----- Original Message -----
> From: "Kurt Roeckx" <[email protected]>
> To: [email protected]
> Sent: Monday, 8 September, 2014 10:48:35 AM
> Subject: 1024 bit root removal in the news
>
> In case nobody saw it yet, those things were in the news:
> https://community.rapid7.com/community/infosec/sonar/blog/2014/09/04/107000-web-sites-no-longer-trusted-by-mozilla
> http://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
>
> I think those are misleading:
> - They count certificates that already expired
> - They probably count certificates seen on multiple IPs multiple

Well, my scan also includes them: you can have sites with multiple SANs serving different content depending on IP or hostname... So deprecation of a single certificate may actually cause problems for multiple /different/ sites.

> - They don't take into account that the site might send an alternative
> root that is not 1024 bit.

or even be able to link to a different root provided the browser has a different intermediate certificate cached...

But I'd say there's an even bigger problem: they used historic data. Many sites were contacted by CAs to change their certificates to use different roots; they will still be counted towards the 107000 total even when their current configuration uses good roots (and was detected as such in their most recent scan)!

So yes, the numbers were artificially inflated "a bit".

> Hubert Kario's stats posted here are way more useful.

Thank you :)

-- 
Regards,
Hubert Kario

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
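The counting objections raised in this thread (expired certificates, the same certificate seen on several IPs, an alternative chain to a stronger root, and historic rather than most-recent scan data) can be made concrete with a small script. The following is an added example, not code from the thread, from Hubert Kario's scan, or from Rapid7; the dataset, hostnames, fingerprints and the `Observation` record layout are all constructed for illustration. It contrasts a headline-style count of observations with a per-site count that keeps only the latest scan of each host, drops expired certificates, and ignores sites that can also chain to a root stronger than 1024 bits. Note that it deliberately does not collapse results by certificate alone, since one SAN certificate may front several distinct sites.

```python
"""Added example (not part of the mailing-list thread): how the counting
rules discussed above change the number of sites 'affected' by the removal
of 1024-bit roots, run over a constructed scan dataset."""
from dataclasses import dataclass
from datetime import datetime, timezone

WEAK_BITS = 1024  # root keys of this size are the ones being removed


@dataclass(frozen=True)
class Observation:
    """One TLS scan result. Constructed record; field names are assumptions."""
    host: str
    ip: str
    scanned: datetime
    fingerprint: str            # leaf certificate fingerprint
    not_after: datetime         # leaf certificate expiry
    served_root_bits: int       # key size of the root the served chain ends in
    alt_root_bits: tuple = ()   # roots reachable via another (e.g. cached) intermediate


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _d(2014, 9, 8)  # evaluation date, matching the thread's timeframe

# Constructed dataset exercising each of the objections from the thread.
OBS = [
    # same certificate seen on two IPs of one site
    Observation("example-a.test", "192.0.2.1", _d(2014, 8, 1), "fp-A", _d(2015, 1, 1), 1024),
    Observation("example-a.test", "192.0.2.2", _d(2014, 8, 1), "fp-A", _d(2015, 1, 1), 1024),
    # certificate valid when scanned, but expired by now
    Observation("example-b.test", "192.0.2.3", _d(2014, 6, 1), "fp-B", _d(2014, 7, 1), 1024),
    # historic scan shows a weak root; the most recent scan shows the site reissued
    Observation("example-c.test", "192.0.2.4", _d(2014, 7, 1), "fp-C", _d(2015, 3, 1), 1024),
    Observation("example-c.test", "192.0.2.4", _d(2014, 9, 1), "fp-C2", _d(2016, 3, 1), 2048),
    # served chain ends in a weak root, but a 2048-bit root is reachable via another intermediate
    Observation("example-d.test", "192.0.2.5", _d(2014, 8, 15), "fp-D", _d(2015, 6, 1), 1024, (2048,)),
    # one SAN certificate serving two distinct sites
    Observation("example-e.test", "192.0.2.6", _d(2014, 8, 20), "fp-E", _d(2015, 9, 1), 1024),
    Observation("example-f.test", "192.0.2.7", _d(2014, 8, 20), "fp-E", _d(2015, 9, 1), 1024),
]


def naive_count(observations):
    """Headline-style count: every observation whose served chain ends in a
    weak root, regardless of expiry, duplicates, scan age or alternative chains."""
    return sum(1 for o in observations if o.served_root_bits <= WEAK_BITS)


def affected(observations, now=NOW):
    """Refined view: latest scan per host, unexpired, and no path to a stronger
    root. Returns (sorted affected hosts, sorted distinct certificate fingerprints)."""
    latest = {}
    for o in observations:
        if o.host not in latest or o.scanned > latest[o.host].scanned:
            latest[o.host] = o

    hosts, certs = set(), set()
    for o in latest.values():
        if o.not_after <= now:
            continue  # already expired: it must be replaced regardless of the root
        reachable = (o.served_root_bits,) + tuple(o.alt_root_bits)
        if max(reachable) > WEAK_BITS:
            continue  # a client can build a chain to a root that stays trusted
        hosts.add(o.host)
        certs.add(o.fingerprint)
    return sorted(hosts), sorted(certs)


if __name__ == "__main__":
    hosts, certs = affected(OBS)
    print("naive observation count:", naive_count(OBS))
    print("sites still affected:   ", len(hosts), hosts)
    print("distinct certificates:  ", len(certs), certs)
```

On this constructed data the naive rule reports 7 hits while only 3 sites (sharing 2 certificates) would actually lose trust, which is the kind of gap the thread describes; the per-site and per-certificate figures are reported separately because, as the reply points out, one certificate can stand for several sites.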

