SSL security is bogus

An insecurity study into the use of SSL certificates has revealed that it is about as effective as an English team preventing a German striker from getting a ball in the back of the net.

Security research firm Qualys scanned 119 million domain names, but found that only 92 million were active. More than 12.4 million domains failed to resolve properly and 14.6 million failed to respond.

Of the active domains that did respond, nearly 34 million responded to the Qualys scan on both port 80 and port 443. Port 80 is typically used for HTTP, while port 443 is typically used for HTTPS, that is, SSL-secured websites.

Director of engineering at Qualys, Ivan Ristic, said that despite stumping up $100 for SSL, only 23 million of the sites tested were actually using it.

It is considered best practice that the name on the SSL certificate matches the name of the domain on which the SSL certificate is being used.

However, Ristic said that only 3.17 percent of the domain names matched. That means that 22 million SSL servers have certificates that are completely invalid because they do not match the domain name on which they reside.

Ristic is going to be chatting to the Black Hat USA conference. He will admit to having a vested interest, in that his outfit has had an SSL security-checking service publicly available for some time.

Ristic built a virtual machine that was able to run 2,000 threads in parallel to scan those millions of domain names. The process took him two days at a speed of 1,000 servers scanned per second.

However when news of his study leaked out here, readers were quick to point out that there were a few holes in his reasoning.

The SSL protocol has required a separate IPv4 address per SSL certificate since 1994, before the Host header was introduced to allow virtual hosting. It means that the Web server cannot see which site the client asked for, and so does not know which certificate to return, until after the SSL handshake has completed.

The study found 22 million Web sites with SSL enabled when there have not been that many certificates sold. So what the study is really showing is an artifact produced by ISPs trying to conserve IPv4 addresses. If 100 Web sites sit on the same machine and four of them have an SSL certificate, the ISP will assign four IPv4 addresses, not five. So each SSL site will share its IPv4 address with an average of 24 other, unrelated sites.
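The readers' argument, and the name-matching best practice mentioned earlier, as an added worked example (not code from the article, Qualys or SSL Labs): a toy hosting layout in which each IPv4 address serves one certificate, scanned by domain name the way a survey would. The addresses, site names and certificate names are constructed for illustration.

```python
# Toy model of the shared-IPv4 artifact; all names and addresses are constructed.

def cert_matches_host(cert_names, hostname):
    """Best-practice check: does the certificate name the host we asked for?
    Accepts an exact match or a wildcard that replaces exactly one leftmost label."""
    hostname = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]                                  # ".example.net"
            label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if label and "." not in label:                     # one label only
                return True
    return False

# Constructed hosting layout: one certificate (or none) per address, plus the
# virtual hosts that share that address.
HOSTING = {
    "192.0.2.10": {"cert": ["shop.example"], "sites": ["shop.example", "blog.example", "cafe.example"]},
    "192.0.2.11": {"cert": ["*.example.net"], "sites": ["www.example.net", "mail.example.net", "news.example.org"]},
    "192.0.2.12": {"cert": None, "sites": ["plain.example"]},
}

def scan_by_domain(hosting):
    """Mimic a name-driven survey: connect to each site's address on 443, take
    whatever certificate that address returns, and compare the name."""
    results = {}
    for host in hosting.values():
        for site in host["sites"]:
            if host["cert"] is None:
                results[site] = "no ssl"
            elif cert_matches_host(host["cert"], site):
                results[site] = "match"
            else:
                results[site] = "mismatch"   # a co-tenant's certificate, not its own
    return results

def summarize(hosting):
    """What the survey would report, next to the number of certificates actually bought."""
    results = scan_by_domain(hosting)
    return {
        "ssl_enabled": sum(r != "no ssl" for r in results.values()),
        "match": sum(r == "match" for r in results.values()),
        "mismatch": sum(r == "mismatch" for r in results.values()),
        "certificates_sold": sum(h["cert"] is not None for h in hosting.values()),
    }
```

`summarize(HOSTING)` reports six sites "with SSL enabled" and three name mismatches, although only two certificates were ever bought and both match the site that bought them.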