SSL Pulse is an initiative ran by Qualys to monitor the overall health of the SSL deployments on the Internet. It is based on the SSLLABS work Ivan Ristik has done; he has recently published the data used to derive these reports.
There are some interesting findings in buried in the raw data, for example:
- Most of the certificates (85%?) are expired.
- Most of the certificates are self-signed or from internal PKIs.
- Those 5 “shorter than 1024bit” keys in the Pulse Dashboard are down to 3 (based on manual verification) are time valid certificates from public CAs, two expire this year the last in 2014.
|Host||Issuance Date||Expiration Date||Key Size||Issuer|
|www.pysoft.com||01/25/2009||02/24/2014||512||Equifax Secure Global eBusiness CA-1|
|www.comlink.com.br||10/13/2009||11/07/2012||512||Thawte Premium Server CA|
|www.rtp.com||04/13/2009||06/04/2012||512||Thawte Premium Server CA|
- There are 2,472 RSAwithMD5 certificates in the 215,607 sample-set or around .01% of the hosts.
This last point gives us some context to some numbers Venafi published recently, they indicated 17.4% of the certificates they see are signed using MD5; this is a rate significantly higher than what we see here. Its probably safe to assume the difference is that their sample is primarily derived from intranets where private CAs are commonly are set up and forgotten.
For me the largest conclusion we can take from this data appears to be that there is a large number of organizations who set-up SSL (and PKIs) and simply forget about them – this is of course not a surprise but it’s neat to see it backed up with numbers.