes, that's exactly what I want as the minimum requirement. Snooping on traffic is incredibly simple to do, and can really be done easily by anyone at any point along connection path. You just start up a packet sniffer, grab random packets, and wait until you catch something interesting. You don't even have to catch an entire session. Successfully pulling off a MITM attack is MUCH more complicated...requiring something trickier, such as hijacking DNS. You can't just be at any random point along the chain and perform the attack on any random connection coming through.

It's like a lock on my front door. I don't delude myself into thinking that nobody can get into my house, but the lock is a safeguard against the easiest attack vector.

Re:Two reasons for SSL

[seifried]

Invalid argument: Free SSL certificates: http://cert.startcom.org/.

Re:Two reasons for SSL

[QuantumG]

Your view of both sniffing and TCP hijacking seems to come from the mid-90s. I recommend reading up on both the improvements of switched networking and on the active techniques developed to defeat them. But yes, MITM is harder to get right, just as these techniques were harder to develop than just turning the network adapter to promiscuous mode.. but once they're developed, it's just a tool that anyone (or bot) can wield.. and they have been already.

Re:Two reasons for SSL

Even better when (yes, Firefox again!) the exception you are required to add ALSO changes the security mode used for Javascript! Sites you add exceptions for run as a Trusted Site and have elevated privileges.

Re:Two reasons for SSL

[marcansoft]

The Certificate Patrol extension for Firefox will. It'll tell you when a certificate changes and whether it should (e.g. whether it was near its expiration, and whether the issuer has changed).

Re:Two reasons for SSL

[DragonWriter]

Two reasons for SSL: verification and encryption. Sure, if the domains don't match you don't have verification, but the communication is still encrypted, and if you happen to control both ends of the exchange, that's all you need.

If you don't control the whole path between (in which case, you probably don't need encryption), the absence of verification renders encryption pointless.

If you control both ends, there is no reason not use valid certificates (both matching the domain and signed by a CA -- your own, if nothing else).

Invalid certificates of the type at issue (not matching the domain) usually mean you've bought a certificate from a commercial CA, and are using it on a domain other than the one you've bought it for, possibly because you have different domains that resolve to the same address (domains with and without "www." prefix where both use the same certificate that is intended to have the "www." prefix are the most common ones I've personally encountered on the web.)

Re:Two reasons for SSL

[apparently]

The worst is when they even force users to add exceptions just to watch random websites (Firefox, I'm looking at you). Now not only do I have to deal with the annoying warning blown out of all imaginary proportions, but I'm also adding an exception to a random website just because I want to browse it once in a life time that I may never remember to remove in the future and may cause real security issues later.
I really can't understand what's so wrong with temporary exceptions...

Firefox allows you to make temporary exceptions; you're just not doing it. When you click on the "Add an exception" button, followed by the "Get Certificate" button, there's a checkbox with the text "Permanently store this exception". Guess what happens if you leave that box unchecked and click the "Confirm Exception" box? A temporary exception is made.

Re:Two reasons for SSL

[izomiac]

Most people couldn't even tell you who the trusted certificate authorities were on their browser. From there, I'd say the number of users who personally trust all of them approaches zero. Knowing that you're connecting to the same entity on every connection would prevent most MITM attacks.

Of course, ideally, we'd verify the certificates over physical means. Until there's an easy way to do that you always run the risk of connecting to an impostor. OTOH, people are happy to give money to a random company (e.g. VeriSign) that promises security without requiring any change in behavior.

Re:Two reasons for SSL

[bunratty]

The last I checked, startcom certificates are not recognized as valid by Firefox. I purchased a five-year certificate from rapidssl.com for $60 a few years ago, and the certificate is recognized as valid by all major browsers. The cost is minimal.

Re:Two reasons for SSL

[no-body]

It's a money making scheme - if you look at the "fees" one has to shell out for certificates - has absolutely nothing to do with effort necessary to provide a certificate.

Part of the great pyramid where all the money is rising upwards to a small top, partially fueled by the - is it the dripping down - or trickling down - fantasy.

Verisign must have severely lobbied (greased) the browser vendors...

Certs should be issued by the government, like passports - for a reasonable fee. Probably a dud in US where free market rules with great results as one more and more can see.

Re:Two reasons for SSL

[dgatwood]

They've been supported for a while now, at least in Mac OS X. (I qualify that because I'm not 100% sure they don't pull in the OS's trusted roots.) Point Firefox at https://www.gatwood.net/ if you want to confirm it for yourself.

Re:Two reasons for SSL

[seifried]

You need to install the intermediate Startcom SSL certificate on your web server but that is easy and extensively covered in the documents. Again, there is NO excuse.

Re:Two reasons for SSL

[forkazoo]

Firefox allows you to make temporary exceptions; you're just not doing it. When you click on the "Add an exception" button, followed by the "Get Certificate" button, there's a checkbox with the text "Permanently store this exception". Guess what happens if you leave that box unchecked and click the "Confirm Exception" box? A temporary exception is made.

It is technically possible, but when it is hidden behind so much terrible UI, it barely matters that the feature technically exists. Most users would rather have their identity stolen than have to wade through that mess. Frankly, losing all of your money, and spending years sorting out the consequences of identity theft is a lot more convenient than the Firefox cert warning UI.

Re:Two reasons for SSL

[mysidia]

Actually it's checked by default, when you click 'get certificate'

And many times i've found after unchecking the box and going to hit the 'Confirm' button... it rechecks just after hitting confirm, and closes the window with a permanent exception added, despite my attempt to only add a temporary one.... very annoying Firefox...

Re:Two reasons for SSL

[mysidia]

Yes... it was a total disaster... fortunately, in the future DNSSEC should make SSL certificates obsolete.

If we can publish digitally signed records in the DNS, which are verifiable with the registrar, it's not too farfetched to say define a signed TXT record which will contain public key information for the web server.

Re:Two reasons for SSL

[complete+loony]

Lots of ISP's already run a transparent proxy to redirect port 80 traffic through their cache. Adding a MITM SSL proxy to this setup would be trivial if all clients blindly trusted the connection.

Re:Two reasons for SSL

[dwillden]

No the worst is trying to use a military computer (means only IE) to hit military sites, and having to approve half a dozen exceptions each time you visit a new page.

They seem to be unable to use standard certificates or even attempt to register them with internet registries. The best is working on a classified network. And getting "WARNING!!! This page may be unsafe! WARNING!!!" notices on an entirely closed and encrypted network.

Re:Two reasons for SSL

[0123456]

Unfortunately, all the browser vendors decided to implement this backwards and instead throw around ridiculously alarming warnings at the user if you dare use SSL for encryption only, and not verification.

There is nothing at all insightful about that post. If I go to connect to www.mybank.com and instead my connection is hijacked to xyz123.fubar.ru then I sure as hell want my web browser to scream and shout that the connection is invalid.

Not having my banking logon details stolen is a metric fsckload more important than people being able to log on to uncertified sites without adding an exception.

Re:Two reasons for SSL

[marcansoft]

If you connect to your bank through HTTP (and aren't redirected), nothing will save you from an attacker stealing your bank details unless you notice the lack of a lock icon indicating an SSL connection. This is exceedingly likely if, say, Joe Average user just types www.bank.com in his address bar and an attacker hijacks his connection and replaces the usual redirect to HTTPS with a man-in-the-middle attack on the bank.

Therefore, it makes zero sense to throw huge warnings for untrusted certs and yet do nothing for plain old unencrypted HTTP.

The only sane way to implement SSL warnings is to use memory. This gives you increased security (why did ChinaSSL suddenly start providing my bank's certificate? Right now, if that happens, you're 100% screwed) and avoids annoyances (no huge four-click warnings if you visit a site for the first time and its certificate is not verified by a CA).

Right now we're in the ridiculous situation where the least secure connection (HTTP) is given preferential treatment over the somewhat secure connection (unverified HTTPS), and yet the most secure connection (verified HTTPS) is both less secure than it could be (no sanity checks, if any CA signed it then it's good) and can be trivially downgraded to insecure HTTP, depending on the user's browsing habits.

This nonsense prevents widespread adoption of HTTPS for personal and noncritical sites. If browsers shipped with something like Certificate Patrol (tweaked for user usability instead of paranoia, avoiding dialogs during "normal" situations) and ditched the stupid warnings for untrusted SSL certificates (if they've never been seen using a trusted cert) it would go a long way towards encouraging the use of HTTPS and the Web would be a much safer place as a result.

Right now, if you go connect to www.mybank.com (which defaults to HTTP) and your connection is hijacked, unless you notice the lack of a lock icon, you're screwed. This is no worse than having an unverified SSL cert served and having the browser not display the lock icon as a result. It's definitely worse than the proper implementation, where the browser would warn you of an unencrypted connection that's usually encrypted, or having an unverified SSL connection that was previously seen as verified.

Re:Two reasons for SSL

[mcrbids]

It's a money making scheme - if you look at the "fees" one has to shell out for certificates - has absolutely nothing to do with effort necessary to provide a certificate.

I'm guessing you think the "effort necessary to provide a certificate" is not much more than the cost of computing the hashes for the certificates, right? Everybody knows that OpenSSL is free, open-source, and is available on a freely downloaded Linux ISO and burned to a $0.10 blank DVD, right? And a $25 P4 could calculate thousands of these hashes every hour!

As somebody who almost became a Certificate Authority, I can say that it isn't all that easy. Most of the problem isn't technical at all. In fact, the technical part is basically insignificant. Most of the problem lies in certification, and much of that lies not in the technical and/or organizational solutions, but presenting the technical, organizational, and financial solutions in a way that can be independently verified. (yes, financial too - would you trust a CA that wasn't profitable?)

Do you do backups every night? Maybe you do, but can you prove it? Who does the backups? How do you make sure the backups were done? How do you guarantee that the backups are only handled by qualified personnel? How have you qualified the personnel? How do you handle a failure scenario, or worse, a disaster scenario? In the event of a disaster, how do you *still* ensure that only qualified personnel handle the backups and/or data?

And on, and on, and on. It's a much tougher problem than you could possibly imagine. For our small company (~15 employees) we figured it would cost us between $50,000 and $100,000 to get the necessary audits and certification done, including implementation, to become a certified Certificate Authority. The costs get worse and more expensive as you scale upwards.

Even at $100/certificate, it takes a *lot* of certificates just to break even. I'm not saying that Verisign et al aren't highly profitable, I'm just saying that the reasons they are there are good reasons, even if they are somewhat guilty of gaming the system a bit.

Re:Two reasons for SSL

[Lincolnshire+Poacher]

> I purchased a five-year certificate from
> rapidssl.com for $60 a few years ago....
> The cost is minimal.

It's not just a cost issue, it's the principle.

You bought a "five-year" certificate. Why does it expire in five years? Does it spoil like milk? Do the bits wear with repeated use? No, it's a scam. RapidSSL don't have do do a single thing after generating the cert other than awaiting your next payment.

According to:

http://www.rapidssl.com/buy-ssl/index.html

they will sell us a "wildcard" cert for the low-low price of $796 for five years. So I correct myself; it's the cost AND the principle.

Re:Two reasons for SSL

[fyngyrz]

Certificates don't ensure you're talking to anyone in particular, other than someone who has managed to get their hands on the certificate, which, based on prevalance of rooting and etc., could be quite a range of people.

Certs reliably encrypt traffic between the two endpoints. That's the entire usefulness to the two endusers.

HOWEVER: An entire deceptive financial ecosystem was created when the browser manufacturers put those "scare the heck out of the user" dialogs in there; that meant that ecommerce types *HAD* to get certs that would not raise those warnings -- meaning, buying a bag of bits from someone else, a bag you could have made yourself for free, for all the good it would do you, instead purchased for $50 (or many more) dollars.

It's all based upon one key falsehood: The idea that a cert "assures" you that you're talking to someone in particular. As opposed to the guy who physically walked up to the machine while root was logged in, lifted the cert, and walked away. As opposed to the guy who rooted Apache or Postgres or etc., went in, lifted the cert AND the access to the DNS server, and disconnected. As opposed to the guy who has rooted the DNS elsewhere and has your cert.

It's 100% pure bunk. Certs encrypt. Probably not from the government, but from your average hacker, yeah, they generally succeed in making traffic look like a mess of indecipherable bitrot. That's all the actual service they're good for. That, and keeping browser warnings from ruining your attempt to do e-commerce. Just remember: The latter problem was *caused* by the browser writers in collusion with people like Verisign. The problem didn't exist until they put their heads together.

Reminds me very much of the government's war on drugs. The violence, the killings, the black market... 99.9999% a consequence of stupid, stupid rules, every one of which the government is entirely responsible for. Here, every scared consumer was created by the certificate "authorities" in conjunction with the browser makers. They created a fear of a non-issue so strong that everyone was forced to get in line and pretend (or be bewildered into thinking) that the threat was resolved with the purchased certificate, when that is utter bunkum from start to finish.

Re:Two reasons for SSL

[amorsen]

the reason 5 years is a bad idea is, because the bits can get guessed (brute force). This usually takes a lot of time, but it doesn't have to be and you should use a new one pretty much every year.

That is ridiculous. If you're afraid of brute force, use longer keys.

As it is, people use the same private/public key pair for the next CSR anyway, so expiry doesn't protect you from brute force anyway.

Re:Two reasons for SSL

[forkazoo]

You folks all know why this is right ? I mean what is the use of SSL-encryption if you don't know who your 'talking' to ?

Yeah, because talking to somebody whose identity I can't be sure of over an encrypted link is *soooo* much worse than talking to somebody whose identity I can't be sure of over a link that can be trivially sniffed. That's why telnet is better than SSH.

Which would be semi-significant if having a "proper" SSL cert actually gave me an iron-clad guarantee that I was talking to who I thought I was talking to, which it naturally can't.

Re:Two reasons for SSL

The proper way to do this is by IT adding a custom CA root certificate into every deployed computer, and signing all of the individual private site certs with that cert.

Re:Two reasons for SSL

[PowerKe]

Don't click the 'Get certificate' button. Once you click 'Add exception' and the pop-up is shown, Firefox is already retrieving the certificate. When it has retrieved the certificate, the 'Permanently store this exception' box is checked. If you click, 'Get certificate', the process starts over again. So what happens is that you uncheck the 'Permanently' checkbox and the 'Get certificate' process will re-check it again just before your click on the 'Confirm' button is processed. Indeed, very annoying.

Re:Two reasons for SSL

[Securityemo]

The techniques behind ARP spoofing and DNS spoofing are quite simple, if you understand the protocols involved. And the automated tools (Ettercap et al) are so good and easy to use that people use them for office pranks.

Re:Two reasons for SSL

[bunratty]

CAcert withdrew their request for their root cert to be included in Firefox. Talk to CAcert about it.

StartCom free SSL certificates now seem to work in Internet Explorer, Firefox, and Outlook out of the box. It looks like they're the best bet for free certs that won't display warnings in popular products.

Re:Two reasons for SSL

[Klaruz]

'the army' isn't one big magical network, it's actually hundreds of separate AD domains, and there is more than one branch of the military, some fly planes, some sail ships, some get shot at, they all have different ways of finding people to manage those AD domains. Some suck, some don't. I can tell you those that don't suck do indeed install the correct certificate authorities.

Re:Two reasons for SSL

[ArsenneLupin]

That's why telnet is better than SSH.

On first connection to a given server does provide the server key's fingerprint, which you can (and should) verify against a reference obtained out of band.

And if ever the server's key changes later on, the client will warn you very loudly about it.

So ssh does give you some assurance that you are talking to the server you think you should be talking to.

Of course, somebody could still have rooted the server, or the server admin himself could be shady, but to protect against these is not the purpose of the certificate (even though it is frequently misunderstood as such).

Re:Two reasons for SSL

[ArsenneLupin]

That's why browsers are starting to add things like ForceTLS, which will add an interface so you can tell the browser to only visit a site with SSL

Those users most likely not to notice the lock icon will not know about this, and not know for which site they'd need to set this.

and for the website to the tell the browser (for a fixed time) to visit the site only with SSL.

Many big sites use SSL only on certain pages. So either the protocol's granularity is the domain, and those sites are screwed (either can't use the feature, or incur the SSL overhead even on those pages that don't need it), or the granularity is finer (precise URL within site) and the man-in-the-middle will just set up a fake login on a URL in the domain that is not marked "SSL only".

And many large sites (Facebook, I'm looking at you) don't care about making it obvious to users that they use SSL: the default login form is on a plain HTTP page, and even though the submission URL is actually SSL, there is no easy way (short of view source) for the user to check that this is (still) the case.

Case in point: a while back, a friend of mine asked me to help him find out his estranged wife's Facebook password. He still had control over her Internet router. We set up a man-in-the-middle which just patched the Facebook login form to submit over plain HTTP rather than HTTPS, and she didn't notice anything...

Re:Two reasons for SSL

[arose]

I'm aware of the mess most SSL authorities are. Just amused by the notion that somehow the rubberstamping is worth $60 (cheap even!).

Duh

[afidel]

Virtual hosts mean if you just do an IP scan you will likely run into an SSL site that doesn't match the first URL associated with an IP.

Re:Duh

[NNKK]

Virtual hosts mean if you just do an IP scan you will likely run into an SSL site that doesn't match the first URL associated with an IP.

Wish I had mod points. I was about to post the exact same thing.

Even ignoring servers hosting multiple distinct sites (e.g. at a typical webhosting company) on one IP with some sort of management interface behind SSL on port 443, sites are often configured with their "secure" portion behind a different vhost, but the same IP (e.g. http://example.com/ may point to the same IP address as https://secure.example.com/, but you're still going to get an SSL-secured response from https://example.com/, just not the one you might expect).

One can make reasonable arguments that these might not be ideal configurations, but they don't present the serious practical problems implied by the article.

Re:Duh

[Pharmboy]

Also, every dedicated server has SSL for logging in (Server Beach, etc.), and the certificate never matches the domain, typically localhost.localdomain or similar. If you aren't doing actual ecommerce, then there is no reason to buy a certificate if you can instead just create one or use the self generated one, and either ignore the warning on your client, or install the certificate on the client as trusted (one mouse click). So to this "poll", it would appear to be incorrect, although it is perfectly fine and secure for the purpose it is being used for.

Re:Duh

[man_of_mr_e]

Indeed. I bet there is a very large percentage of these "misconfigured" SSL certs that are in the list for this very reason. Just because you can get to an IP by a given domain name doesn't mean that's the domain it's intended to use SSL with.

Also, think about all the millions of firewalls and routers out there with enabled WAN access and a bogus ssl cert just to make it work. Think of all the development servers, think of all the self-signed certs (which whould show up as invalid to the researchers because they're not configured to accept the self-signed cert).

I would highly doubt any mroe than 20% of those "misconfigured" servers are actually misconfigured ssl certs for real sites.

Re:Duh

[durdur]

It is not secure if you can't verify the host you are connecting to. Having a valid certificate that matches the host helps ensure that you haven't connected to some rogue site that is masquerading as or acting as a proxy to the site you think you are connecting to. That is not as unlikely to happen as you might think.

But it not only end users who decide not to care about this. As other posters have noted, it costs money to be compliant. It also costs some time and trouble to generate and set up a proper certificate chain. And the perceived cost of not doing this is small - it still works, just click on through the warnings. But there's still a cost - maybe a big cost if an successful attack is launched against the site.

Non-browser apps that are SSL clients also frequently fail to verify host certificates, because their developers are too lazy to implement it and/or not security conscious enough to consider it important.

Almost completely useless as a result.

[Gavin+Scott]

This week I'm helping a customer with some remote testing with a large hosting company who provides remote system console access via a Java/Web thing.

They sent me a PDF with the instructions for logging in that have a couple pages dedicated to telling you how to ignore the fact that all their certificates are expired or simply invalid, and tell you to check the "Always trust content from this publisher" box in order to eliminate the need for one extra click.

How can we ever expect to get any use out of this stuff if we're constantly training the users to ignore everything the security software is trying to tell them?

It seems to be considered completely acceptable behavior by very large well-known companies too.

G.

Re:Almost completely useless as a result.

[kimvette]

Why pay for a root-issued certificate when a self-signed one will do perfectly well when it's a known-safe server accessed only by a few authorised users? Just click through the "add exception" or "install certificate" dialog and be done with it.

Re:Almost completely useless as a result.

[Alwin+Henseler]

How can we ever expect to get any use out of this stuff if we're constantly training the users to ignore everything the security software is trying to tell them?

We can't, and we shouldn't. When users regularly see warning messages that are abacadabra to many of those users, the effect is predictable (and well understood): user won't read warnings anymore, and just do whatever is most likely to make the warning disappear.

At that point, you're just wasting user's time, making sure that genuine serious events dive below the radar, and waste system resources / application code (warning dialog boxes, etc) that doesn't get you any real-world gain. Which means that overall, you're doing worse than if you had just silently ignored those warnings.

If you want secure: make it work, solid, and easy to use. If that's too much to ask, better forget about it - a half-baked feeling of security is worse than being aware of its absence.

So an obvious better solution would be to handle invalid/broken security tokens for what they are (non-secure), and don't bother users with it other than small (visible) clues that could be checked by users who care and/or know what they're doing. Eg. expired SSL cert in a browser session -> no warning dialog, show URL like regular URLs in address bar (vs. special markup used for secure connections), and open/no lock icon in status bar.

Re:I don't need to confirm my own idenity.

[quenda]

but why do I need to check my own ID?

MiTM attack. e.g. using an internet cafe, which installs a transparent SSL proxy and can monitor all your transactions. Its OK if you have your own browser device, and previously installed your SSL certificate over a secure channel. But if you get the 'stop sign' over an insecure channel, take it seriously. They don't need to clone your server to compromise you, just a man-in-the-middle.

Methodology?

[dachshund]

That number seems high. I've seen many cases where a server is configured both at the correct address (say, www.foobar.com) and at another address which is not embedded in the cert (foobar.com). Depending on how you access the site you'll either get a perfectly valid cert or an invalid certificate message.

While a setup like this is improperly configured, it may not matter that much. If nearly all visitors access the site via the correct domain name, the SSL cert is probably doing its job.

No Big Deal

[harryjohnston]

"Only about 3.17 percent of the domain names matched," Ristic said. "So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside."

If you think about it, though, all he really knows is that the certificate does not match the domain name he used to connect to the server, which may not be the domain name which is meant to be used. The obvious next step would be to attempt to connect to the name given by the certificate, which might well point to the same actual site. Of course, it might be a name that is only valid for an internal network, not on the internet as a whole.

There are also lots of contexts in which a web server includes a default (usually self-signed) certificate with a generic name out of the box - typically web servers used for management of a software or hardware device. If the users don't need SSL, there's no reason for a "valid" certificate to be installed.

In short, he's using the phrase "in use" poorly; the fact that a server responds to an SSL request with a particular certificate does not mean that the certificate is "in use" in any meaningful way.

(These figures might be more meaningful if he had excluded self-signed and locally-signed certificates, looking only at those generated by a known certificate provider. Because they cost money, the latter are more likely to have been intended for actual use, although the actual use still might use a different URL than the one you are scanning.)

MS Exchange and SSL

[DigiShaman]

In the Microsoft world, SSL Certs are primarily used for Sharepoint, Exchange Webmail, Outlook Anywhere, and Exchange ActiveSync for iPhone, Droid, and other PDAs. You can't configure them wrong or you'll know immediately that the implementation is broken. So how in the hell can we have 22 million invalid certs?

i.e. 22 million virtual sites

[Culture20]

22 million virtual sites sharing IPs where only one site on an IP really needs the SSL, and the other sites weren't configured to only listen to the http port(s).

Duh

[nickdwaters]

Most people don't care. How many commerce engines are running in the background handling transactions? As long as the point to point transaction is "secure", who cares if its linked to the domain. The vast majority of people running mom and pop shops, or even in the tech industry doing dev / testing, don't care about tying certs down to a domain because they use lots of domains / change often and its a pain and viewed as a waste of time to manage all of them.

It's all too hard

[countach]

When it was my job to install SSL certificates, understanding it, buying the right certificate and installing it was freakishly difficult. Everyone from the certificate issuers to the server software providers needs to get together and simplify the whole process.

Re:I don't need to confirm my own idenity.

[TooMuchToDo]

For that you should be using the Perspectives Firefox Add-on. It checks with several notary signatures if the SSL key looks the same from everywhere. If it doesn't, it flags it.

Mod parent up

[AusIV]

Encryption without authentication is pointless. There are readily available tools that will allow a script kiddie to man-in-the-middle SSL communication with just a few clicks. This can be done from the same wireless network, physical network, or at any node between the source and destination hosts. Encryption without authentication is nothing but a false sense of security.

Re:Mod parent up

[AusIV]

Maybe you're not talking to the entity you thought you were talking to without verification, but at least only the party on the other end can read your message.

Any party along the way can read your message if there's no identification. If I'm trying to talk to https://example.com/ without identification while any node between me and example.com is compromised, that node can establish an encrypted connection with example.com and an encrypted connection with me. I send the attacker encrypted data, the attacker decrypts it, logs it, re-encrypts it for example.com, and forwards it along. This does require an active role, but there's no reason to assume someone who wants to steal your data is going to assume a passive role. As I stated in my last post, you can take an active role simply by being on the same network (wireless or otherwise) as your victim.

it's foolish to say there are no advantages over totally unencrypted traffic in these days when our ISPs sell our personal data and governments are increasingly monitoring Internet traffic.

But encryption without identification offers little practical advantage in this case. Your ISP could man-in-the-middle your HTTPS connection, collect data, and continue selling your personal data.

Why can't the browser just encrypt things and make no claims about identity verification?

They tried this for years, and users kept giving up sensitive data to phishers. Most users don't check for the lock or identity information like they should. The current approach that browsers are taking puts more control in the hands of the destination website. If the web server is requiring an HTTPS connection, the browser assumes the connection needs to be secure. If the HTTPS connection doesn't provide identity information, it is susceptible to man-in-the-middle attacks and cannot be considered secure. Since the web server is effectively saying it requires a secure connection, and the browser cannot consider the connection to be secure, it tells the user that something is wrong and they should take extreme caution if the choose to proceed.

Epistemology, bitches!

[zippthorne]

It's the distribution, stupid.

A self-signed cert that you just click "accept" for is worthless. It could've been useful, if you'd transferred the cert out-of-band and added it directly to the trusted list, but if you're fetching it off the internet, you've no idea whether the cert you're getting is the real one or not.

CA's are a tool for consolidating the certificate transfer process. Instead of having to manually install every certificate, you really only need to manually install through some trusted process, a single certificate that can sign all the others (presuming you have reason to trust their reasons for trusting)

Of course, nobody does that either, and using the certificates built-into a browser you downloaded insecurely is just as dumb as using self-signed certs off the net without any out-of-band component....

Qualys = Security for Dummies

[Gothmolly]

We had a decent Infosec guy at our shop, then he left the group, and they bought a Qualys scanner. Now I get chimps telling me that I might be affected by an Apache 2.0 bug, and so I'm vulnerable. I ask what the bug does, and nobody can say, other than "The Qualys test failed". Great. If I send in enough box-tops, can I get my CISSP too?

Exactly

[Frosty-B-Bad]

Funny, when Firefox went to the new style of annoyance (three step process) I made a post on the message boards to go back to the older style where it just prompted that it was invalid, click okay and you kept going. The devs/admins/users blasted back about how it was needed, how it helped, etc, and just as told them (a year + ago), finally research shows that most certs are invalid and out of date, but thats allllright because I quit using FF. It just scares me that the people that are smart enough to be involved with the programming and management of one of the most used web browsers have no insight to how the web is operating beneath them, don't they ever surf outside the mozilla domain? Weird.

Sounds like flawed assumptions to me

[scdeimos]

Many moons ago, when I worked for a web hosting company, they had Host Header servers for the low-cost customers.

A given server may have hosted up to 1,000 customer sites all on the one IP address by using the Host header introduced in HTTP/1.1 on tcp/80 (http), but they still had a single SSL certificate representing the server itself on tcp/443 (https). A reverse DNS lookup on the hosting IP returned the server's FQDN, which matched what was on the SSL cert's CN. Apparently this was something commonly done in the web hosting industry due to the ever-decreasing pool of IP addresses (this was in the days before TLS/SSL had mechanisms for clients to request a given certificate CN during the negotiation phase).

I wonder... did the discussed tests perform a reverse-DNS lookup on the web site's IP address before trying to connect to the https port? Was the result of that reverse DNS lookup used to compare against the SSL cert's CN, or did the test blindly assume that the CN must match the original site's FQDN?

Worthless article written by total idiots...

Think about their conclusions for a second. They are saying the SSL certs are worthless because the CN does not match the hostname. Why would millions of sites continue to pay ~$100 each year for a cert that will spout scary warnings in ALL browsers when their customers visit their web site? Surely this number of commercial organizations are not being that retarded so there must be an alternate explanation. Namely the author of the article and or Qualsys are total morons who are wasting our time.

Of those systems they reached how many happen to have multiple DNS records pointed at them and the domain they tried would never be used by any human person actually accessing resources of a site?

Of the systems they reached how many have a valid certificate chain? (IE were actually signed by a well known CA) vs certs that just have ssl certs installed by default with web servers or web based application servers?

How many times do you go to your bank or shop for something online or check your email and experience a cert CN/hostname mismatch error? I would be willing to bet that for most of us the answer is very close to 0.

Not certificates, the Browsers are invalid

[roman_mir]

Just discussed that here a little while ago.

Certificates may actually be perfectly valid without using the same host name as shows on the Internet, many people already gave reasons for that here on /. in this story.

I want to add that it may be that the wrong side here is the browser, not the certificate.

Treating a site that does not do https and sends data in clear text with no contempt, while treating sites that use self signed certificates as if those are broken criminal sites?

It's like treating clear text passwords (and other data) better than passwords sent over https.

Shows a clear agenda on the part of browser producers - create more revenue for the "signing authorities". Well, who are these signing authorities, how do we know they can be trusted, and what kind of a security theater is this - paying someone so that you / others can trust them? Makes no sense, the entire concept is borked.

Sites need to publish their fingerprints clearly and browsers need to behave properly - at maximum give a warning that the cert is not registered with a CA, but do not try to prevent people from using the site!

Since encryption isn't actually affected....

[Tomsk70]

We're expected to shell out thousands to SSL 'companies' whose job it is to confirm what we already know. Especially the likes of GoDaddy, who wanted more info for my domain than I need to get a passport, bank account, driving license, pretty much anything else. The result? Bugger off, don't need it anyway. Now repeat into the millions.

It doesn't help that Exchange and IE both scream about SSL Certs - it's just one more thing people ignore.