HTTPS-Obs[HTTPS Observatory -- concluded on 2011/02]
The project collects an Internet-wide dataset of all publicly visible TLS CA certificates in order to
- search for CA-certified Man In The Middle (MITM) attacks against HTTPS privacy and
- measure the extent to which browsers really need to trust 60-200 CAs completely.
Extended datasets measuring from multiple source networks (via Tor) and using SNI will also be collected.

In collaboration with volunteers from security consulting firm iSEC Partners, EFF intends to write a program that accesses every Web server on the public IPv4 Internet running HTTPS on port 443. We will create a complete dataset of the certificates each server offers to visitors. Then we will analyze the data, comparing:
- Who is the Certificate Authority?
- For which domains is the certificate valid?
- Where is the machine issuing the certificate located?
- Who operates that network?
With these data it will be possible to answer the following questions:
- How many CA services are used by publicly accessible sites? Which ones are rarely used?
- Can one find evidence of specific MITM attacks in the form of publicly visible attack servers (that victims in the wild would have been redirected to via DNS or other mechanisms) or in the form of network-layer attacks detected against our own survey machines? Concrete evidence would be useful for motivating browser developers to adopt more secure trust models.
- How many domains intentionally use more than one apparently legitimate, apparently valid certificate at the same time? (This affects the design of enhancements to the TLS trust model.)
- How many sites in the wild show different valid certificates to users who come from different parts of the Internet?
- How many CAs are used primarily or exclusively in particular countries or DNS domains?
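The questions above are all queries over the same dataset: for each server, who issued the certificate, which names it covers, and where the server sits. The following Python is an added example, not EFF's or iSEC Partners' survey code. It models each observation on the dict that Python's `ssl.SSLSocket.getpeercert()` returns (subject and issuer as tuples of RDNs, `subjectAltName` as `(type, value)` pairs) so a collector could feed real results straight in; the server IPs, countries, CA names and domains are constructed sample data, and the helper and function names are this example's own.

```python
"""Analysis of a TLS certificate survey dataset (added example, not project code).

Each observation is (server_ip, server_country, cert_dict) where cert_dict has
the shape ssl.SSLSocket.getpeercert() returns. All sample data is constructed.
"""
from collections import Counter, defaultdict


def make_cert(cn, issuer_cn, sans=()):
    """Build a getpeercert()-style dict. Constructed sample data only."""
    cert = {
        "subject": ((("commonName", cn),),),
        "issuer": ((("organizationName", issuer_cn + " Ltd"),),
                   (("commonName", issuer_cn),)),
        "notAfter": "Jun 30 23:59:59 2011 GMT",
    }
    if sans:
        # getpeercert() omits the key entirely when the extension is absent
        cert["subjectAltName"] = tuple(("DNS", name) for name in sans)
    return cert


# Constructed observations: documentation IP ranges, fictitious CAs and hosts.
OBSERVATIONS = [
    ("192.0.2.10", "US", make_cert("www.example.com", "Alpha Root CA", ("www.example.com", "example.com"))),
    ("192.0.2.11", "US", make_cert("www.example.com", "Beta Global CA", ("www.example.com",))),
    ("192.0.2.12", "US", make_cert("api.example.com", "Alpha Root CA", ("api.example.com",))),
    ("198.51.100.5", "DE", make_cert("shop.example.net", "Alpha Root CA")),  # no SAN: fall back to CN
    ("198.51.100.6", "DE", make_cert("mail.example.net", "Gamma National CA", ("mail.example.net",))),
    ("203.0.113.7", "DE", make_cert("intranet.example.org", "Gamma National CA")),
    ("203.0.113.8", "JP", make_cert("login.example.org", "Beta Global CA", ("login.example.org",))),
    ("203.0.113.9", "JP", make_cert("www.example.jp", "Delta Local CA", ("www.example.jp",))),
]


def rdn_value(name, attr):
    """First value of attribute `attr` in a getpeercert()-style name (tuple of RDNs)."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def issuer_of(cert):
    """Identify the CA by the issuer's commonName."""
    return rdn_value(cert["issuer"], "commonName")


def domains_of(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if sans:
        return sans
    cn = rdn_value(cert["subject"], "commonName")
    return {cn} if cn else set()


def ca_usage(observations):
    """How many surveyed servers present a certificate from each CA."""
    return Counter(issuer_of(cert) for _, _, cert in observations)


def rare_cas(observations, max_servers=1):
    """CAs seen on at most `max_servers` servers: candidates for distrust review."""
    return sorted(ca for ca, n in ca_usage(observations).items() if n <= max_servers)


def multi_ca_domains(observations):
    """Domains for which servers present certificates from more than one CA.

    A second issuer for the same name is either intentional redundancy or a
    candidate MITM certificate, so these are the cases to examine by hand.
    """
    issuers_by_domain = defaultdict(set)
    for _, _, cert in observations:
        for domain in domains_of(cert):
            issuers_by_domain[domain].add(issuer_of(cert))
    return {d: cas for d, cas in issuers_by_domain.items() if len(cas) > 1}


def ca_country_concentration(observations):
    """For each CA: (most common server country, share of that CA's servers there)."""
    countries_by_ca = defaultdict(Counter)
    for _, country, cert in observations:
        countries_by_ca[issuer_of(cert)][country] += 1
    result = {}
    for ca, counter in countries_by_ca.items():
        top_country, top_count = counter.most_common(1)[0]
        result[ca] = (top_country, top_count / sum(counter.values()))
    return result


def country_bound_cas(observations, min_servers=2, min_share=0.9):
    """CAs used (almost) exclusively in one country, ignoring CAs with too few servers."""
    usage = ca_usage(observations)
    return {ca for ca, (_, share) in ca_country_concentration(observations).items()
            if usage[ca] >= min_servers and share >= min_share}


if __name__ == "__main__":
    print("CA usage:", dict(ca_usage(OBSERVATIONS)))
    print("Rarely used CAs:", rare_cas(OBSERVATIONS))
    print("Domains with more than one CA:", multi_ca_domains(OBSERVATIONS))
    print("Country-bound CAs:", country_bound_cas(OBSERVATIONS))
```

One caveat on the collection side, which this example leaves out: `getpeercert()` returns an empty dict when the certificate was not validated, so a survey that wants to see exactly the certificates a MITM attacker would present (typically not chaining to a trusted root) must request the DER form with `binary_form=True` and decode it itself, rather than relying on the verifying path.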