
Comodo Seeks Clarification on SSL Certificate Validity Study

Comodo Group : 05 July, 2010  (Technical Article)
Researchers at Comodo believe a recent Qualys study will overestimate the number of valid SSL certificates deployed and seek clarification on the methodology.

Comodo urges Qualys and Ivan Ristic, director of engineering at the security research firm, to clarify his recent statements, made during a webcast and reported by eSecurity, regarding Qualys' upcoming marketplace study on SSL deployments and their shortcomings.

Based on Mr Ristic's published comments, Comodo believes that the study will overestimate the number of SSL certificates and incorrectly state the number of those SSL certificates that are invalid because they do not match the domain name on which they reside.

'The methodology of the study is unclear and the paper, once published, could misrepresent the true SSL market and industry, judged by the statements made to the public already', according to Melih Abdulhayoglu, chief executive officer of Comodo.

Ristic's assertion that 'only 23 million of the sites were actually running SSL' is a great miscalculation because commercial Certificate Authorities have sold substantially fewer than 23 million certificates, according to Comodo.

The claim that 22 out of 23 million SSL servers with certificates in use today are not configured correctly is also a distortion. 'Stating that nearly 97 percent of certificates are invalid because they don't match the domain name is simply incorrect - the majority of those SSL certificates were never acquired for that domain name,' Abdulhayoglu said.

For example, a webhost may host 100 domain names on a single IP address. Of those, just three sites are SSL enabled, while the other 97 are not. The Qualys study would suggest that there are 100 SSL-enabled sites, with 97 domains misconfigured due to a mismatch of the domain name. Yet only three domains at that IP address are actually configured for the SSL certificate, while the remaining 97 are not configured for SSL at all.
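The counting difference in this webhost scenario can be shown in a short script. This is an added example, not code from Comodo or Qualys: the scan tuple format, the sample hostnames and the rule "a certificate that matches at least one hostname on its IP is correctly deployed, and the other hostnames there are simply not SSL sites" are assumptions made for illustration.

```python
from collections import defaultdict

def name_matches(pattern, host):
    """Exact match, or one leftmost '*' label (RFC 6125-style wildcard)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        # '*' covers exactly one label and never the bare parent domain
        return bool(head) and rest == p[2:] and "." in rest
    return False

def tally(scan):
    """scan: (ip, probed_hostname, cert_names) per hostname answering on 443.
    Returns (naive, adjusted) counts; the adjusted rule is an assumption."""
    naive = {"ssl_sites": 0, "mismatched": 0}
    by_cert = defaultdict(lambda: {"match": 0, "other": 0})
    for ip, host, names in scan:
        ok = any(name_matches(n, host) for n in names)
        # Naive view: every hostname that gets a certificate is an SSL site
        naive["ssl_sites"] += 1
        naive["mismatched"] += 0 if ok else 1
        by_cert[(ip, tuple(sorted(names)))]["match" if ok else "other"] += 1
    adjusted = {"ssl_sites": 0, "misconfigured": 0, "not_ssl": 0}
    for counts in by_cert.values():
        adjusted["ssl_sites"] += counts["match"]
        if counts["match"]:
            # Certificate serves its intended names; the rest share the IP only
            adjusted["not_ssl"] += counts["other"]
        else:
            # Certificate matches nothing probed on this IP: a real mismatch
            adjusted["misconfigured"] += counts["other"]
    return naive, adjusted

def sample_scan():
    """Constructed data: 100 hostnames on one IP, one certificate, 3 names."""
    cert = ("shop.example.com", "pay.example.com", "*.example.net")
    hosts = ["shop.example.com", "pay.example.com", "login.example.net"]
    hosts += [f"site{i}.example.org" for i in range(4, 101)]
    return [("192.0.2.10", h, cert) for h in hosts]

if __name__ == "__main__":
    naive, adjusted = tally(sample_scan())
    print("naive   :", naive)
    print("adjusted:", adjusted)
```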

Comodo believes this over-reporting of 'misconfigured' sites would be a disservice to the general public, could damage the reputations of ISPs, webhosts and Certificate Authorities, and ultimately, could have a detrimental effect on e-commerce.

'Ivan Ristic is an experienced security researcher and is held in high regard by all at Comodo,' Abdulhayoglu continued, 'but these interim figures paint an inaccurate picture of SSL deployment because they are not properly clarified. We urge him to review these figures before publishing or presenting this to an informed audience.'

Comodo has published its latest market share findings and has also released an SSL Analyzer tool, currently in Beta. These resources are free to the public and help organizations and individuals evaluate their SSL certificates and verify their configuration in order to comply with PCI requirements.