
In an article titled “SSL Certificates In Use Today Aren’t All Valid”, posted at eSecurity Planet by Sean Michael Kerner, it is asserted that only roughly 3% of SSL certificates installed worldwide are operating in a fully functional manner. If this is true, it leaves about 22 million sites at risk. Is this really possible?

The data comes from Qualys. The researcher Ivan Ristic states that he used software written specifically for this purpose to attempt to contact approximately 22 million SSL servers in 2 days. His software tested each connection by sending data to port 443 (the port commonly used for HTTPS, i.e. SSL-enabled websites).

His finding was that only about 3% of the sites he tested responded appropriately. Ristic noted that it is considered a best practice for the name on the SSL certificate to match the name of the domain on which the certificate is being used. “Only about 3.17 percent of the domain names matched,” Ristic said. “So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside.”

So, have millions of SSL Certificate purchasers wasted their money on certificates that are invalid?

Before you sue your Certificate Authority, hassle your hosting company or become irate with IT…let’s take a look at a number of facts that this study does not seem to take into account.

  • The commercial CAs have sold nowhere near 22 million certs. So what the study is really showing is an artifact produced by ISPs trying to conserve IPv4 addresses. If they have 100 Web sites on the same machine and four of them have an SSL certificate, they will assign 4 IPv4 addresses and not 5. Each SSL site will share its IPv4 address with an average of 24 other, unrelated sites.
  • The study seems to ignore the popular use of shared IP addresses. For example, say you have a web server, and for the purpose of this discussion it hosts a few dozen name-based websites. Just one of these sites uses SSL for a shopping cart. If you “scanned” the server by domain name for SSL support as described in the article, ALL of the name-based virtual hosted domains would “reply”, because SSL is IP-specific, not domain-specific. Thus, with 25 domains, all would “support” SSL with mismatched domain names and be flagged as failing the security test.
  • The study criteria don’t take into account self-signed certificates that are used internally, where data encryption is the primary purpose of the certificate and not the site owner’s identity.
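To make the shared-IP artifact concrete, here is an added example (not code from the article or from the Qualys study) that models the scan as the article describes it: one certificate per IPv4 address, 25 name-based virtual hosts on that address, and every domain checked against whatever certificate its IP presents. All hostnames, addresses and certificate names are constructed sample values.

```python
# Added example (not from the article or the Qualys study): models the scan the
# article describes. Each IP serves one certificate; name-based virtual hosts
# share that IP, so scanning every hosted domain against its IP yields a
# hostname mismatch for every domain except the one the certificate names.
# All hosts, IPs and certificate names below are constructed sample values.
from collections import Counter

def hostname_matches(hostname: str, cert_names: list[str]) -> bool:
    """Match a hostname against certificate names (CN/SAN style).
    A wildcard is honoured only as the entire leftmost label and only
    covers one label, the way current browsers treat it."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".example.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False

# Constructed server: one IPv4 address, one certificate, 25 name-based vhosts.
CERT_BY_IP = {"203.0.113.10": ["shop.example.com", "www.shop.example.com"]}
VHOST_IP = {"shop.example.com": "203.0.113.10"}
VHOST_IP.update({f"site{i}.example.net": "203.0.113.10" for i in range(1, 25)})

def scan_like_the_study(vhost_ip: dict, cert_by_ip: dict) -> Counter:
    """Connect to each domain's IP, take whatever certificate that IP
    presents, and classify the result the way the study did."""
    result = Counter()
    for domain, ip in vhost_ip.items():
        names = cert_by_ip.get(ip)
        if names is None:
            result["no_tls"] += 1
        elif hostname_matches(domain, names):
            result["match"] += 1
        else:
            result["mismatch"] += 1
    return result

def distinct_certificates(vhost_ip: dict, cert_by_ip: dict) -> int:
    """Count certificates actually deployed: one per IP, not one per domain."""
    return len({ip for ip in vhost_ip.values() if ip in cert_by_ip})

if __name__ == "__main__":
    counts = scan_like_the_study(VHOST_IP, CERT_BY_IP)
    print(counts)  # Counter({'mismatch': 24, 'match': 1})
    print("certificates deployed:", distinct_certificates(VHOST_IP, CERT_BY_IP))
```

The single certificate on this server is counted 25 times by the study's method, 24 of them as "invalid", even though only one certificate was ever bought or installed.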

In the study’s defense, it should be noted that the handshake attempt that was initiated by the software DID fail the test as it was presented, so the numbers aren’t a “lie”, they are just presented in a manner that doesn’t really tell the whole story.

So, rationally speaking, the finding of the study is not that 22 million sites are insecure, as it seems to imply. More accurately, one could say that the SSL certificates in question didn’t work in the manner that today’s browsers would expect them to.