President Obama forgets to renew SSL certificate
1st October, 2013
At the start of the first US Government shutdown since 1996, an SSL certificate used on barackobama.com has expired. Issued by Go Daddy in September 2012, the SSL certificate for *.barackobama.com and barackobama.com was used by Organizing for Action, a non-profit grassroots organisation aligned with Obama's political policies. Whilst not directly associated with the US Government, the expiry of the SSL certificate for barackobama.com during a US Government shutdown is nonetheless a curious coincidence.

Warning in Google Chrome when visiting a website using the SSL certificate for *.barackobama.com.
Several SSL certificates controlled by the US Government expired today and are still being used — for example, the SSL certificates used on both ui.tn.gov and webmail.coop-uspto.gov have expired and may not be replaced any time soon. Furthermore, there are at least 30 US Government sites still using SSL certificates that are scheduled to expire before Friday.
SSL certificates expiring may be least of the problems for US Government websites, some websites have been taken offline: www.nasa.gov now redirects to notice.usa.gov.
Posted by Robert Duncan in Security, Around the Net
中国云
16th September, 2013
[Read this article in English]
作为2012年度世界最大的贸易国,中国长期以来一直是一个劳动力和服务输出大国,即便是在信息技术领域,也和印度的差距越来越小。以亚马逊和DigitalOcean为代表的欧美云计算服务提供商的不断发展壮大,预示着云计算基础设施会成为一种商品,而那些最廉价的提供商则会逐渐受到用户的青睐。
中国网民数量在2013年6月达到了5.91亿,超越了美国和欧洲。把互联网应用和其他内容放在目标用户所在的国家可以有效缩短访问所需时间并提高访问稳定性,所以日益增加的网民数量对本国的互联网基础设施建设提出了要求。
中国云主机市场的极速发展
在过去一年,在中国大陆境内直接连接到国际互联网的Web服务器数量增长了8.3%,且绝大多数增长都来自于云主机市场。在直接连接到国际互联网的Web服务器数量方面,阿里云是目前中国最大的云主机提供商。特别值得一提的是,阿里云拥有的直接连接到国际互联网的Web服务器数量在2013年9月达到了17,934,比去年同期增长了6倍。放眼全球,其增长量仅次于云计算巨头亚马逊。
虽然中国的云计算基础设施建设尚处于起步阶段,但阿里云的未来还是很有希望的,因为它背靠着强大的阿里巴巴集团。阿里巴巴集团是中国拥有直接连接到国际互联网的Web服务器数量最多的公司,也是世界前30名之一,而且该集团旗下的淘宝网和阿里巴巴交易市场等电子商务平台早已在中国家喻户晓。在阿里巴巴集团直接连接到国际互联网的Web服务器当中,有92%来自于阿里云。
Metric | Sep 2012 | Mar 2013 | Jun 2013 | Jul 2013 | Aug 2013 | Sep 2013 |
---|---|---|---|---|---|---|
Hostnames | 91,553 | 205,824 | 382,342 | 381,989 | 368,948 | 389,171 |
Active sites | 23,596 | 55,654 | 119,089 | 116,835 | 146,310 | 150,089 |
Web-facing computers | 2,670 | 8,038 | 15,931 | 16,846 | 17,670 | 17,934 |
Detailed view of Aliyun in terms of hostnames (web sites), active sites, and web-facing computers.
本土市场与中国防火长城
尽管中国云主机市场增长迅猛,但是Netcraft发现这些增长绝大多数都来自于面向中国本土市场的网站。把服务器尽可能安置在离终端用户较近的地方可以提高访问性能这一点在中国格外突出:可能是受到金盾工程(亦称中国防火长城)的影响,流入或流出中国大陆的网络数据有时候会很慢,不稳定,甚至被屏蔽。2013年9月,从阿里云连接到国际互联网的网站的域名有一半以上都在.cn顶级域下,有41%是.com,而在其他国家顶级域下的域名则非常少见。由此可推断,与亚马逊的全球化服务不同,阿里云目前还是比较局限于中国本土市场。

TLD share by domains of websites at Aliyun in September 2013
阻碍中国云服务全球的绊脚石
对于想吸引中国用户或访客的外国企业来说,使用中国境内的云主机是很有意义的,但是会遇到一些障碍。这些障碍也正解释了为什么中国云目前面向的主要还是本国用户且这种情况很可能还会持续一段时间:
- 和最廉价的外国云主机提供商相比,中国云主机提供商在价格和操作系统等配置选择的多样性上都没有优势。以阿里云为例,除非选择2核或4核的CPU,否则按量付费的云主机不支持Windows操作系统,而且其价格也不比那些更成熟的竞争对手便宜。最廉价的按量付费的阿里云主机为单核CPU,512M内存,1Mbps带宽,价格每小时0.27元(约合0.04美金),几乎是亚马逊最便宜的云主机价格的两倍,而配置相近的DigitalOcean云主机的价格仅为每小时0.007美金。但是,由于定价模式的差异,包年包月的阿里云主机在某些情况下会比包年包月的亚马逊或DigitalOcean更便宜。
- 从海外访问中国境内的网站有时不够顺畅 - 从英国发送到阿里云官方网站的数据包往返几乎要耗时半秒钟,而从美国访问的效果也没有好很多。在过去20天,有多达4%的来自荷兰的访问请求都以失败告终。
- 很多中国主机服务提供商只支持中文。以阿里云为例,无论是官方网站、控制面板还是技术支持,中文都是其唯一的语言。不过,亚马逊云对中文的支持也几乎一样有限 - 只有首页有中文版。
- 有些中国主机服务提供商只面向中国客户。例如:申请使用阿里云服务的用户必须要有一个中国的手机号来接收验证码以完成注册。按量付费的用户必须通过身份验证,而只有中国或个别亚太地区国家的公民或者中国的企业可以做这样的验证。想使用阿里云服务的客户还必须有一张与支付宝兼容的中国的银行卡。如果服务器需要通过域名访问,那么还必须在工信部备案,而这样的备案并不向外国企业开放。

Performance of www.aliyun.com from a Netcraft performance collector located in the Netherlands
这些障碍意味着中国的云主机服务目前还不太可能冲出中国,面向世界。但是,伴随着来自阿里云这样的本地提供商和微软、亚马逊这样的海外提供商之间的竞争,中国的云服务器数量很有可能会继续增长,来满足国内日益增多的需求。微软为了将其云主机服务打入中国市场,已经开始与中国的一家名为世纪互联的基础设施服务提供商进行合作,并且正在为中国市场定制极具竞争力的价格计划。也许通过这样的模式,其他外国企业(比如亚马逊)也可以将其云主机服务打入中国市场,不仅提供本地的数据中心,同时也争取在严格的监管环境下为中国客户提供支持。同样的,如果上述这些障碍能够在一定程度上得到解决,相信阿里云和其他中国云主机提供商也能够在国际大舞台上获得更多的市场份额。
Netcraft提供国际互联网基础设施方面的信息,包括主机服务提供商、网页技术等等。想了解更多关于云计算行业的信息,请访问 http://www.netcraft.com/internet-data-mining/。
Posted by Wenxiao Yuan (苑文筱) in Around the Net, Web Server Survey, Hosting
Building the Great Cloud of China
13th September, 2013
[中文版]
China, the world's largest trading nation in 2012, has long been a desirable location for outsourcing labour and services, even within the technology and IT sector where it is not far behind India. The growth of cloud computing providers in Europe and the United States — particularly Amazon and DigitalOcean — may foretell cloud computing infrastructure becoming a commodity and outsourced to the cheapest provider.
The ever-increasing number of internet users in China (591 million at the end of June 2013) requires the development of home-grown internet infrastructure: hosting web applications and other content within a target user's own country typically speeds up requests and improves reliability. The number of internet users in China is greater than either the United States or Europe.
Stratospheric growth in Chinese cloud hosting
Although the number of web-facing computers in China has grown by 8.3% over the last year — the majority of this growth has occurred within the cloud hosting market. Aliyun (云, pronounced 'yun', is the Chinese word for cloud) is the largest cloud computing provider in China in terms of the number of web-facing computers, and remarkably, Aliyun now has six times more web-facing computers than it did a year ago, reaching a total of 17,934 in September 2013. Worldwide, only the cloud computing giant Amazon gained a greater number of web-facing computers.
Although China's cloud computing infrastructure is still in its infancy, Aliyun's future looks particularly promising, as it is owned by the Alibaba Group. This group is the largest hosting provider in China, features within the top 30 hosting providers worldwide, and has already established a strong internet presence with its better known e-commerce platforms, Taobao and Alibaba.com. Aliyun now makes up almost 92% of the web-facing computers at Alibaba Group.
Metric | Sep 2012 | Mar 2013 | Jun 2013 | Jul 2013 | Aug 2013 | Sep 2013 |
---|---|---|---|---|---|---|
Hostnames | 91,553 | 205,824 | 382,342 | 381,989 | 368,948 | 389,171 |
Active sites | 23,596 | 55,654 | 119,089 | 116,835 | 146,310 | 150,089 |
Web-facing computers | 2,670 | 8,038 | 15,931 | 16,846 | 17,670 | 17,934 |
Detailed view of Aliyun in terms of hostnames (web sites), active sites, and web-facing computers.
Indigenous market and the Great Firewall of China
Despite the strong growth of the Chinese cloud hosting market, most of the growth seen by Netcraft is hosting sites aimed at the Chinese market. Hosting content as close to the end-users as possible increases the performance of the web site, and this effect is particularly prominent in China: internet traffic crossing the border can sometimes appear to be slow, unstable, or even blocked, perhaps as a side-effect of blocks enforced by the Golden Shield Project (also known as the Great Firewall of China). In September 2013, more than half of the domains of websites hosted at Aliyun were in the .cn TLD, around 41% in .com, whilst domains in other ccTLDs appeared to be very rare. Unlike Amazon's global reach, Aliyun's reach appears to be limited to the local market — at least for the time being.

TLD share by domains of websites at Aliyun in September 2013
Obstacles holding back the Chinese cloud
Using cloud hosting in China could make sense for non-Chinese companies looking to increase their presence in China; however, a number of obstacles remain. These explain why the Chinese cloud is still mostly indigenous, and is likely to remain so for some time:
- Neither the pricing models nor the variety or operating systems are as attractive as those offered by the cheapest non-Chinese cloud hosting companies. Taking Aliyun as an example, its on-demand instances do not support Windows operating systems unless you opt for a 2-core or 4-core CPU, and they are not significantly cheaper than its more established competitors. The cheapest on-demand option at Aliyun is ¥0.27 ($0.04) per hour which buys you a single core, 512MB of RAM, and a 1Mbps internet connection. This is almost twice the price of Amazon's cheapest option and a comparable DigitalOcean instance can be had for just $0.007 per hour. However, as pricing models vary, reserved instances at Aliyun can be cheaper in some circumstances.
- Internet connectivity from outside China can be patchy — packets sent to www.aliyun.com from the United Kingdom take almost half a second to make the journey and back again, and the performance in the United States is not much better. More than 4% of requests to www.aliyun.com from the Netherlands failed during the past 20 days.
- Many Chinese hosting services are only available in the Chinese language. This is the only language available for Aliyun's brochure website, control panel, and technical support. However, Amazon's support for the Chinese language is almost as limited — a single marketing site appears to be the sole Chinese-language site for AWS.
- Some Chinese hosting companies only accept business from Chinese customers. For example, Aliyun's customers are required to have a Chinese mobile phone number in order to receive a verification code to complete the signup process. Customers wishing to buy an on-demand instance at Aliyun must go through an identity verification process, which requires the registrant to be a national of China or one of a few other Asia-Pacific countries, or to represent a Chinese company. Customers must also hold a credit or debit card issued by a Chinese bank compatible with Alipay. Customers must also register with the Chinese Ministry of Industry and Information Technology if they wish to associate a domain name with an Aliyun cloud server, but such registration is currently unavailable to foreign enterprises.

Performance of www.aliyun.com from a Netcraft performance collector located in the Netherlands
The current obstacles suggest that the cloud is unlikely to be outsourced to China yet. However, the availability of cloud computers in China is likely to increase to match its rapidly increasing local demand with competition both from local providers like Aliyun and overseas players like Microsoft and Amazon. Microsoft has collaborated with a partner company in China, 21Vianet, in order to bring its Cloud to China, and is making competitive price plans customised for the Chinese market. Perhaps by following this model, other non-Chinese companies such as Amazon could enter the Chinese market, providing local data centres and support to Chinese-speaking customers within the stricter regulatory environment. Equally, if some red tape were cut and network connectivity improved, Aliyun and other Chinese cloud providers could be poised to take a larger share of the global cloud computing market.
Netcraft provides information on the internet's infrastructure, including the hosting industry and web content technologies. For information on the cloud computing industry, please see http://www.netcraft.com/internet-data-mining/.
Posted by Wenxiao Yuan (苑文筱) in Around the Net, Web Server Survey, Hosting
Facebook Apps hosted by Heroku used for viral Twitter phishing attack
10th June, 2013
Netcraft blocked a Twitter phishing site being served from multiple Facebook Applications on 6th June. Visitors to the Facebook applications were requested to enter their Twitter credentials in order to view a "Twitter Video" application. On submission of the fake Twitter login form, the user is redirected to YouTube.
Links to the phishing attack were spread via both public tweets and direct messages. A Twitter direct message can only be sent to and from users who are following each other which lends credence to the message and the link it contains. The message entices the recipient to visit the fraudulent Facebook application: "I'm turning off my page if no one comes farward [sic] regarding this. https://apps.facebook.com/165922313586222".
Facebook — a trusted website which is served over HTTPS — is a useful medium for a fraudster; a Facebook user may be accustomed to seeing legitimate third-party authorisation forms on the social network making a fake login form all the more convincing. Netcraft has also observed similar attacks targeting Facebook itself which are being spread via Facebook statuses.

Twitter phishing via Facebook Apps and Twitter direct messages
Facebook Apps are not hosted on Facebook servers, instead they are hosted by a third party provider. The Facebook Apps involved in this phishing attack were hosted on Heroku and included on facebook.com via an iframe. In September 2011 Facebook partnered with Heroku, simplifying the process of setting up a new Heroku hosting account and Facebook App down to a few clicks. Heroku provides free accounts which are attractive for fraudsters wishing to host phishing attacks on Facebook.
The Facebook App at Heroku has a further iframe showing the actual fake login form, which is hosted at another hosting provider Joe's Datacenter. Both Facebook and the Facebook App hosted at Heroku are served using HTTPS but the final iframe is not, causing some browsers to display an insecure content warning.

Structure of the phishing attack: the fake twitter login form is included in an iframe within the Heroku-hosted Facebook App. The Facebook App is then included on facebook.com within another iframe.
Internet Explorer 9+ blocks HTTP iframes on HTTPS pages by default as it considers them as Mixed Active Content. Firefox currently hides the padlock when viewing mixed content, but does not block it. Firefox 23, due for release later this month, will automatically block iframes when it introduces Mixed Active Content blocking. In Google Chrome, iframes are currently considered passive rather than active, so the padlock icon displays a warning but the content is not blocked. Chrome 29 will switch to treating iframes as Mixed Active Content and block them by default.

Mixed Active Content Blocking in IE10, Pre-release Firefox Nightly, Pre-release Chromium
On 6th June, Netcraft observed the following events (times are GMT). Netcraft had access to both a compromised Twitter account and a second Twitter account which was targeted by the first.
- 12:00
- A Twitter direct message with a link to the phishing attack is received from the compromised account. Netcraft blocks the phishing attack in its Phishing Feed.
- 19:00
- Twitter resets the password on the compromised account: "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account". The direct message containing the link to the phishing attack is removed. This is the same email that Twitter sent to 250,000 users in February when it discovered an attack which may have accessed user information.
- 20:00
- Facebook removes the phishing applications Netcraft discovered, but the content is still accessible directly.
Social network credentials are particularly appealing to fraudsters as they have a built-in method to spread the attack without further involvement from the fraudster. Some features, such as attached third-party applications, can make a compromised account even more valuable to a fraudster. Authentication forms of the type imitated in this attack are common and train users to expect to see social media login forms triggered from websites other than that of the social network itself. Despite this attack asking for Twitter credentials within a Facebook App, the fraudster was still able to gather twitter account credentials and use them to further spread the attack using twitter direct messages and tweets.
You can protect yourself against phishing attacks by installing Netcraft's Anti-Phishing Extension. You can help protect the internet community by reporting potential phishing sites to Netcraft by email to scam@netcraft.com or at https://report.netcraft.com. Netcraft can also help protect both brand owners and hosting companies.
Posted by James Acres in Security, Around the Net
Phishing attack hosted on police site with an SSL certificate
6th June, 2013
The Malaysian government's Police Portal (Johor Contingent) is currently hosting a phishing attack against PayPal on its secure website https://www.polisjohor.gov.my (Site Report). Phishing sites using SSL certificates can piggyback on the trust instilled by browser indicators, such as the padlock icon, to trick potential victims into revealing sensitive information such as their username and password. The SSL certificate used for this phishing attack is irrevocable in some major browsers including Firefox (due to the lack of an OCSP URL in the certificate) and Safari (which doesn't check revocation by default).
A phishing site targeting PayPal hosted on the Malaysian Police's web site which is available over HTTPS.
Fraudsters often use a compromised third party website to host their phishing attack rather than obtaining web hosting directly. By compromising an existing trusted website the fraudster can avoid paying for a potentially suspicious domain name or SSL certificate himself. For example, registering or obtaining an SSL certificate for paypaal.com could draw unwanted attention if the registrar or SSL certificate authority is already conscious of the risk posed by this type of domain name.
The presence of an SSL certificate on a website hosting a phishing site is far from unusual. In May 2013, Netcraft identified 234 trusted SSL certificates on websites with at least one known phishing site. Of these, 67 were issued by Symantec (including the polisjohor.gov.my certificate) which may not be surprising given its leading position in the SSL certificate market. Comodo and Go Daddy had a similar number of such certificates discovered by Netcraft, 42 and 46 respectively. Extended Validation (EV) certificates could be especially valuable to a fraudster as they are designed explicitly to increase the perceived trustworthiness of websites which have passed the validation process by displaying additional indicators such as green bar. During May 2013, Netcraft identified five EV certificates being used on potentially compromised websites: two signed by Symantec and one each signed by Comodo, DigiCert, and Go Daddy.
The SSL certificate for polisjohor.gov.my was issued by GeoTrust (a Symantec brand) back in 2011 and is valid for several more months. If Symantec wished to revoke the certificate to make the site inaccessible over HTTPS it could do so by updating its Certificate Revocation List or by providing on-demand OCSP responses noting its revocation. As examined by Netcraft recently, the current treatment of revocation in many major browsers leaves some room for improvement: this certificate does not contain an OCSP URL so is irrevocable in Firefox. Even if the CA wanted to, it could not directly prevent further use of the certificate in Firefox. Safari users are left unprotected by default as the revocation checking has to be explicitly enabled.
Netcraft offers Phishing alerts to CAs to provide timely alerts to the CA about potential misuse of a certificate. Having access to timely, professionally validated alerts when phishing attacks occur can allow the CA to provide the first alert of a compromise to the webmaster. Both the CA and the webmaster are then able to respond appropriately to the potential compromise, safeguarding the reputation of both parties.
Posted by Raz Popescu in Security, Around the Net
Would you knowingly trust an irrevocable SSL certificate?
23rd May, 2013
Despite the inconsistent treatment of certificate revocation by browsers, providing reliable revocation information is an integral part of operating a trustworthy certificate authority (CA) and a well-accepted requirement of Mozilla's CA root program. However, there are presently thousands of certificates in use which are irrevocable in some major browsers, and hundreds in those browsers which do everything right.
Without the ability to revoke a certificate, a CA has no control over whether a certificate is accepted by browsers or relied upon for secure communication after its issuance and before its expiry. A compromised private key and certificate in the hands of an attacker could be devastating: he would be able to use the private key to decrypt some intercepted SSL-secured traffic and the certificate to impersonate the targeted site. Even if the CA becomes aware of the problem, they can do nothing about it directly without having to rely on the browser vendor's support. CAs use two main technologies for browsers to check whether a particular certificate has been revoked: using the Online Certificate Status Protocol (OCSP) or looking up the certificate in a Certificate Revocation List (CRL). OCSP provides revocation information about an individual certificate from an issuing CA, whereas CRLs provide a list of revoked certificates and may be received by clients less frequently.
Assessing browser support for the two forms of revocation is complicated by Google Chrome's varying behaviour, depending on the platform, browser settings, and its use of pre-aggregated crlsets which contain revocation information for a limited selection of certificate authorities. Firefox does not automatically download CRLs for non-EV certificates so, by default, must rely on OCSP alone. Both Internet Explorer and Opera are more secure in this context: they support OCSP and CRLs and make suitable checks for all types of certificate. Safari does not make revocation checks at all by default for non-EV certificates and the mobile version does not provide the option to do so. For most Safari users, whether or not a certificate is irrevocable is immaterial — Safari does not check for revocation by default.
Excerpt from Netcraft's site report for https://www.bancagenerali.it showing the lack of any revocation method available.
Netcraft has found hundreds of certificates trusted by major browsers which are effectively irrevocable; that is they do not contain valid entries in the crlDistributionPoints X509 extension or OCSP URLs in the AuthorityInformationAccess extension. There may be appropriate CRLs or OCSP responders available, but there is no standard automated means to discover them. Without these two extensions, there is some chance a browser will use a cached CRL (downloaded after visiting another site using the same intermediate certificate) and have access to revocation information not otherwise available. It is easy, however, to envision many scenarios where this fortunate event hasn't occurred before a person visits a site with a revoked certificate.
The CA/B forum — an organisation of both CAs and browsers — publishes a set of Baseline Requirements (BR), which allow a CA to rely on OCSP stapling for "high-traffic" FQDNs and omit OCSP URLs from the certificate. However, currently there is not a widely supported method for enforcing the use of OCSP stapling. The draft TLS Security Policy extension can contain a must-staple directive, which, if present, will indicate to clients to reject any connection without a stapled OCSP response.
In Netcraft's May 2013 SSL survey, more than 300,000 certificates did not contain an OCSP responder URL and are thus irrevocable in Firefox (except for a handful of hard-coded OCSP responder URLs); of these, almost 9,000 were issued this year. Around 800 did not contain URLs for either revocation method, making them effectively irrevocable.
The table below shows some example certificates which are missing some or all of the URLs pointing to revocation methods.
Example certificate | Site rank | Certificate Authority | OCSP servers | Certificate Revocation Lists | OCSP Stapling enabled | Self-declared BR compliance according to responses to Mozilla |
---|---|---|---|---|---|---|
fsgateway.aexp.com | American Express (Verizon Business) | No | No | No | Not yet compliant | |
www.bancagenerali.it | 28,225 | I.T. Telecom (Verizon Business) | No | No | No | Not yet compliant |
*.malaga.es | FNMT | No | No | No | N/A | |
accounts.google.com | 7 | Google Internet Authority (Symantec) | No | Yes | No | Compliant |
login.skype.com | 1,804 | Microsoft (Verizon Business) | No | Yes | No | Not yet compliant |
query.rapidssl.com | 1,280,616 | Symantec | No | Yes | No | Compliant |
www.faa.gov | 498,030 | Verizon Business | No | Yes | No | Not yet compliant |
www.creditmutuel.de | KEYNECTIS | No | Yes | No | Compliant | |
*.mygrants.gov.my | AlphaSSL (GlobalSign) | No | Yes | No | Partially compliant |
There are a number of certificate authorities which have issued such certificates, including the following:
- An American Express certificate, issued by their own certificate authority, does not contain URLs for either revocation method nor does it staple an OCSP response, making it totally irrevocable. American Express's certificate authority eventually chains up to GTE CyberTrust (now Verizon Business). This certificate was issued before the effective date of the CA/B forum's Baseline Requirements.
- Google Internet Authority, a subordinate CA of Equifax (now Symantec), does not include OCSP responder URLs in any of its certificates making the certificates effectively irrevocable in Firefox except by action by the browser vendor. Even if Google were to use OCSP stapling (which it does not appear to do — at least on some popular sites) people using Firefox would be no better off as support by default is still in the pipeline. The lack of OCSP URLs may be a conscious decision by Google to reduce the performance penalty of using SSL. The risk posed by not performing this check is not theoretical as one of Google's CRLs contains 7 serial numbers for certificates which were revoked for 'Key Compromise', an event which can't be dealt with directly by Google for users of Firefox.
- A number of other certificate authorities have issued certificates without OCSP responder URLs this year, including Symantec, Verizon Business, GlobalSign, Microsoft, and KEYNECTIS. The original Baseline Requirements document — effective from 1 July 2012 — stated that there MUST be at least one OCSP URL in the AuthorityInformationAccess extension.
- Several recently-issued irrevocable certificates violate other Baseline Requirements. For example many certificates also have RSA keys shorter than 2048-bits expiring beyond the end of this year — the CA will not be able to revoke them effectively on 1st January 2014 as is required. I.T. Telecom (which is a subordinate CA of Verizon Business) and FMNT (the Spanish Royal Mint) are the worst offenders, having issued totally irrevocable certificates with short public keys. Some major CAs have also signed certificates with short public keys and only CRL revocation available including Symantec and Verizon Business.
None of the example certificates mentioned above responded with a valid OCSP response stapled, so the limited exception allowed in the Baseline Requirements for high-traffic FQDNs isn't applicable.
Whilst the majority of certificates issued by major CAs are revocable in line with the Baseline Requirements, browser vendors could consider enforcing the most security-critical requirements in the browser itself, raising the bar for all certificate authorities. Browser vendors are somewhat limited in the available methods to sanction or remove their trust in widely used CAs: straightforward revocation of intermediates or root certificates runs the risk of disabling a large proportion of secure websites leading users to question not the CAs, but the browser software and the web site they are visiting.
23/05/2013: Edited to correct attribution of Microsoft's CA to Verizon Business.
Posted by Robert Duncan in Security, Around the Net
Advertisers Directory
Your link here? Advertising on the Netcraft Blog