[cryptography] Let's go back to the beginning on this

Ralph Holz holz at net.in.tum.de
Tue Sep 13 18:42:08 EDT 2011


> Is anyone aware of any up-to-date data on this btw?  I've had
> discussions with the browser makers and they have some data, but I
> wonder whether anyone else has any data at scale of how often users
> really do run into cert warnings these days. They used to be quite
> common, but other than 1 or 2 sites I visit regularly that I know have
> self-signed certs, I *never* run into cert warnings anymore.   BTW,
> I'm excluding "mixed content" warnings from this for the moment
> because they are a different but related issue.

I run into it quite regularly, often on sites of non-commercial
organisations. Like universities. My favourite page so far said "Please
ignore the warning that will appear when you click next" (that was FU
Hagen, I believe).

That said, I can see in our monitoring data that about 20-60% of
certification chains are broken, and these are sites that people do
access (it is passive monitoring data from a large regional ISP).

In our scanning data, we find that only about 18% of certificates have
both a valid chain plus the correct hostname (wildcarded or not) in
their CNs or SANs.


Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
