TLS on the Top 500 Websites
Sep 11, 2015 #programming #the internet #security

I recently watched a talk by Jacob Appelbaum about how Tor does TLS certificates, and how a bunch of users using certificates that expire in 2 hours is suspicious.
So I wondered, what does the average TLS certificate look like?
And since I’m a programmer, I decided to go and gather some data. Thus, I wrote a tool to gather the information I wanted. “Make the data you want to see in the world.” That’s how it goes, right?
A little bit about the tool before we dive into data: I wrote it using Go, the language I’m playing with lately. It creates HTTPS connections to the top 500 websites according to moz.com, then logs some of the info about each TLS connection to a CSV file. You can find my data (updated as of September 11, 2015) right here.
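To make the collection step concrete, here is an added example in Go of the kind of probe described above. It is not the post's tlsinfo tool and not its code; it connects to host:443 with certificate verification left on, records the leaf certificate's issuer, validity window and the negotiated cipher suite, and writes one CSV row per host. LifetimeDays is the certificate's validity period (NotAfter minus NotBefore), which the post calls key lifetime; AgeDays is how long before the probe the certificate became valid, which the post calls key age. The hostname example.test, the self-signed certificate and its dates are constructed assumptions so the example runs offline; real hosts can be passed on the command line.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/csv"
	"fmt"
	"io"
	"math/big"
	"net"
	"os"
	"time"
)

// CertRecord is one CSV row: the post's "key lifetime" is LifetimeDays, its "key age" AgeDays.
type CertRecord struct {
	Host, Issuer, CipherSuite string
	NotBefore, NotAfter       time.Time
	LifetimeDays, AgeDays     int
}

// summarize reduces a leaf certificate and the negotiated cipher suite to a record; the clock is a parameter for reproducibility.
func summarize(host string, leaf *x509.Certificate, cipher uint16, now time.Time) CertRecord {
	return CertRecord{
		Host:         host,
		Issuer:       leaf.Issuer.CommonName,
		CipherSuite:  tls.CipherSuiteName(cipher),
		NotBefore:    leaf.NotBefore,
		NotAfter:     leaf.NotAfter,
		LifetimeDays: int(leaf.NotAfter.Sub(leaf.NotBefore).Hours() / 24),
		AgeDays:      int(now.Sub(leaf.NotBefore).Hours() / 24),
	}
}

// Probe completes a verified TLS handshake with host:443 and summarizes the leaf certificate.
func Probe(host string, timeout time.Duration) (CertRecord, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp",
		net.JoinHostPort(host, "443"), &tls.Config{ServerName: host})
	if err != nil {
		return CertRecord{}, err
	}
	defer conn.Close()
	st := conn.ConnectionState() // PeerCertificates[0] is the leaf after a verified handshake
	return summarize(host, st.PeerCertificates[0], st.CipherSuite, time.Now()), nil
}

// WriteCSV writes a header row and one row per record; times are RFC 3339 in UTC.
func WriteCSV(w io.Writer, recs []CertRecord) error {
	cw := csv.NewWriter(w)
	cw.Write([]string{"host", "issuer", "cipher_suite", "not_before", "not_after", "lifetime_days", "age_days"})
	for _, r := range recs {
		cw.Write([]string{r.Host, r.Issuer, r.CipherSuite, r.NotBefore.UTC().Format(time.RFC3339),
			r.NotAfter.UTC().Format(time.RFC3339), fmt.Sprint(r.LifetimeDays), fmt.Sprint(r.AgeDays)})
	}
	cw.Flush()
	return cw.Error()
}

// selfSignedCert builds a throwaway self-signed certificate (constructed test data, not any real site's) so the summary logic runs offline.
func selfSignedCert(notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Offline demo: a constructed cert issued 2015-03-11, valid 730 days, "probed" on 2015-09-11.
	cert, err := selfSignedCert(time.Date(2015, 3, 11, 0, 0, 0, 0, time.UTC), 730)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	probed := time.Date(2015, 9, 11, 0, 0, 0, 0, time.UTC)
	recs := []CertRecord{summarize("example.test", cert, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, probed)}
	for _, host := range os.Args[1:] { // hosts given on the command line are probed live
		if r, err := Probe(host, 10*time.Second); err == nil {
			recs = append(recs, r)
		} else {
			fmt.Fprintln(os.Stderr, err)
		}
	}
	if err := WriteCSV(os.Stdout, recs); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

Chain verification is left on deliberately: a host whose chain does not verify shows up as an error on stderr rather than as a row, which keeps the averages honest and flags misconfigured sites for follow-up. A host that offers no TLS at all fails at the dial step, which is how a "supports HTTPS at all" count like the one in the next section falls out of the same run.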
The Data
Factoid #1: Only 170 out of the Top 500 websites support HTTPS at all.
That’s a little bit startling. By the numbers, that’s 44%.
Factoid #2: Out of the Top 500 websites, Myspace has the oldest certificate.
Myspace’s TLS certificate was valid starting October 6, 2010 at 8:56 UTC. Their servers use the terribly outdated RC4 encryption algorithm, so it’s incredibly weak by today’s standards. However, their certificate will expire soon (October 6, 2015), so hopefully this will be upgraded by then.
Factoid #3: Some of the websites listed as supporting HTTPS actually redirect to HTTP.
The biggest offenders of this include Forbes, the Wall Street Journal, and Slate. Now, I can’t point fingers (because my website has no encryption as of this post, but soon!), but these are huge companies with lots of $$$, not some broke college kid. TLS isn’t even computationally expensive, so these companies have absolutely no excuse. EDIT: This blog now uses HTTPS via Let’s Encrypt! Suck it, unencrypted websites!
Unfortunately, there’s currently no way I can detect these redirects with tlsinfo yet. I suspect that in a future patch I’ll find some obvious way to do it.
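One way to detect the downgrade, added here as an example and not part of tlsinfo or any patch to it: instead of letting the HTTP client follow redirects on its own, return http.ErrUseLastResponse from CheckRedirect and walk the Location headers by hand, flagging any hop whose scheme is plain http. The type and function names and the hop limit are assumptions; the block uses only Go's standard library.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// Downgrade records what following a site's redirect chain from an https:// URL revealed.
type Downgrade struct {
	Chain     []string // every URL requested, starting with the https:// entry point
	ToHTTP    bool     // true if any hop redirected to a plain http:// URL
	FinalCode int      // status code of the last response in the chain
}

// FollowChain follows up to maxHops redirects by hand, so each Location header can be
// inspected for a scheme downgrade instead of letting the client silently follow it.
func FollowChain(client *http.Client, startURL string, maxHops int) (Downgrade, error) {
	c := *client // shallow copy: do not change the caller's redirect policy
	c.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	res := Downgrade{Chain: []string{startURL}}
	cur := startURL
	for hop := 0; hop <= maxHops; hop++ {
		resp, err := c.Get(cur)
		if err != nil {
			return res, err
		}
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
		res.FinalCode = resp.StatusCode
		if resp.StatusCode < 300 || resp.StatusCode > 399 {
			return res, nil // not a redirect: the chain ends here
		}
		loc, err := resp.Location() // resolved against the request URL, so relative targets work
		if err == http.ErrNoLocation {
			return res, nil // e.g. 304: a 3xx that is not a redirect
		}
		if err != nil {
			return res, err
		}
		if loc.Scheme == "http" {
			res.ToHTTP = true
		}
		cur = loc.String()
		res.Chain = append(res.Chain, cur)
	}
	return res, fmt.Errorf("%s: more than %d redirects", startURL, maxHops)
}

func main() {
	client := &http.Client{Timeout: 10 * time.Second}
	for _, host := range os.Args[1:] {
		d, err := FollowChain(client, "https://"+host+"/", 10)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", host, err)
			continue
		}
		fmt.Printf("%s downgrade=%t final=%d chain=%v\n", host, d.ToHTTP, d.FinalCode, d.Chain)
	}
}
```

The point of walking the chain manually is that the default client would land on the final HTTP page and report success; only the intermediate Location values show that the site opened a TLS connection and then sent the visitor back to plaintext. The hop limit bounds redirect loops, and the ErrNoLocation case keeps a 3xx without a target from being reported as an error.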
Factoid #4: The average key lifetime for a TLS key is 675 days (~ 22 months). The mean key lifetime is 730 days (2 years).
Okay. The average TLS key lasts for 2 years. Not bad. However, 2 years is a long time with computers.
Factoid #5: The average key age is 251 days (~8 months), while the mean key age is 191 days (~6 months).
This is not too surprising. It sounds about right.
Conclusion
As it turns out, there’s a lot of plaintext flying around the web. It’s not too interesting for most websites (i.e. most non-encrypted websites are news websites), but there are some potentially scary things you can do with plaintext.
For example, you could do a man in the middle attack or do simple monitoring of someone shopping on Amazon Deutschland (unencrypted), to see what they’re shopping for. Or you could, perhaps, infer someone’s political views by what news website or articles they read.
To answer what a Tor key should look like, keys generated for client sessions should be around 6 months old, and have a key lifetime of two years. Of course, there should be some randomization for how old the key is too (e.g. 6 months give or take 1 month). Even though keys are recycled every two hours or so, this will help Tor keys blend in more with the surrounding environment.
Anyhow, this was just a short article analyzing the current state of TLS certificates on the web. Thanks for reading.