SSL Study Shows Most Sites Incorrectly Configured

LAS VEGAS — Secure Sockets Layer is a standard mechanism websites use to help secure data and transactions, but according to Qualys security researcher Ivan Ristic, most SSL sites are actually misconfigured.

Ristic delivered his study here at the Black Hat security conference as an update to the preliminary data he published last month.

In the final study, Ristic said he examined 867,000 SSL certificates in which the name on the certificate matched the name of the domain. In his preliminary research, Ristic documented that the vast majority — nearly 97 percent — of SSL certificates do not have the proper name on them and don’t match the underlying domain.

Of the certificates that matched, only one third were correctly configured, Ristic said. By his definition, a correct configuration ensures that the encryption key is 2,048 bits or stronger and has disabled support for the older SSLv2 protocol.
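The two criteria Ristic uses for a "correct" configuration, plus the name-match test from the preliminary study, can be expressed as a small offline checker. This is an added example, not code from the study or from Qualys; the certificate dictionaries are constructed to mimic the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the key size and protocol list are passed in as plain values so the check runs without any network access. The hostname matching follows the usual rule that a wildcard may only be the entire leftmost label and matches exactly one label.

```python
"""Offline assessment of an SSL site against the study's criteria:
certificate name matches the host, key >= 2048 bits, SSLv2 disabled.
Added example (not the study's code); certificate data is constructed."""


def cert_names(cert):
    """DNS names from subjectAltName; fall back to the CN only if none exist."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive compare; '*' must be the whole leftmost label,
    needs at least two further labels, and matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    return any(name_matches(name, hostname) for name in cert_names(cert))


def assess(cert, hostname, key_bits, enabled_protocols,
           min_key_bits=2048, banned_protocols=("SSLv2",)):
    """Return a list of findings; an empty list means the site passes.
    The defaults are the study's thresholds; pass others to tighten them."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate name does not match {hostname}")
    if key_bits < min_key_bits:
        findings.append(f"key is {key_bits} bits, below {min_key_bits}")
    for proto in enabled_protocols:
        if proto in banned_protocols:
            findings.append(f"{proto} is enabled")
    return findings


# Constructed sample "survey": (hostname, cert, key bits, enabled protocols)
GOOD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
MISMATCHED_CERT = {"subject": ((("commonName", "other.example.net"),),)}
SAMPLE_SITES = [
    ("www.example.com", GOOD_CERT, 2048, ["SSLv3", "TLSv1"]),
    ("www.example.com", GOOD_CERT, 1024, ["SSLv2", "SSLv3", "TLSv1"]),
    ("www.example.com", MISMATCHED_CERT, 2048, ["TLSv1"]),
]


def survey(sites=SAMPLE_SITES):
    """Mirror the study's two stages: count name-matching sites, then how
    many of those pass the remaining checks."""
    matched = correct = 0
    for hostname, cert, key_bits, protocols in sites:
        if not hostname_matches(cert, hostname):
            continue
        matched += 1
        if not assess(cert, hostname, key_bits, protocols):
            correct += 1
    return {"total": len(sites), "name_matched": matched, "correct": correct}


if __name__ == "__main__":
    for hostname, cert, key_bits, protocols in SAMPLE_SITES:
        print(hostname, assess(cert, hostname, key_bits, protocols) or "OK")
    print(survey())
```

Only the subjectAltName DNS entries are consulted when they exist, which is how browsers treat certificates that carry both a CN and a SAN list; the CN fallback covers older certificates that have no SAN extension.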

As to why he thinks that so few sites are correctly configured for SSL, Ristic points to a lack of adequate documentation and education on the topic.

Though most sites today aren’t properly configured, Ristic stressed that in his view the entire Internet should use SSL, though he admits that’s likely not going to happen any time soon.

There are also other areas of SSL exploration that Ristic wants to examine.

“In the future we will go much deeper. In this study we only retrieved the home page of each site,” he told “In the next step we’ll crawl a larger part of the sites to see if there is a mixture of encrypted and non-encrypted areas and to see if cookies and sessions are secure.”

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.

Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
