On 10/06/2010 05:04 AM, Kurt Seifried wrote:
Thanks for the information, Kurt (and indirectly, Eddy). I would like
to be accurate on this point and correct the story as necessary, but I
need help in ensuring I have the right information and understand what
it means, first.
Where did you get your numbers exactly?
Kurt, I gather your SSL data is from July's Defcon paper (available at
https://www.eff.org/observatory). For starters, could you folks explain
to me why the 4.3M sites with a valid certificate chain would be the
ones to look at (vs. all that offer an SSL handshake).
There are a lot of "Welcome to your new Apache 1.2" sites out there on
the Internet. TLS on TCP port 443 is by far the best way for an end-user
application to make outbound connections through various firewalls.
Consequently, a lot of stuff is listening on port 443 that isn't really
a website. It's less likely to use a conventional trust chain.
Any real https can be expected to present a cert accepted by the major
browsers. Other things listening on 443 are mostly not relevant at all
to a web browser.
This survey:
http://netsekure.org/2010/04/most-common-trusted-root-certificates/
puts the certs "CN=plesk, OU=Plesk, O=Parallels", "e=webas...@localhost,
CN=localhost", "r...@localhost.localdomain, CN=localhost.localdomain"
all in the top ten most popular certificates.
Another good net-wide survey of port 443 is at:
http://blog.ivanristic.com/Qualys_SSL_Labs-State_of_SSL_2010-v1.6.pdf
- Marsh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto