[cryptography] Let's go back to the beginning on this

Andy Steingruebl andy at steingruebl.com
Tue Sep 13 18:57:22 EDT 2011


On Tue, Sep 13, 2011 at 3:42 PM, Ralph Holz <holz at net.in.tum.de> wrote:
>
> That said, I can see in our monitoring data that about 20-60% of
> certification chains are broken, and these are sites that people do
> access (it is passive monitoring data from a large regional ISP).

Interesting.  Are you pulling the server-certs out of the SSL
handshake and then checking if they validate against any browser
store?

> In our scanning data, we find that only about 18% of certificates have
> both a valid chain plus the correct hostname (wildcarded or not) in
> their CNs or SANs.

This data, while interesting, doesn't tell us much about how often
users encounter those sites.  I much prefer data instrumented from
actual web browsers, or network traffic.

- Andy
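The hostname check Ralph's numbers rest on ("the correct hostname, wildcarded or not, in their CNs or SANs") is easy to get subtly wrong, so here is a worked version of it. This is example code added to this archive page, not code from either poster or from the TUM monitoring project. It operates on certificate data in the shape Python's `ssl.SSLSocket.getpeercert()` returns, with the sample certificates constructed inline, and applies the RFC 6125 rules browsers use: DNS-ID SANs take precedence and the CN is only a fallback when the certificate carries no DNS SAN at all; a wildcard is accepted only as the whole left-most label and never matches a bare domain or more than one label. Chain validation against a browser store is the other half of the check; that is done by the TLS stack on a live handshake (for example `ssl.create_default_context()` with the relevant CA bundle) and is not reproduced here.

```python
"""Certificate hostname matching of the kind discussed in the thread.

Added example, not part of the original post. Input is a dict shaped like
ssl.SSLSocket.getpeercert(); the sample certificates below are constructed.
"""
from __future__ import annotations

import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID comparison (case-insensitive, trailing dot ignored).

    A wildcard is accepted only when it is the entire left-most label, the
    pattern has at least two further labels (so '*.com' is rejected), the
    label is not an IDNA A-label, and it matches exactly one hostname label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    first, rest = p_labels[0], p_labels[1:]
    if first != "*" or any("*" in lab for lab in rest):
        return False  # partial wildcards ('f*o') and wildcards in other labels rejected
    if h_labels[0] == "" or h_labels[0].startswith("xn--"):
        return False
    return rest == h_labels[1:]


def cert_names(cert: dict) -> tuple[list[str], list[str], str | None]:
    """Extract (DNS SANs, IP SANs, first CN) from a getpeercert()-style dict."""
    dns, ips = [], []
    for typ, val in cert.get("subjectAltName", ()):
        if typ == "DNS":
            dns.append(val)
        elif typ == "IP Address":
            ips.append(val)
    cn = None
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName" and cn is None:
                cn = val
    return dns, ips, cn


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate names `hostname` the way a browser would accept."""
    dns, ips, cn = cert_names(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP reference identifier only ever matches an IP Address SAN, never the CN.
        return any(ipaddress.ip_address(v) == ip for v in ips)
    if dns:
        # Once any DNS SAN is present the CN is ignored entirely.
        return any(_dns_match(p, hostname) for p in dns)
    return cn is not None and _dns_match(cn, hostname)


def both_ok_fraction(observations: list[tuple[dict, str, bool]]) -> float:
    """Share of (cert, hostname, chain_valid) observations passing both checks,
    the quantity the survey figure in the thread reports."""
    if not observations:
        return 0.0
    good = sum(1 for cert, host, chain_ok in observations
               if chain_ok and hostname_matches(cert, host))
    return good / len(observations)


# Constructed sample certificates (hypothetical hosts under RFC 2606 / 5737 names).
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_CN_ONLY = {  # pre-SAN style certificate: CN is the only name
    "subject": ((("organizationName", "Example Net"),), (("commonName", "mail.example.net"),)),
}
CERT_SAN_OVERRIDES_CN = {  # CN names a host the SAN list does not; browsers reject that host
    "subject": ((("commonName", "legacy.example.org"),),),
    "subjectAltName": (("DNS", "api.example.org"),),
}
CERT_IP = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}
CERT_BAD_WILDCARD = {"subjectAltName": (("DNS", "*.com"),)}

SAMPLE_OBSERVATIONS = [
    (CERT_WILDCARD, "www.example.com", True),
    (CERT_WILDCARD, "example.com", True),            # name mismatch
    (CERT_CN_ONLY, "mail.example.net", False),        # chain broken
    (CERT_SAN_OVERRIDES_CN, "legacy.example.org", True),  # name mismatch
    (CERT_IP, "192.0.2.10", True),
]

if __name__ == "__main__":
    for cert, host, chain_ok in SAMPLE_OBSERVATIONS:
        print(f"{host:22} chain={chain_ok!s:5} name={hostname_matches(cert, host)}")
    print("both ok:", both_ok_fraction(SAMPLE_OBSERVATIONS))
```

Run against a live server, the `cert` argument is whatever `getpeercert()` returned after a handshake in which chain validation was turned on; the two failure classes the thread counts (broken chain, wrong name) then fall out separately, which is what makes the "both valid" figure meaningful.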
