In a post we made last Tuesday, we talked a bit about EFF’s latest Firefox extension, called “HTTPS Everywhere”. The goal of this extension is to automatically switch to a secure (HTTPS) connection to a website whenever one is available and a rule for that site is defined. In the launch version, sites supported right out of the box include Google, Wikipedia, Facebook, Twitter, PayPal, and more. It’s a simple extension, but a useful one.
HTTPS stands for “hypertext transfer protocol secure”, and the quickest way to see whether it’s active on a given page is to check that the site’s address begins with https://. Generally, HTTPS isn’t used for every page on a website, but only for the sensitive transactions, such as logging into an account. For banks and other financial sites, HTTPS should be active 100% of the time, since it encrypts the data in transit, so that even if your network traffic is intercepted, the guilty party sees nothing but garble.
For HTTPS to function properly, the server must present an SSL certificate issued for the exact domain the data is being sent to. For example, if I was on PayPal’s site and the certificate said my data was going to something like PayyPall.com, it’d be clear that something fishy was going on, and the connection should be dropped. Generally, if SSL is enabled and the certificate checks out, you can remain confident in your usage of that site.
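The "does the certificate name match the domain" check described above is exactly what a browser performs before trusting a connection. As an added example (not code from the original post), the block below implements that comparison over the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, handling the cases practitioners trip over: subjectAltName entries taking precedence over the subject CN, and a wildcard covering exactly one leftmost label. The certificate dicts are constructed for the example and are not real certificates; the function names are this example's own.

```python
import ssl

# Constructed certificate data in the dict shape ssl.SSLSocket.getpeercert()
# returns; only the name fields that matter for this check are filled in.
PAYPAL_LIKE_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}
CN_ONLY_CERT = {  # old-style certificate with no subjectAltName extension
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname, RFC 6125 style:
    case-insensitive exact match, or a single '*' as the entire leftmost label
    covering exactly one label ('*.example.net' matches 'shop.example.net'
    but neither 'example.net' nor 'a.b.example.net')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse over-broad wildcards like "*.com" and require label counts to agree.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches_host(cert, hostname):
    """Decide whether `cert` was issued for `hostname`. subjectAltName DNS
    entries are authoritative; the subject CN is consulted only when no SAN
    is present at all (a legacy fallback)."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_name_matches(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def default_context_verifies_hostname():
    """Python's stock client context already performs this check; the weak
    setting to watch for in code review is ctx.check_hostname = False."""
    ctx = ssl.create_default_context()
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    for cert, host in ((PAYPAL_LIKE_CERT, "www.paypal.com"),
                       (PAYPAL_LIKE_CERT, "payypall.com"),
                       (WILDCARD_CERT, "shop.example.net"),
                       (CN_ONLY_CERT, "legacy.example.org")):
        print(host, "->", "ok" if certificate_matches_host(cert, host) else "MISMATCH")
```

The PayyPall.com case from the paragraph falls out of the exact-match rule: the certificate names paypal.com, the requested host does not equal it, and no wildcard is present, so the connection is refused. Note also that a certificate for paypal.com does not cover login.paypal.com; only a wildcard or an explicit SAN entry does.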
If SSL is set up correctly on the server it’s being used on, then that’s great. But believe it or not, research firm Qualys has discovered that most sites using SSL are not using it correctly. This is an obvious problem, because in some cases it means the data you transfer isn’t secure and can be read by someone else. The reasons for this could be many, but most seem to be nothing more than a simple configuration issue.
It’s important to note, though, that a mismatched domain isn’t always a major issue, since the data can still be encrypted in transit. In some cases it may be up to you to use your own discretion about moving forward, but if money is involved, take extreme caution. To see whether a site is secure, most modern browsers display a lock icon somewhere that can be clicked, and some will even tell you when the certificate was issued for a different domain than the one you’re visiting.
Whether or not this many invalid SSL certificates are a real issue, the finding emphasizes the need to be careful online. But you already knew that.
SSL certificates can be generated for any domain name. It is considered a best practice that the name on the SSL certificate matches the domain on which the certificate is used, though Ristic’s research for Qualys shows that’s not always the case. “Only about 3.17 percent of the domain names matched,” Ristic said. “So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside.”