I've finally found some time to analyse the data from last month's scan
to see what happens when additional roots are removed [1,2].

The scan took place between the 11th and 19th of July 2014.
The sites scanned were taken from the Alexa top 1 million sites as of the 11th of July.

Overall, the certificate stats look like this:

Statistics from 440559 chains provided by 585568 hosts

Server provided chains    Count     Percent
-------------------------+---------+-------
complete                  363296    62.0416
incomplete                29441     5.0278
untrusted                 192831    32.9306

Trusted chain statistics
========================

Chain length              Count     Percent
-------------------------+---------+-------
2                         2385      0.5414
3                         428839    97.3397
4                         9314      2.1141
5                         21        0.0048

CA key size in chains     Count
-------------------------+---------
ECDSA 256                 3
ECDSA 384                 3
RSA 1024                  1718
RSA 2045                  1
RSA 2048                  868749
RSA 4096                  17615

Chains with CA key        Count     Percent
-------------------------+---------+-------
ECDSA 256                 3         0.0007
ECDSA 384                 3         0.0007
RSA 1024                  1708      0.3877
RSA 2045                  1         0.0002
RSA 2048                  438889    99.6209
RSA 4096                  17235     3.9121

Signature algorithm (ex. root) Count
------------------------------+---------
ecdsa-with-SHA384              3
sha1WithRSAEncryption          384856
sha256WithRSAEncryption        49903
sha384WithRSAEncryption        12768

Eff. host cert chain LoS  Count     Percent
-------------------------+---------+-------
80                        385704    87.5488
112                       54852     12.4505
128                       3         0.0007

Removing the Thawte 1024 bit roots [1] causes the following changes:

Untrusted: +33 sites.
Incomplete chain: +153, -2 sites.
Complete chain: -184 sites.

Sites that become untrusted:

Adding the certificate from comment 13 in bugzilla [1] changes the stats
compared to the above results in a very small way; only 6 hosts lose untrusted
status:


So in total, removal of the certificates referenced in [1] makes at least 27 hosts
untrusted.

Removal of the GTE root has a bigger impact:

complete -86
incomplete +17, -8
untrusted +77

Since the list is so large, I won't be quoting it here.

As such, I'd say that removing those roots now would be premature.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=986014
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1047011
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
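To make the three chain categories (complete, incomplete, untrusted) and the root-removal comparison used above concrete, here is an added toy example; it is my own illustration, not the scanner behind these numbers. It assumes certificates can be reduced to (subject, issuer) name pairs, performs no signature verification, and the trust store, intermediate cache and host chains are all constructed.

```python
"""Classify server-provided chains as complete / incomplete / untrusted and
measure the effect of distrusting one root. Added toy example, not the original
scanner: certs are (subject, issuer) name pairs only, nothing is verified."""
from collections import Counter

ROOTS = frozenset({"Root A 1024", "Root B", "Root C"})   # trust store (constructed)
# Intermediates seen anywhere in the scan; "Inter A" is cross-signed by two roots.
INTERMEDIATE_CACHE = [
    ("Inter A", "Root A 1024"), ("Inter A", "Root C"),
    ("Inter B", "Root B"), ("Inter B2", "Inter B"),
]

# host -> chain as sent by the server, leaf first (constructed).
HOSTS = {
    "a.example": [("a.example", "Inter A"), ("Inter A", "Root A 1024")],
    "b.example": [("b.example", "Inter B2")],
    "c.example": [("c.example", "Inter A")],
    "e.example": [("e.example", "Inter E"), ("Inter E", "Root A 1024")],
}

def _reaches_root(cert, pool, roots, seen=frozenset()):
    """Depth-first search from cert to any trusted root using certs in pool."""
    subject, issuer = cert
    if issuer in roots:
        return True
    if subject == issuer:            # self-signed, but not in the trust store
        return False
    return any(_reaches_root(c, pool, roots, seen | {c})
               for c in pool if c[0] == issuer and c not in seen)

def classify(chain, roots, cache=INTERMEDIATE_CACHE):
    """complete: the certs the server sent already reach a trusted root;
    incomplete: only with cached intermediates; untrusted: no path at all."""
    leaf, sent = chain[0], chain[1:]
    if _reaches_root(leaf, sent, roots):
        return "complete"
    if _reaches_root(leaf, sent + cache, roots):
        return "incomplete"
    return "untrusted"

def stats(hosts, roots):
    return Counter(classify(chain, roots) for chain in hosts.values())

def removal_effect(hosts, roots, removed_root):
    """Hosts whose status changes, and net count deltas, without removed_root."""
    after = roots - {removed_root}
    changes = {h: (classify(c, roots), classify(c, after)) for h, c in hosts.items()}
    changes = {h: v for h, v in changes.items() if v[0] != v[1]}
    b, a = stats(hosts, roots), stats(hosts, after)
    return changes, {k: a[k] - b[k] for k in ("complete", "incomplete", "untrusted")}
```

Distrusting "Root A 1024" turns a.example from complete into incomplete (its intermediate is reachable only via the cross-signed copy in the cache) and e.example into untrusted, which is the same complete/incomplete/untrusted shift the counts above report.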