
Really Peter? 219K Sites?

I'm not Seth Meyer. I'm not a television star. I don't have a team of writers feeding me stuff on cue cards.

That said....

According to an article by Fred Aun, Peter Alguacil from Pingdom released a report recently suggesting "there are probably 219,000 sites with outdated SSL certificates."

Probably.

Fred, who rounded Peter's original 219K figure up to 250K in his posting, goes on to describe the "bit of math" Peter used to reach this conclusion from two different sources. First, Netcraft estimates there are one million sites with valid SSL certificates. Next, a report Venafi released in 2007 suggests 18% of Fortune 1000 sites had expired certificates. Peter then does the math: since Netcraft's one million counts only valid certificates, if 18% of all sites have expired ones, that million is the remaining 82%, and scaling it up leaves roughly 219,000 sites with expired certificates.

Really Peter?

That sounds a lot like the math we used to get in the venture capital world during the Dot Com boom. "There are 300 million people on the internet, and if I can get just 1% of those to pay me $20, we will have $60 million in revenue! IT'S SO FREAKING EASY! So your $10 million, no strings attached, cash investment is basically like buying bars of gold and leaving them in a vault! CHA-CHING BABY!"

Are there sites out there with expired certificates? Abso-freaking-lutely. Are they sites that you use every day and trust? Probably not.

Sure, we're all human, and sometimes we make mistakes. If a large company does not single source its certificates through a company like VeriSign that can offer a managed solution to prevent something like that from happening, it is feasible that sites like Google or Yahoo could end up with an invalid certificate for a few hours. It has happened in the past.

The moral of this story is, any time an alert comes up in your browser about a problem with a certificate, you should be wary. There are too many attacks out there to ignore those warnings.
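An added example, not code from the original post: a small standard-library Python check that reports where a certificate sits in its validity window, using the dict layout that `ssl.SSLSocket.getpeercert()` returns, plus a live variant that keeps full verification on, so an expired chain fails the handshake and is reported rather than waved through. The `SAMPLE_CERT` dict, the hostname `example.invalid`, and the 30-day warning threshold are constructed for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout ssl.SSLSocket.getpeercert() returns
# (only the fields this check needs). It is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2010 GMT",
}


def _as_utc(when):
    """Accept None (now), an ISO date string, or an aware datetime; return aware UTC datetime."""
    if when is None:
        return datetime.now(timezone.utc)
    if isinstance(when, str):
        return datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def validity_status(cert, now=None):
    """Return (status, days_remaining) for a getpeercert()-style dict.

    status is 'valid', 'expired' or 'not_yet_valid'; days_remaining is the
    whole days until notAfter and goes negative once the certificate has expired.
    ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form used here.
    """
    now = _as_utc(now)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_remaining = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_remaining
    if now >= not_after:
        return "expired", days_remaining
    return "valid", days_remaining


def needs_attention(cert, warn_days=30, now=None):
    """True when the certificate is outside its window or expires within warn_days."""
    status, days = validity_status(cert, now)
    return status != "valid" or days <= warn_days


def check_host(hostname, port=443, warn_days=30, timeout=5.0):
    """Connect with default (verifying) context and report expiry headroom.

    An already-expired or otherwise untrusted certificate makes the handshake
    raise SSLCertVerificationError; that is reported as a failure, not ignored.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": hostname, "ok": False, "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": hostname, "ok": False, "reason": str(exc)}
    status, days = validity_status(cert)
    return {
        "host": hostname,
        "ok": not needs_attention(cert, warn_days),
        "status": status,
        "days_remaining": days,
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed sample at a few points in time.
    for when in ("2008-12-31", "2009-06-01", "2009-12-15", "2010-03-01"):
        print(when, validity_status(SAMPLE_CERT, when), "attention:", needs_attention(SAMPLE_CERT, 30, when))
```

Running the offline part walks the sample certificate through not-yet-valid, valid, expiring-soon and expired states; `check_host` is the same logic against a live server and is the piece to schedule if nobody in the organization owns renewals, since the warning it produces is the one you want before the browser produces its own.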

The moral of this blog post is math is great. "Dot Com math" should be questioned.

Comments

I think the most egregious violators of expired certificates would be site admins with an internal or trusted site. The ones I usually notice are Intranet sites, or Extranet sites that don't necessarily have sensitive information. You can easily picture the professionals and "informed elite" recognizing the error code but proceeding because they know it's expired and can't afford to update it (read: can't be bothered to update, can't take the time to update, or really can't afford the CA's fee to sign a new certificate.)
