Minimum RSA public key lengths: guidelines or rules?

The length of an RSA public key gives an indication of the strength of the encryption: the shorter the public key is, the easier it is for an attacker to brute-force. An attacker, armed with a compromised private key derived from a short public key, would be able to decrypt both past and future SSL-secured connections if she were able to intercept the encrypted traffic. She could also impersonate the organisation to which the SSL certificate was issued if she has the opportunity to manipulate DNS lookups. Both the CA/B Forum (a consortium of certificate authorities (CAs) and major browser vendors) and NIST [PDF] (the agency which publishes technical standards for US governmental departments) have recommended that sub-2048-bit RSA public keys be phased out by the end of 2013.

According to the CA/B Forum's own Baseline Requirements [PDF] — effective 1st July 2012 — member certificate authorities are required to reject a request to sign an RSA public key shorter than specified in the following table:

| Certificate expiry date | Minimum RSA public key length |
|---|---|
| On or before 31st December 2013 | 1024 |
| After 31st December 2013 | 2048 |

Nevertheless, these key sizes are not guaranteed, as several CA/B Forum members have issued non-compliant SSL certificates since 1st July 2012. Trustwave, Symantec, KEYNECTIS, and TAIWAN-CA have all signed certificates which fall foul of their organisation's requirement of 2048-bit RSA public keys for certificates expiring after 2013, demonstrating that the key length requirement is being treated as a guideline (which by definition is neither binding nor enforced), rather than a rule.

They are by no means the only CAs signing short RSA public keys: more than 10 years after Netcraft's first blog post on the topic and 12 years after RSA-155 [PDF], 512-bit RSA public keys are still appearing in SSL certificates. A 512-bit RSA public key was signed as recently as July 2012 by Swisscom.

Most, but not all, of the major browser and operating system vendors either disallow access or display a warning message when accessing a website using an SSL certificate with a 512-bit RSA public key: the latest versions of Safari (although not the mobile version on iOS 5.1), Opera, Google Chrome, and Internet Explorer (via an update to Windows; planned to be rolled out in October 2012) do so. Notably, Mozilla Firefox does not yet reject such certificates.

Most Reliable Hosting Company Sites in August 2012

| Rank | Company site | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Qube Managed Services | Linux | 0:00:00 | 0.003 | 0.170 | 0.133 | 0.270 | 0.271 |
| 2 | Datapipe | FreeBSD | 0:00:00 | 0.007 | 0.079 | 0.017 | 0.036 | 0.054 |
| 3 | iWeb Technologies | Linux | 0:00:00 | 0.007 | 0.127 | 0.085 | 0.170 | 0.170 |
| 4 | www.netcetera.co.uk | Windows Server 2008 | 0:00:00 | 0.007 | 0.045 | 0.139 | 0.281 | 0.701 |
| 5 | XILO Communications Ltd. | Linux | 0:00:00 | 0.007 | 0.376 | 0.141 | 0.406 | 0.687 |
| 6 | ReliableServers.com | Linux | 0:00:00 | 0.010 | 0.172 | 0.073 | 0.180 | 0.219 |
| 7 | New York Internet | FreeBSD | 0:00:00 | 0.013 | 0.150 | 0.071 | 0.223 | 0.500 |
| 8 | INetU | Windows Server 2008 | 0:00:00 | 0.013 | 0.105 | 0.093 | 0.271 | 0.549 |
| 9 | Server Intellect | Windows Server 2008 | 0:00:00 | 0.017 | 0.149 | 0.055 | 0.111 | 0.278 |
| 10 | www.choopa.com | Linux | 0:00:00 | 0.020 | 0.213 | 0.089 | 0.183 | 0.261 |


Qube Managed Services, a London-based company which specialises in virtual hosting, was the most reliable hosting company in August. With infrastructure in London, Zurich and New York, they provide Virtual Data Centres and Managed Hosting in addition to server co-location. Having placed in the top 10 twice before in the past six months, Qube's top place this month is well-deserved with 99.997% of requests succeeding.

Datapipe and iWeb Technologies placed second and third this month with the same percentage of successful requests. Datapipe, whose connection times were on average faster, runs its data centres entirely on renewable energy and is recognised by the Environmental Protection Agency as a Green Power partner. iWeb offers dedicated and virtual servers in addition to a number of advanced solutions such as Web Clusters, ideal for customers requiring high availability.

Netcetera and XILO also both placed highly this month with the same number of successful requests as Datapipe and iWeb, putting them in fourth and fifth places respectively.

As we've seen in previous months, the most reliable hosting companies are all powered by Linux, FreeBSD or Windows Server 2008. The last time a different operating system placed in the top 10 was when Windows Server 2003 appeared, back in February.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event that the number of failed requests is equal, sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

Governments and banks still using weak MD5-signed SSL certificates

More than a thousand websites – including several government sites – are still using SSL certificates with weak signature algorithms.

Netcraft's August 2012 SSL Survey shows there are 1,300 websites still using SSL certificates that have been signed using the cryptographically weak MD5 digest algorithm. This algorithm is demonstrably vulnerable to several types of attack, including collision attacks.

The first use of this vulnerability against SSL was demonstrated back in December 2008, when security researchers showed how an MD5 hash collision could be exploited to create a rogue certificate authority (CA) certificate that would be trusted by all common web browsers. This rogue certificate could have been used to sign arbitrary subscriber certificates, thus allowing an attacker to convincingly impersonate any secure website on the internet.

At the time of the 2008 discovery, Netcraft's SSL Survey showed that 14% of all SSL certificates were signed using the vulnerable MD5 algorithm.

A few months later, the developers of Google Chrome suggested that some browser developers would be dropping support for MD5-signed certificates at some point; however, given the number of sites still using MD5-signed certificates, it was thought that suddenly removing support for such certificates would have an undesirably large impact on users.

As the majority of MD5-signed certificates have since expired or been replaced, browser vendors and certificate authorities have been gradually phasing out support for such certificates. Apple removed support for MD5-signed certificates in an iOS 5 update last year, and Chrome's developers subsequently revisited the issue and revised their browser to display an interstitial warning about MD5 being a weak signature algorithm. This immediately caused problems for users of certain corporate proxies, where a man-in-the-middle approach was used to decrypt SSL traffic before presenting it to the client with a trusted MD5-signed certificate.

The CA GeoTrust has added the affected certificates to its certificate revocation lists at http://www.geotrust.com/resources/repository/crls/, which has resulted in the certificates being rejected as invalid in many of today's browsers, including Chrome, Opera and Internet Explorer. However, sites which currently use MD5-signed certificates can be viewed with the latest version of Mozilla Firefox without receiving any warnings, as the relevant certificate revocation lists have to be added manually, and none of the certificates specifies an OCSP server for checking the revocation status.

The CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates [pdf] no longer allow the MD5 digest algorithm to be used for root, subordinate or subscriber certificates. All but two of the 1,123 unique MD5-signed certificates still in use on the web were issued by Equifax between 2006 and 2008, with validity periods ranging between 4 and 6 years.

The remaining two MD5-signed certificates were issued by VeriSign. These do not appear to have been revoked, but are due to expire in less than a month. In the worst case, all MD5-signed certificates currently in use on the web will have expired naturally by March 2014, regardless of whatever measures have been taken by browser vendors and certificate authorities.

Several government websites are currently operating with MD5-signed certificates, including a few in Australia, a couple in New Zealand, and one in each of Ireland and the UK. The most recently issued certificates are marked as being valid from 30th December 2008 – the same day as the publication of the hash collision demonstration.

Other notable users of weak MD5-signed certificates include Reliance Bank, Commencement Bank, several online billing websites, dozens of corporate webmail services, purportedly secure hosting providers, a number of schools and universities, and even a reseller of GeoTrust SSL certificates.
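The MD5 rule described in this post and the RSA key-length table from the key-length post above can be checked mechanically. The following is an added example, not Netcraft's code: it assumes certificates have been dumped with `openssl x509 -noout -text`, the sample dump is constructed rather than taken from a real certificate, and the function names are hypothetical.

```python
import re
from datetime import date, datetime

# Last expiry date for which the table on this page still allows 1024-bit RSA.
LAST_1024_EXPIRY = date(2013, 12, 31)

# Constructed sample in the layout of `openssl x509 -noout -text`; not a real certificate.
SAMPLE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XX, O=Example CA (constructed)
        Validity
            Not Before: Dec 30 00:00:00 2008 GMT
            Not After : Mar  1 23:59:59 2014 GMT
        Subject: CN=www.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""


def parse_cert_text(text):
    """Extract signature algorithm, key algorithm, key size and expiry date."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if not (sig and alg and end):
        raise ValueError("not a recognisable certificate text dump")
    # Collapse the padding openssl puts before single-digit days ("Mar  1").
    stamp = " ".join(end.group(1).split())
    return {
        "sig_alg": sig.group(1),
        "key_alg": alg.group(1),
        "bits": int(bits.group(1)) if bits else None,
        "not_after": datetime.strptime(stamp, "%b %d %H:%M:%S %Y").date(),
    }


def audit(text):
    """Return policy findings for one certificate; an empty list means none."""
    cert = parse_cert_text(text)
    findings = []
    if cert["sig_alg"].lower().startswith("md5"):
        findings.append("signed with MD5, which is no longer allowed")
    if cert["key_alg"] == "rsaEncryption":
        minimum = 1024 if cert["not_after"] <= LAST_1024_EXPIRY else 2048
        if cert["bits"] is None or cert["bits"] < minimum:
            findings.append(f"RSA key of {cert['bits']} bits is below the "
                            f"{minimum}-bit minimum for expiry {cert['not_after']}")
    return findings
```

The constructed sample trips both checks: it is MD5-signed and carries a 1024-bit key on a certificate expiring after 31st December 2013.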

Phishing on sites using SSL Certificates

Over the years the Internet community has been taught that one of the key steps in protecting their personal information on the Internet is to ensure that it is entered only over an encrypted connection, perhaps by looking for the lock symbol in the browser address bar or web addresses beginning with https://. As a result, phishing attacks which make use of SSL certificates are especially dangerous as most users associate the presence of a valid SSL certificate with an increased level of assurance. Such attacks erode the reputation of Certificate Authorities and SSL certificates, which makes identifying and revoking maliciously used certificates a material issue.

Netcraft's anti-phishing feed has blocked over 5 million unique phishing sites to date, receiving over 4 reports a minute from our reporter community, and while the majority of phishing attacks run over HTTP, a significant number run on sites for which SSL certificates have been issued. In July 2012 alone, Netcraft found 505 unique valid certificates on blocked sites.

The following table, produced for the Netcraft SSL Survey, shows the number of unique valid certificates returned by phishing sites that were blocked by Netcraft in July 2012:

| Certificate Authority (CA) | Unique certificates | ...with matching Common Names | ...and accessed by https:// |
|---|---|---|---|
| Symantec | 216 | 41 | 21 |
| Comodo | 130 | 16 | 7 |
| Go Daddy | 67 | 19 | 8 |
| Other | 41 | 11 | 6 |
| GlobalSign | 39 | 2 | 1 |
| DigiCert | 12 | 2 | 2 |

The columns of the table are ordered left to right by trustworthiness, as using a valid SSL certificate is not always enough to trick a user into trusting a phishing website and two further conditions have to be met:

  • The Subject Common Name of the certificate has to match the hostname of the phishing site that returned it. Some sites will return the hosting company's certificate when requested over HTTPS. As most modern browsers display warnings when a non-matching certificate is encountered (pictured below), such certificates only serve to make the user more suspicious instead of increasing the perceived security of the site.
  • The phishing attack has to actively use the SSL certificate by including https:// in the phishing URL. Having a valid SSL certificate does not make a phishing site appear more trustworthy if victims only access it over HTTP.

[Image: A phishing site accessed over HTTPS displays the SSL certificate for the hosting company.]

Fraudsters will often host their phishing content on a compromised website and so can make use of the website's legitimate certificate; however, they may not have realized that SSL services are available and so serve the content over HTTP. None of the certificates found on phishing sites in this period appeared to have been issued specifically for the purpose of phishing.
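For triage of blocked sites, the three nested columns of the table can be computed from per-site observations as sketched below. This is an added example and an assumption about how such a tally could be built, not Netcraft's survey code; the CA labels, certificate ids, hostnames and function names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed observations: (issuing CA, certificate id, Subject CN, blocked URL).
OBSERVATIONS = [
    ("CA-A", "cert1", "shop.example.test", "https://shop.example.test/login"),
    ("CA-A", "cert1", "shop.example.test", "http://shop.example.test/other"),
    ("CA-A", "cert2", "*.hosting.example", "http://victim.hosting.example/p"),
    ("CA-A", "cert3", "hosting.example", "http://customer.example.test/p"),
    ("CA-B", "cert4", "*.hosting.example", "https://a.b.hosting.example/"),
]


def cn_matches(common_name, hostname):
    """True if the Subject CN covers the hostname (case-insensitive)."""
    cn = common_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if cn.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        head, _, tail = host.partition(".")
        return bool(head) and tail == cn[2:]
    return cn == host


def funnel(observations):
    """Per CA: [unique certs, ...with matching CN, ...and used via https://]."""
    per_cert = {}
    for ca, cert_id, cn, url in observations:
        parts = urlsplit(url)
        match = cn_matches(cn, parts.hostname or "")
        https = match and parts.scheme == "https"
        _, had_match, had_https = per_cert.get(cert_id, (ca, False, False))
        # A certificate counts once, at the strongest condition any URL met.
        per_cert[cert_id] = (ca, had_match or match, had_https or https)
    table = {}
    for ca, match, https in per_cert.values():
        row = table.setdefault(ca, [0, 0, 0])
        row[0] += 1
        row[1] += int(match)
        row[2] += int(https)
    return table
```

A certificate that belongs to the hosting company rather than the phishing hostname (cert3 and cert4 in the constructed data) is counted only in the first column.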

Taking Certificate Authority market shares into consideration, Go Daddy has a lower proportion of its SSL certificates used in phishing attacks than the other large CAs, in part because it provides the hosting for a large proportion of the certificates which it issues and is a long-term user of Netcraft's feed to remove phishing attacks.

Most Reliable Hosting Company Sites in July 2012

| Rank | Company site | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | New York Internet | FreeBSD | 0:00:00 | 0.000 | 0.161 | 0.082 | 0.166 | 0.494 |
| 2 | www.logicworks.net | Linux | 0:00:00 | 0.003 | 0.143 | 0.082 | 0.548 | 0.689 |
| 3 | www.netcetera.co.uk | Windows Server 2008 | 0:00:00 | 0.003 | 0.109 | 0.120 | 0.242 | 0.604 |
| 4 | Swishmail | FreeBSD | 0:00:00 | 0.007 | 0.133 | 0.073 | 0.147 | 0.368 |
| 5 | iWeb Technologies | Linux | 0:00:00 | 0.007 | 0.145 | 0.082 | 0.163 | 0.163 |
| 6 | Datapipe | FreeBSD | 0:00:00 | 0.010 | 0.151 | 0.025 | 0.051 | 0.077 |
| 7 | www.choopa.com | Linux | 0:00:00 | 0.010 | 0.192 | 0.093 | 0.191 | 0.272 |
| 8 | www.memset.com | Linux | 0:00:00 | 0.010 | 0.170 | 0.124 | 0.248 | 0.504 |
| 9 | ReliableServers.com | Linux | 0:00:00 | 0.013 | 0.215 | 0.088 | 0.180 | 0.256 |
| 10 | www.cwcs.co.uk | Linux | 0:00:00 | 0.017 | 0.343 | 0.137 | 0.278 | 1.006 |

The most reliable hosting company in July with no failed requests was New York Internet, which last month ranked third. They opened their first facility in Lower Manhattan in 1996, and also run a datacentre 40 miles away in New Jersey for business continuity and backup operations. Within our million busiest websites, Opera's FastMail service is the most popular website hosted by New York Internet.

Logicworks and Netcetera had the same number of failed requests and are therefore ranked by average connection time in second and third places respectively. Logicworks, which last appeared in the top ten in February in seventh position, offers cloud computing and managed hosting to some prominent brands including Dow Jones and NBC. Netcetera appeared in first place last month; however, despite slipping slightly to third, they actually experienced a drop in the number of failed requests this month.

Swishmail (ranked fourth) and iWeb Technologies (ranked fifth) also had the same number of failed requests, but had connection times of 73ms and 82ms respectively. Both companies have now appeared in the top ten for the fifth time this year.

Linux is the favourite choice of operating system for this month’s most reliable hosts, with six of the top ten running on the OS; three companies used FreeBSD, including first place New York Internet; and one company was running Windows Server 2008.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. In the event that the number of failed requests is equal, the sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

August 2012 Web Server Survey

In the August 2012 survey we received responses from 628,170,204 sites, a decrease of 38M sites since last month's survey.

Once again, this month's drop comes as a result of improvements to the survey's handling of wildcard hostnames, with over 40M hostnames on only 242 IP addresses being removed from the Survey. This has again had a negative effect on the number of hostnames running on Apache, with 36M hostnames lost, taking its market share down to 59%. This meant that despite Microsoft, nginx and Google losing hostnames (855k, 1.4M and 370k respectively), they all increased their percentage share.

In the Million busiest sites, the situation was reversed. Apache gained 15k sites to lift its share past the 60% threshold. Microsoft, nginx and Google all saw losses, by 4k, 10k and 2k respectively.

6th June 2012 saw the World IPv6 Launch, an event organised to build on World IPv6 Day (held a year ago). This year, the event focused on bringing together major internet technology firms to 'permanently enable IPv6 for their products and services'. The effect of the day was clearly visible in the Survey, with the number of IPv6 enabled hostnames jumping by over 300% from 7M to 30M.

Apple's decision to migrate MobileMe accounts to its new iCloud service has meant that Akamai experienced a 138k drop in active sites in the Survey. The MobileMe service allowed users to publish data to a page on the me.com site or their own domain. The new iCloud services don't offer users the same functionality.





| Developer | July 2012 | Percent | August 2012 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 409,185,675 | 61.45% | 373,069,751 | 59.39% | -2.06 |
| Microsoft | 97,385,377 | 14.62% | 96,529,586 | 15.37% | 0.74 |
| nginx | 73,833,173 | 11.09% | 72,429,976 | 11.53% | 0.44 |
| Google | 22,931,169 | 3.44% | 22,561,854 | 3.59% | 0.15 |