Hi,

> Is anyone aware of any up-to-date data on this btw? I've had
> discussions with the browser makers and they have some data, but I
> wonder whether anyone else has any data at scale of how often users
> really do run into cert warnings these days. They used to be quite
> common, but other than 1 or 2 sites I visit regularly that I know have
> self-signed certs, I *never* run into cert warnings anymore. BTW,
> I'm excluding "mixed content" warnings from this for the moment
> because they are a different but related issue.

I run into it quite regularly, often on sites of non-commercial organisations. Like universities. My favourite page so far said "Please ignore the warning that will appear when you click next" (that was FU Hagen, I believe).

That said, I can see in our monitoring data that about 20-60% of certification chains are broken, and these are sites that people do access (it is passive monitoring data from a large regional ISP). In our scanning data, we find that only about 18% of certificates have both a valid chain plus the correct hostname (wildcarded or not) in their CNs or SANs.

Ralph

--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography