
Not All SSL Certificates in Use Today Are Valid


It is no wonder that enterprise SSL security certificates are big business, considering that SSL certificates are seen as being on the front lines of securing Web transactions from fraud. But new data suggests that not all SSL certificates are configured correctly.

Qualys, a security research firm, is trying to paint a detailed portrait of SSL deployments and their gaps with a new study, still under development, that aims to provide a deeper level of information on the state of the SSL market than is currently known. So far, most industry intelligence on the subject has come from Netcraft and vendor reports.

Qualys scanned 119 million domain names in its study, but only 92 million of them were active. Approximately 12.4 million domains did not resolve correctly and 14.6 million did not respond. Of the active domains, almost 34 million responded to the Qualys scan on port 80 and port 443. Port 80 is generally used for HTTP, whereas port 443 is generally used for HTTPS, that is, SSL-secured Web sites.

Digging a layer deeper into the active sites on port 443, Ivan Ristic, director of engineering at Qualys, said in a seminar that he found that only about 23 million sites were actually running SSL.

SSL certificates can be generated for any domain name. It is considered good practice for the name on the SSL certificate to be the name of the domain on which the certificate is used, although Ristic's research shows that this isn't always the case.

“Approximately 3.17% of domain names matched,” Ristic said. “So, we have approximately 22 million SSL server certificates that are completely invalid since they do not match the domain name on which they exist.”
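The name check behind that mismatch figure can be sketched as follows. This is an added example, not Qualys's scanner code: it assumes certificates are already parsed into the dict layout returned by Python's ssl.SSLSocket.getpeercert(), falls back to the subject CN only when no DNS subjectAltName is present (a legacy-validator behaviour chosen here as an assumption), and runs over constructed sample data.

```python
"""Check whether a certificate's names cover the domain that served it."""

def cert_names(cert):
    """Names to test: dNSName SAN entries, else (legacy fallback) subject CNs.
    `cert` uses the dict layout of Python's ssl.SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def label_match(pattern, host):
    """Compare label by label; '*' is honoured only as the whole left-most
    label, stands for exactly one label, and needs two labels after it."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def name_matches(cert, domain):
    """Case-insensitive match of `domain` against any name in the cert."""
    host = domain.lower().rstrip(".")
    return any(label_match(n.lower().rstrip("."), host)
               for n in cert_names(cert))

def survey(results):
    """Split (domain, cert) scan results into matched / mismatched domains."""
    matched, mismatched = [], []
    for domain, cert in results:
        (matched if name_matches(cert, domain) else mismatched).append(domain)
    return matched, mismatched

# Constructed sample data (reserved example domains), not survey output.
SAMPLE = [
    ("www.example.com", {"subject": ((("commonName", "www.example.com"),),)}),
    ("shop.example.net", {"subjectAltName": (("DNS", "*.example.net"),)}),
    # SAN present, so the matching CN is ignored and the check fails.
    ("example.org", {"subject": ((("commonName", "example.org"),),),
                     "subjectAltName": (("DNS", "www.example.org"),)}),
    ("a.b.example.net", {"subjectAltName": (("DNS", "*.example.net"),)}),
    # Shared-hosting default certificate served for a customer's domain.
    ("customer-site.example",
     {"subject": ((("commonName", "shared-host.example"),),)}),
]

if __name__ == "__main__":
    ok, bad = survey(SAMPLE)
    print(f"{len(ok)} matched, {len(bad)} mismatched: {bad}")
```

The last sample entry is the pattern a domain-wide scan is likely to hit most often: a host answers on port 443 with a certificate issued for some other name.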

Identifying invalid SSL certificates


Ristic, who is set to deliver a talk at the Black Hat USA Conference this summer, said his company has had a publicly available SSL security audit service for some time. But the Qualys SSL checker required users to come to the site to verify their own SSL status. With the new research conducted by Ristic, Qualys has turned to analyzing the Internet itself to gather information about how sites implement SSL.

According to VeriSign, there are currently approximately 193 million domain names. In terms of SSL, Netcraft reports that there are 1.5 million SSL certificates. Ristic decided to focus his research on all .com, .net, .org, .biz, .info and .us domains, a total of 119 million domain names.

Ristic explained that he built a virtual machine able to run 2,000 threads in parallel to scan the millions of domain names. The whole procedure took him 2 days at a speed of 1,000 servers scanned per second.

“The hardware is nothing special – I use a virtual server in the cloud, and it is just a medium-sized box,” Ristic said. “The trick to why testing is fast is that only a few network packets are exchanged, and that is enough to determine if the server on the other side is able to support the protocol.”

As part of the full report he is working on, Ristic said that he will carry out a more in-depth analysis of the 720,000 SSL certificates that he discovered in his initial analysis and considers valid. The plan is to collect up to 300 pieces of data on each SSL server to better understand how certificates are deployed and configured.