Thursday, 1 July 2010

Qualys SSL research and lessons learned

This blog post is a reaction to the Qualys SSL research (see reactions here) and to Security Now! podcast 255, which briefly covered the story.

The Qualys research process was as follows (simplified):
1. retrieve DNS domain names
2. check protocols open on the IP addresses related to the domain
3. check certificate on port 443

The result is a very good service, SSLDB, available at this URL:

However, the inherent problem with this process is that IP addresses may be shared between websites, so an SSL check for one domain may actually be testing another website's certificate.
The research was harshly criticised for this flawed approach.
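To make the shared-IP problem concrete, here is an added example (my own illustration, not code from the post or from Qualys): two hypothetical sites share one address, the certificate actually served on that address belongs to one of them, and only matching the certificate's names against the domain being audited reveals that the other domain's "result" is really someone else's certificate. The certificate dictionary mirrors the shape returned by Python's ssl.SSLSocket.getpeercert(); all names and the IP are constructed.

```python
"""Added example, not from the original post: why a per-IP certificate check
can report the wrong certificate for a domain, and how checking the
certificate's names against the queried hostname exposes that."""


def _name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname, case-insensitively.
    A single leading '*' wildcard covers exactly one left-most label and is
    never allowed to stand in for a whole registrable domain."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    if not pattern.startswith('*.'):
        return False
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """Collect DNS names from subjectAltName; fall back to the CN only when
    no SAN is present, as validators do."""
    dns_names = [v for (k, v) in cert.get('subjectAltName', ()) if k == 'DNS']
    if dns_names:
        return dns_names
    for rdn in cert.get('subject', ()):
        for k, v in rdn:
            if k == 'commonName':
                return [v]
    return []


def cert_matches_host(cert, hostname):
    """True if the certificate is valid for this hostname by name alone."""
    return any(_name_matches(n, hostname) for n in names_in_cert(cert))


def audit(domains, cert_on_ip):
    """Per-domain verdict for a certificate fetched from a shared IP:
    'ok' when it really covers the domain, otherwise flag it."""
    return {d: ('ok' if cert_matches_host(cert_on_ip, d) else 'cert is for another site')
            for d in domains}


# Constructed scenario (hypothetical names and address): both domains resolve
# to 203.0.113.10, but a probe that just asks for the certificate on port 443
# receives site A's certificate regardless of which domain it was auditing.
CERT_SERVED_ON_SHARED_IP = {
    'subject': ((('commonName', 'www.site-a.example'),),),
    'subjectAltName': (('DNS', 'www.site-a.example'), ('DNS', 'site-a.example')),
}
DOMAINS_ON_SHARED_IP = ['www.site-a.example', 'www.site-b.example']

if __name__ == '__main__':
    for domain, verdict in audit(DOMAINS_ON_SHARED_IP, CERT_SERVED_ON_SHARED_IP).items():
        print(domain, '->', verdict)
```

The point for a scanner is that a certificate retrieved by IP only describes that IP's default virtual host; a per-domain verdict needs the probe to name the domain (SNI) and to check the returned names as above.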

So is there a way to improve this situation? I think so.

What we need is to fully utilise a DNS feature that has been there for a long time: SRV records.
Let me explain. Imagine you are the owner of a website and you want all your users to prefer HTTPS. There is no way to tell the browser that HTTPS is available on the server. But if you add the following records and the browser checks them, then "Bob's your uncle":
    86400 IN SRV 0 5 443
    86400 IN SRV 0 5 80

This tells the browser that the website is available over both HTTP and HTTPS, so the browser can simply go and connect over HTTPS.

Obviously, this requires domain administrators to populate DNS (not a big deal) and web browsers to check for the SRV records. There is already an extension for Firefox that can prefer HTTPS, but it requires manual regular-expression editing.
It also means that DNS hosting companies need to allow their customers to edit SRV records. My DNS company, 123-reg, certainly does not support it at the moment.

What do you think? Could this work and would it be useful? Worth an RFP?
