During a recent investigation of certificates and SSL, a co-worker (Ola) forwarded a link to an organization that is analyzing the SSL certificates used on the Web. The information was very relevant and interesting.
The EFF SSL Observatory
The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded a dataset of all of the publicly-visible SSL certificates, and will be making that data available to the research community in the near future.
The best way to get started is by looking at the slide deck. The overall summary indicates that things need to tighten up quite a bit to provide a more secure environment. It is too easy to make mistakes and open security holes. The philosophy of exposure reminds me of the work done by W. Richard Stevens for TCP/IP many years ago. The more an item is explored, the more likely its vulnerabilities and flaws will be seen.
This post resulted from cleaning up the inbox and realizing that this information was valuable enough to share.