On 27/03/14 14:04, Daniel Kahn Gillmor wrote:
On 03/27/2014 09:27 AM, Emilia Kasper wrote:
<snip>
As I said, I have low faith in admin intervention.. According to SSL pulse,
6% of Alexa top 200K sites serve an incomplete chain. You'd think they'd
notice.

I share your skepticism, but to be fair, most of the tools folks are
faced with right now don't give them *any* pointers about what needs to
be done, or even whether they've done the right thing or not.

For most sysadmins (who have lots of different tasks to take care of
that don't relate to the arcana of X.509 validation) the prospect of
sorting this out is "spend a couple hours on search engines reading
random blog posts that disagree with each other to figure out what you
might need to do, and when you're done you won't even be sure that
you're done."

Given this disappointing and frustrating scenario, i am not surprised
that many people don't even bother trying.

You're talking about improving the toolchains they have so that they get
more concrete feedback about what they're doing and explicit suggestions
about what needs to be done to fix the problems.  i think that's great.

BTW, a big +1 on wanting to do something to reduce the number of servers with misconfigured chains!

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
