[cryptography] Let's go back to the beginning on this

Ralph Holz holz at net.in.tum.de
Wed Sep 14 03:13:21 EDT 2011


Hi,

>> Well, yes, but it is the Alexa Top 1 million list that is scanned. I can
>> give you a few numbers for the Top 1K or so, too, but it does remain a
>> relative "popularity".
> 
> How many of those sites ever "advertise" an HTTPS end-point though?
> Maybe users are extremely unlikely to ever see a link, etc. that
> points to their HTTPS endpoint.

Maybe, but I don't have any numbers on that. However, if someone wants
to do it: a simple way would be to download a site's start page and
check for HTTPS links in the HTML. Then go to that site, download the
cert and do the validity checks. Obviously, you're likely not in the top
1 million sites anymore then.

Actually, I think Ivan Ristic has done something similar for login forms:

http://blog.ivanristic.com/2011/05/a-study-of-what-really-breaks-ssl.html

Although his presentation doesn't give any numbers on how often the
encountered certificates were valid (chain, host name) for the thus
protected login site.

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
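
The measurement sketched in the message above (collect the HTTPS endpoints a start page links to, then validate each endpoint's certificate for chain and host name), as an added example that is not part of the original post. The sample page, the example.test host names and the function names are constructed for illustration, and validation uses the local system trust store.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample start page (not real measurement data).
SAMPLE_PAGE = """<html><body>
<a href="https://login.example.test/signin">Sign in</a>
<a href="/about">About</a>
<form action="HTTPS://secure.example.test:8443/pay" method="post"></form>
<img src="http://cdn.example.test/logo.png">
<a href="https://login.example.test/help">Help</a>
</body></html>"""

class HttpsLinkParser(HTMLParser):
    """Collect (host, port) of every https URL in href/src/action attributes."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.endpoints = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                # Resolve relative links against the page URL before judging the scheme.
                parts = urlsplit(urljoin(self.base_url, value.strip()))
                if parts.scheme == "https" and parts.hostname:
                    self.endpoints.add((parts.hostname, parts.port or 443))

def advertised_https_endpoints(html, base_url):
    """Return the sorted, de-duplicated HTTPS endpoints a page advertises."""
    parser = HttpsLinkParser(base_url)
    parser.feed(html)
    return sorted(parser.endpoints)

def check_certificate(host, port=443, timeout=5.0):
    """Return (ok, detail); ok means chain and host name both validated."""
    ctx = ssl.create_default_context()  # verifies chain and host name by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert().get("notAfter", "")
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message  # e.g. expired, self-signed, name mismatch
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS errors
        return False, "connect error: %s" % exc

if __name__ == "__main__":
    for host, port in advertised_https_endpoints(SAMPLE_PAGE, "http://www.example.test/"):
        print(host, port, check_certificate(host, port))
```
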
