Welcome to SSLFail!
Lately there seems to be a lot of SSL discussion, and not just the recently released ‘Rogue CA’ presentation. There have been speakers at several cons, blog posts, and conversations lately around the subject of SSL.
Marcin and I were discussing some of the recent failures that we’ve seen and that others have mentioned and decided that we needed a place to bring all of these together, to point out that companies are failing at SSL. Marcin suggested mismatched.com, however the domain was already taken and as I typed in random things, I stumbled across the availability of SSLFail.com. It seemed to work well, so I registered it and 24 hours later here we are.
One of my coworkers, Jay, spends a lot of time playing with SSL… both at work and on his own. So naturally when the thought of blogging about SSL came to mind, so did his name. I pinged him and sure enough, he was interested.
So here we are, the three of us (for now). I invite anyone interested in writing here to contact us.
Enjoy,
Tyler.


January 13, 2009
Pre-comment question: Are you accepting screenshots of prominent sites whose logins are not SSL-protected?
Ugh. The state of browsers right now has made screenshots of ssl failures so amazing. Every little discrepancy (or less money spent on ‘normal’ certs) results in error pages. It’s pretty ridiculous.
I can’t wait to go to IE7/FF3 in my work environment (I use it, but it’s not installed widely on users). I have about 40 internal-only web servers hosting roughly 300 different sites internally (mostly development copies of public sites). Every one is protected by a non-EV SSL internally-signed cert. Let alone almost all of my network devices…
The band-aid of error alerts and green address bars to increase user awareness doesn’t work, and was a stupid idea in the first place (way to make more money for CAs). It would be just a minorly stupid idea if it weren’t so forced…
Sorry, the state of SSL is a bit of a peeve of mine. I don’t mind if a site like http://www.gmail.com uses the http://www.google.com SSL, but I do mind that browsers have moved away from pop-up warnings that can be turned off to obscure full-page warnings that make it sound like the site is evil and broken.