It should be no surprise that the SSL security certificate business is big business, considering how SSL certificates are seen as being on the frontlines of securing Web transactions against fraud. But new data suggests that SSL certificates are not all being configured correctly.
Security research firm Qualys is attempting to paint a detailed picture of SSL deployments and their shortcomings with a new, still under-development study that aims to deliver a deeper degree of information on the state of the SSL marketplace than what is currently known. Most industry intelligence on the subject thus far has come from Netcraft research reports and from vendor reports.
In its study, Qualys scanned 119 million domain names, but found that only 92 million were active. Approximately 12.4 million domains failed to resolve properly and 14.6 million failed to respond. Of the active domains that did respond, nearly 34 million responded to the Qualys scan on both port 80 and port 443. Port 80 is typically used for HTTP while port 443 is typically used for HTTPS-, SSL-secured Websites.
Digging a layer deeper into the active sites on Port 443, Ivan Ristic, director of engineering at Qualys, said in a Webcast that he found that only about 23 million of the sites were actually running SSL.
SSL certificates can be generated for any domain name. It is considered to be a best practice that the name on the SSL certificate matches the name of the domain on which the SSL certificate is being used, though Ristic’s research shows that’s not always the case.
“Only about 3.17 percent of the domain names matched,” Ristic said. “So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside.”
Detecting invalid SSL certificates
In a preview of a talk set to be delivered at this summer’s Black Hat USA conference, Ristic explained that his company has had an SSL security-checking service available publicly for some time. However, the Qualys SSL checker required that users came to the site to check their own SSL status. With the new research conducted by Ristic, Qualys set about scanning the Internet to collect information on how sites are implementing SSL.
“For us, the question is: How exactly is SSL used on the Internet as a whole?” Ristic said during the Webcast. “Interestingly enough, as popular as SSL is, no one had made public the information about how it is used.”
According to VeriSign, there are currently approximately 193 million domain names. In terms of SSL, Netcraft reports that there are 1.5 million SSL certificates. Ristic decided to focus his research on the total number of .com, .net, .org, .biz, .us and .info domains, which total 119 million domain names in total.
Ristic explained that he built a virtual machine that was able to run 2,000 threads in parallel to scan those millions of domain names. The process took him two days at a speed of 1,000 servers scanned per second.
In response to a question from InternetNews.com about his testing hardware and software infrastructure, Ristic noted that the scanning software had been custom-written for the task.
“The hardware was nothing special — I’m using a virtual server in the cloud and it’s just a medium-sized box,” Ristic said. “The trick to why the tests are quick is that it’s only a couple of network packets that are being exchanged, and that’s enough to determine if the server on the other side is capable of supporting the protocol.”
As part of the complete report that he is working on, Ristic said that he’ll be doing a deeper analysis of 720,000 SSL certificates that he uncovered in his initial scan and considers valid. The plan is to collect up to 300 data points on each SSL server to better understand how the certificates are deployed and configured.