Re: [cryptography] fyi: another TLS/SSL certs-in-the-wild survey (Holz et al)

2011-09-30 Thread Ralph Holz 
Hi,

I wanted to write a mail last night to this list, but you got there
first. :-)

Yes, we put the paper online; as soon as I am back from my vacation
we'll start releasing all remaining data sets.

PS: What I hope for is if people can find anything that we missed. Say,
in the data sets from, e.g., China, Russia and a few other places. For
that, they'll need the ones from TUM to be able to compare.

Ralph

On 09/29/2011 07:01 PM, =JeffH wrote:
 http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/imc-pkicrawl-2.pdf
 
 
 The SSL Landscape - A Thorough Analysis of the X.509
 PKI Using Active and Passive Measurements
 Ralph Holz, Lothar Braun, Nils Kammenhuber, Georg Carle
 Technische Universität München


-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/



signature.asc
Description: OpenPGP digital signature
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

[cryptography] fyi: another TLS/SSL certs-in-the-wild survey (Holz et al)

2011-09-29 Thread =JeffH 

http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/imc-pkicrawl-2.pdf

The SSL Landscape - A Thorough Analysis of the X.509
PKI Using Active and Passive Measurements
Ralph Holz, Lothar Braun, Nils Kammenhuber, Georg Carle
Technische Universität München

ABSTRACT
The SSL and TLS infrastructure used in important protocols like
HTTPs and IMAPs is built on an X.509 public key infrastructure
(PKI). X.509 certificates are thus used to authenticate services like
online banking, shopping, e-mail, etc. However, it always has been
felt that the certification processes of this PKI may not be conducted
with enough rigor, resulting in a deployment where many
certificates do not meet the requirements of a secure PKI.
This paper presents a comprehensive analysis of X.509 certificates
in the wild. To shed more light on the state of the deployed
and actually used X.509 PKI, we obtained and evaluated data from
many different sources. We conducted HTTPs scans of a large
number of popular HTTPs servers over a 1.5-year time span, including
scans from nine locations distributed over the globe. To
compare certification properties of highly ranked hosts with the
global picture, we included a third-party scan of the entire IPv4
space in our analyses. Furthermore, we monitored live SSL/TLS
traffic on a 10Gbps uplink of a large research network. This allows
us to compare the properties of the deployed PKI with the part of
the PKI that is being actively accessed by users.
Our analyses reveal that the quality of certification lacks in stringency,
due to a number of reasons among which invalid certification
chains and certificate subjects give the most cause for concern.
Similar concerns can be raised for other properties of certification
chains and also for many self-signed certificates used in the deployed
X.509 PKI. Our findings confirm what has long been believed
– namely that the X.509 PKI that we use so often in our
everyday’s lives is in a sorry state.

Categories and Subject Descriptors
C.2.2 [Computer-Communication Networks]: Network Protocols—
SSL, TLS, X.509; C.2.3 [Computer-Communication Net-
works]: Network Operations—SSL, TLS, X.509; E.3 [Data En-
cryption]: Public key cryptosystems, Standards, SSL, TLS, X.509;
H.4.3 [Information Systems Applications]: Communications Applications—
Electronic mail, Information browsers, SSL, TLS

General Terms
Security, Measurement, Human Factors

Keywords
SSL, TLS, HTTPS, X.509, Certificates, Public Key Infrastructure




___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography