Recently, an article titled “SSL Certificates In Use Today Aren’t All Valid” hit the top of the popular news aggregator Slashdot.org and was picked up by other popular news outlets. This wildly speculative piece, produced by Qualys, a reputable security research firm, attempted to state that only 3% of all SSL certificates in use on the web are actually valid.
SSL certificates are used to validate identities on the web and are especially critical for e-commerce and identity validation. You’re using an SSL certificate whenever you type https:// into your browser. The claim that only 3% of these certificates are actually valid is definitely a big deal.
Fortunately for us, the conclusions of this article don’t hold water when you dig into the methods used to obtain them. I can assure you that this claim is totally false. There is an easy way to know if a particular SSL certificate is valid, and it works for all of the major browsers in use today: if there is a problem with the validation of an SSL certificate, your browser will tell you. In the case of IE8 and Firefox, the color of the bar on top changes depending on the validity of the certificate: green for good, red for bad.
I’m surprised this article was allowed to be published, given the flawed method from which the conclusion was drawn.
The article’s author basically took the list of all the domains that exist, then pulled out all the ones that had resolver issues or wouldn’t respond. He resolved each domain name to get the IP address that the domain was hosted on. Once the IP was obtained, the author connected over port 443 to that IP in order to obtain the SSL certificate served from it. With a certificate in hand, the author compared the certificate to the domain name which was used to obtain the IP address. When 97% of all domains didn’t match, this article was spawned with its headline-grabbing subject.
The problem is that the author appears to have failed to consider several key issues. The primary one is shared hosting, which is standard practice on the web: many different virtual domains can be hosted from the same server or IP address. I’m using shared hosting for this very page, hosting a bunch of domains from the same physical IP. According to this author’s methods, my SSL certificates would be invalid even though they’re totally legitimate.
I have a certificate that I use for Kozick.com, but I also host the domain coretechconsulting.com. Using the author’s method, coretechconsulting.com resolves to the same IP as Kozick.com. If he were to connect and obtain my certificate, it would say Kozick.com. He would compare that certificate to the original domain and say that it is invalid because it does not match coretechconsulting.com. One server may host multiple domains, but that does not mean that there is an SSL certificate in use for each of them. We have to consider how the certificates are used when judging whether one is indeed invalid. It’s totally legitimate for a server to respond with a certificate for one domain while hosting multiple domains from the same IP address. This does not qualify as invalid.
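As an added example (not the article’s or Qualys’s code), here is a constructed dataset with a simplified hostname check that shows how the resolve-then-compare method flags every extra domain on a shared host. The per-server correction is my assumed reading of the argument above, and every domain and IP other than Kozick.com and coretechconsulting.com is made up.

```python
from collections import defaultdict
# Constructed DNS data: five unrelated domains share the host 203.0.113.10
DNS = {
    "kozick.com": "203.0.113.10",
    "www.kozick.com": "203.0.113.10",
    "coretechconsulting.com": "203.0.113.10",
    "client-a.example.com": "203.0.113.10",
    "client-b.example.com": "203.0.113.10",
    "shop.example.net": "203.0.113.20",
    "mail.example.org": "203.0.113.30",
}
# Constructed: names (CN plus SANs) in the certificate each IP presents on port 443
CERT_NAMES = {
    "203.0.113.10": ["kozick.com", "www.kozick.com"],  # one cert, many hosted domains
    "203.0.113.20": ["*.example.org"],                 # genuinely wrong certificate
    "203.0.113.30": ["*.example.org"],                 # wildcard covers mail.example.org
}

def name_matches(hostname, cert_name):
    """Simplified RFC 6125 check: exact label match, or a single '*' standing in
    for the leftmost label only (so '*.com' is rejected). No IDNA handling."""
    host = hostname.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def cert_valid_for(hostname, names):
    return any(name_matches(hostname, n) for n in names)

def naive_invalid_rate(dns=DNS, certs=CERT_NAMES):
    """The article's method: a domain is 'invalid' if the cert on its IP doesn't name it."""
    bad = sorted(d for d, ip in dns.items() if not cert_valid_for(d, certs[ip]))
    return len(bad) / len(dns), bad

def per_server_invalid_rate(dns=DNS, certs=CERT_NAMES):
    """Assumed correction: a served certificate is only 'invalid' when it names none
    of the domains hosted on that IP, i.e. no hosted site is legitimately covered."""
    hosted = defaultdict(list)
    for domain, ip in dns.items():
        hosted[ip].append(domain)
    bad = sorted(ip for ip, ds in hosted.items()
                 if not any(cert_valid_for(d, certs[ip]) for d in ds))
    return len(bad) / len(hosted), bad

if __name__ == "__main__":
    print("naive:", naive_invalid_rate())            # 4 of 7 domains flagged
    print("per server:", per_server_invalid_rate())  # 1 of 3 servers flagged
```

Three of the four domains the naive count flags are simply co-tenants of the Kozick.com certificate; only 203.0.113.20 presents a certificate that names none of the sites it hosts.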
This headline was meant to be inflammatory; however, the methods used to obtain the actual data and information in the article do not stand up to peer scrutiny. You heard it here: this article is bogus.
Sources:
SSL Certificates In Use Today Aren't All Valid