Banking, online auctions, shopping, email... We see the https:// scheme in front of URLs ever more often, because deploying SSL is regarded as a means of protecting private and sensitive data such as personal information or financial details. But Ivan Ristic, director of engineering at Qualys, claims that nearly all of those SSL-protected Web sites are not in fact properly protected.
"We have about 22 million SSL servers [out of some 23 million] with certificates that are completely invalid because they do not match the domain name on which they reside," he says. In its study, Qualys queried some 119 million domains on ports 80 (HTTP) and 443 (HTTPS, SSL), getting a response on both ports from 34 million of them. Of those that responded to port 443 requests, "about 23 million of the sites were actually running SSL," said Ristic in a podcast ahead of the forthcoming release of the full paper.
However, according to the firm Comodo, these numbers cannot be right "because commercial Certificate Authorities have sold substantially fewer than 23 million certificates." So how could Qualys have come up with those figures? Comodo offers a simple explanation: "For example, a webhost may host 100 domain names on a single IP address. Of those, just three sites are SSL enabled, while the other 97 are not. Qualys's study would suggest that there are 100 SSL enabled sites with 97 domains misconfigured due to mismatch of the domain name. Yet, only three domains at that IP address are actually configured for the SSL certificate, while the remaining 97 are not configured for SSL at all." As Web sites such as eSecurity Planet report Ristic's statements and his company's alleged findings, misinterpretations abound, and such an "over-reporting of 'misconfigured' sites would be a disservice to the general public, could damage the reputations of ISPs, webhosts and Certificate Authorities, and ultimately, could have a detrimental effect on e-commerce," according to Comodo. Surely there are flaws in particular deployments of SSL certificates, but when all the facts are taken into consideration, 22 million 'SSL-protected' Web sites being misconfigured is simply impossible.
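The disagreement above comes down to how a scanner classifies a certificate that does not name the host it was asked for. The following is an added example, not code from the article, Qualys or Comodo: it applies the usual hostname-matching rules for certificate names and then, using constructed scan records and example addresses, separates a certificate that genuinely names the wrong host from the shared-hosting case Comodo describes, where a virtual host that was never configured for SSL is simply handed the IP address's default certificate. The "default certificate" rule is a heuristic assumed here for illustration.

```python
# Added example (not from the article, Qualys or Comodo): classify SSL scan
# records so that "shared IP returned its default certificate" is not counted
# as "certificate names the wrong host". All records and addresses below are
# constructed for the example.
from collections import Counter, defaultdict


def hostname_matches(hostname, cert_names):
    """Return True if hostname is covered by one of the certificate's names.

    Follows the RFC 6125 rules for DNS-ID matching: case-insensitive exact
    match, or a wildcard of the form '*.example.com' that matches exactly one
    leading label (so '*.example.com' covers 'a.example.com' but neither
    'example.com' nor 'a.b.example.com').
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        pattern = name.lower().rstrip(".")
        if "*" not in pattern:
            if host == pattern:
                return True
            continue
        # Only a single leftmost '*.' label is honoured; anything else is ignored.
        if not pattern.startswith("*.") or "*" in pattern[2:]:
            continue
        host_labels = host.split(".")
        pattern_labels = pattern.split(".")
        if (len(host_labels) == len(pattern_labels)
                and host_labels[0]
                and host_labels[1:] == pattern_labels[1:]):
            return True
    return False


# Constructed scan records: (IP, hostname sent in SNI, id of the certificate the
# server returned, names in that certificate). Three vhosts on 203.0.113.10
# have their own certificates; the other vhosts on that IP are not configured
# for SSL, so the server falls back to the default certificate "A".
CERT_A = ["shop.example.com", "www.shop.example.com"]
SCAN = [
    ("203.0.113.10", "shop.example.com", "A", CERT_A),
    ("203.0.113.10", "www.shop.example.com", "A", CERT_A),
    ("203.0.113.10", "mail.example.net", "B", ["mail.example.net"]),
    ("203.0.113.10", "api.example.org", "D", ["*.example.org"]),
    ("203.0.113.10", "blog.example.org", "A", CERT_A),
    ("203.0.113.10", "photos.example.org", "A", CERT_A),
    ("203.0.113.10", "forum.example.net", "A", CERT_A),
    # Dedicated server whose single certificate simply names the wrong host.
    ("203.0.113.20", "secure.example.com", "C", ["www.example.com"]),
]


def classify(records):
    """Map each hostname to 'match', 'default_cert' or 'mismatch'.

    Heuristic (an assumption of this example): a certificate that does not
    name the queried host is treated as the IP's default certificate when the
    same certificate is also returned for other hostnames on that IP, i.e. the
    server never selected a vhost-specific certificate because that vhost is
    not configured for SSL. A non-matching certificate returned only for this
    hostname was chosen for it and is a real name mismatch.
    """
    certs_per_ip = defaultdict(Counter)
    for ip, _host, cert_id, _names in records:
        certs_per_ip[ip][cert_id] += 1
    result = {}
    for ip, host, cert_id, names in records:
        if hostname_matches(host, names):
            result[host] = "match"
        elif certs_per_ip[ip][cert_id] > 1:
            result[host] = "default_cert"
        else:
            result[host] = "mismatch"
    return result


def summarize(records):
    """Count records per category: the figure a survey would report."""
    return Counter(classify(records).values())


if __name__ == "__main__":
    for host, verdict in classify(SCAN).items():
        print(f"{host:24s} {verdict}")
    print(dict(summarize(SCAN)))
```

Counting only the "mismatch" category as misconfigured gives one site; counting every non-matching certificate, as the disputed figure appears to, gives four. Two caveats apply to any real scan: the scanner must send the hostname in SNI, because without it the server always returns the default certificate and every name on a shared IP except the default one looks mismatched, and the "same certificate served to several hostnames" rule cannot tell whether those other vhosts were meant to be served over SSL at all.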
We will not know the full extent of Qualys's study and its final conclusions until the paper is published later this month. In the meantime, Melih Abdulhayoglu, chief executive officer of Comodo, invites Ivan Ristic to clarify what has already been said: "Ivan Ristic is an experienced security researcher and is held in high regard by all at Comodo, but these interim figures paint an inaccurate picture of SSL deployment because they are not properly clarified. We urge him to review these figures before publishing or presenting this to an informed audience."