Tuesday, July 6, 2010

Comodo Wants Clarification on Qualsys SSL Marketplace Study

Comodo urges Qualys and Ivan Ristic, director of engineering at the security research firm to clarify his recent statements made during a webcast and reported by eSecurity Planet.com regarding Qualys upcoming marketplace study on SSL deployments and their shortcomings.  On June 30th I mentioned that Slashdot posted a story stating that a new study by Qualsys determined that:



22 Million SSL Certificates In Use Are Invalid

(from Slashdot at 29-6-2010)

While SSL certs are widely used on the Internet today, a new study from Qualys, set to be officially released at Black Hat in July, is going to show some shocking statistics.



Among the findings in the study is that only 3% of SSL certs in use were actually properly configured.



Quoting: '"So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside," Ivan Ristic, director of engineering at Qualys, said.... 
read more»





Read more: http://pindebit.blogspot.com/2010/06/22-million-ssl-certificates-invalid.html#ixzz0subdIJhE



Based on Mr. Ristic’s published comments, Comodo believes that the study will overestimate the number of SSL certificates and incorrectly state the number of those SSL certificates that are invalid because they do not match the domain name on which they reside.



"The methodology of the study is unclear and the paper, once published, could misrepresent the true SSL market and industry, judged by the statements made to the public already", according to Melih Abdulhayoglu, chief executive officer of Comodo.



Ristic’s assertion that "only 23 million of the sites were actually running SSL", is a great miscalculation because commercial Certificate Authorities have sold a substantially fewer than 23 million certificates, according to Comodo.



The claim that 22 out of 23 million of SSL servers with certificates in use today are not configured correctly is also a distortion. "Stating that nearly 97 percent of certificates are invalid because they don’t match the domain name is simply incorrect – the majority of those SSL certificates were never acquired for that domain name." Abdulhayoglu said.



For example, a webhost may host 100 domain names on a single IP address. Of those, just three sites are SSL enabled, while the other 97 are not. Qualys study would suggest that there are 100 SSL enabled sites with 97 domains misconfigured due to mismatch of the domain name. Yet, only three domains at that IP address are actually configured for the SSL certificate, while the remaining 97 are not configured for SSL at all.



Comodo believes this over-reporting of 'misconfigured' sites would be a disservice to the general public, could damage the reputations of ISPs, webhosts and Certificate Authorities, and ultimately, could have a detrimental effect on e-commerce.



"Ivan Ristic is an experienced security researcher and is held in high regard by all at Comodo" Abdulhayoglu continued, "but these interim figures paint an inaccurrate picture of SSL deployment because they are not properly clarified. We urge him to review these figures before publishing or presenting this to an informed audience."



Comodo has published its latest marketshare findings on http://www.whichssl.com , and has also released an SSL Analyzer tool currently in Beta, available at https://sslanalyzer.comodoca.com/. These resources are free to the public and help organizations and individuals evaluate their SSL certificates and verify its configuration in order to comply with PCI requirements.



About Comodo



Comodo is a leading brand in Internet security. With US Headquarters in New Jersey and global resources in UK, China, India, Ukraine, and Romania, Comodo provides businesses and consumers worldwide with security and trust services, including digital certificates, PCI scanning, desktop security, and remote PC support. Securing online transactions for over 200,000 businesses, and with more than 25 million desktop security software installations, including an award-winning firewall and antivirus software, Comodo is Creating Trust Online®. For more information, visit Comodo's website.







Source: Company press release.
Enhanced by Zemanta

Disqus for ePayment News