[cryptography] Let's go back to the beginning on this

Ralph Holz holz at net.in.tum.de
Tue Sep 13 19:09:15 EDT 2011


> Interesting.  Are you pulling the server-certs out of the SSL
> handshake and then checking if they validate against any browser
> store?

Yes, with the second operation offline and validating against the NSS
root store. I don't have a MS one at the moment; it would be interesting
(how do you extract that from Win? The EFF guys should know).

(Here's a privacy disclaimer, though: only statistics leave our monitor,
no certs, no connection data, etc.)

>> In our scanning data, we find that only about 18% of certificates have
>> both a valid chain plus the correct hostname (wildcarded or not) in
>> their CNs or SANs.
> This data, while interesting, doesn't tell us much about how often
> users encounter those sites.  I much prefer data instrumented from
> actual web browsers, or network traffic.

Well, yes, but it is the Alexa Top 1 million list that is scanned. I can
give you a few numbers for the Top 1K or so, too, but it does remain a
relative "popularity".


Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
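As an added illustration of the hostname check discussed in this message (the "correct hostname, wildcarded or not, in the CN or SANs" criterion), here is a small Python matcher; it is not code from the poster's scanning setup, and the scan records at the bottom are constructed sample data.

```python
import re
from typing import Iterable, List, Optional, Tuple

# A DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or dNSName SAN) against a hostname.

    Rules in the spirit of RFC 6125: case-insensitive; a wildcard is accepted
    only as the entire leftmost label, only with at least two labels after it,
    and it never spans a dot. So '*.example.com' covers 'www.example.com' but
    not 'a.b.example.com' or the apex 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not _LABEL.match(h_labels[0]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(hostname: str, cn: Optional[str], dns_sans: Iterable[str]) -> bool:
    """True if the cert's names cover hostname. As RFC 6125 section 6.4.4
    recommends, the CN is consulted only when no dNSName SANs are present."""
    sans = list(dns_sans)
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(n, hostname) for n in candidates)


# Constructed sample scan records: (hostname scanned, CN, dNSName SANs).
SAMPLE_SCAN = [
    ("www.example.com", "www.example.com", []),                  # CN only, matches
    ("www.example.net", "*.example.net", ["*.example.net"]),     # wildcard SAN
    ("example.org", "*.example.org", []),                        # wildcard != apex
    ("mail.example.edu", "example.edu", ["www.example.edu"]),    # wrong names
    ("shop.example.com", "shop.example.com", ["example.com"]),   # SANs override CN
]


def count_matching(records: List[Tuple[str, Optional[str], List[str]]]) -> Tuple[int, int]:
    """Return (records whose cert covers the scanned hostname, total records)."""
    hits = sum(cert_covers_host(h, cn, sans) for h, cn, sans in records)
    return hits, len(records)
```

The chain-validation half of the check (against the NSS root store) is separate and not shown here; a certificate passes the poster's criterion only when both parts succeed.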

