The HTTP protocol transmits data in clear text and is therefore susceptible to information theft. The Transport Layer Security (TLS) protocol adds privacy and integrity to the session. Implementing TLS requires some server configuration and a digital certificate, which can be purchased from a public Certificate Authority (CA) or issued by an internal CA.
In recent years many TLS vulnerabilities have been published and demonstrated. These weaknesses are the result of bad implementations, public CAs that issue rogue certificates, and protocol design issues. This survey covers the Israeli IP address space and shows that only half of the discovered certificates are issued by trusted public CAs; the rest are divided between private CAs and self-signed certificates. 75% of the untrusted certificates have a partial chain and the rest are already expired. Trusted certificates are those that pass the chain build successfully:
- Issued by a trusted certificate authority.
- The chain is complete.
- Name is valid.
- Certificate is valid (not expired).
- Certificate authority revocation is found.
- Certificate is not in CRL (Certificate Revocation List)
Of the trusted certificates, 9% still use the weak SHA-1 signing algorithm, but 99% use keys of 2048 bits or larger. 50% of the servers using those trusted certificates still support the SSL2/3 protocols and use weak cipher suites. Most of the untrusted certificates protect network security devices such as routers, firewalls, IP cameras and cloud storage, and these provide the worst security. This survey covers:
- An introduction to the TLS protocol, its history and vulnerabilities.
- Survey tools and methodology.
- Results summary.
- Raw data.
There is a lot to be done to improve the security that TLS can provide. Having a “good” certificate is not enough: servers and web sites need better hardening, and organizations should replace untrusted certificates with trusted ones.
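An added example, not part of the survey: a shell script that reproduces the chain-build outcomes counted above (trusted, partial chain, expired, self-signed) with `openssl verify` on a constructed lab PKI. The file names, common names, lifetimes and the mapping of OpenSSL verify error codes 10, 18, 20 and 21 to the survey's categories are assumptions made here; name validation and revocation checking are not exercised.

```shell
#!/bin/sh
# Added example: constructed lab PKI (root -> issuing CA -> leaf) plus one
# self-signed certificate. Names, lifetimes and labels are hypothetical.
set -e

new_csr() {  # $1 = file stem, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

build_lab() {  # creates the certificates in a fresh temp dir and cds into it
  cd "$(mktemp -d)"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_csr root "Lab Root CA"
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.crt >/dev/null 2>&1
  new_csr int "Lab Issuing CA"
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.crt >/dev/null 2>&1
  new_csr leaf "www.example.test"
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 10 -out leaf.crt >/dev/null 2>&1
  new_csr self "device.example.test"
  openssl x509 -req -in self.csr -signkey self.key -days 10 \
    -out self.crt >/dev/null 2>&1
}

classify() {  # arguments are passed straight to `openssl verify`
  rc=0; out=$(openssl verify "$@" 2>&1) || rc=$?
  code=$(printf '%s\n' "$out" |
    sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  case "$rc:$code" in
    0:)        echo trusted ;;
    *:10)      echo expired ;;        # certificate has expired
    *:18)      echo self-signed ;;    # depth-zero self-signed certificate
    *:20|*:21) echo partial-chain ;;  # issuer certificate not available
    *)         echo untrusted ;;
  esac
}

build_lab
LATER=$(( $(date +%s) + 20 * 86400 ))  # 20 days ahead: the 10-day leaf has expired
echo "full chain:      $(classify -CAfile root.crt -untrusted int.crt leaf.crt)"
echo "no intermediate: $(classify -CAfile root.crt leaf.crt)"
echo "self-signed:     $(classify -CAfile root.crt self.crt)"
echo "checked later:   $(classify -attime "$LATER" -CAfile root.crt -untrusted int.crt leaf.crt)"
```

The second case is the one a server produces when it is configured with its leaf certificate only and does not send the issuing CA certificate.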