CSS Research:

SSL Certificate Monitoring Survey

You may be reading this page because one or more IP endpoints on your network was visited by CSS’ Certificate Spider, which makes non-invasive HTTPS connections to public IP addresses on SSL/TLS port 443. The purpose of this study is to obtain a copy of the digital certificates used to secure transactions. We are conducting this study to help identify digital certificate usage across the internet and help prevent fraudulent digital certificate usage.

What we’re doing

Certified Security Solutions (CSS) has invested in an effort to gain continual oversight of the digital certificates used to secure SSL/TLS connections on the Internet. To do this, we have created a system we call the Certificate Spider, which is designed to make HTTPS connections to systems on the Internet to obtain information about these certificates. The Certificate Spider initiates an SSL handshake, obtains the certificates used to secure the transaction, issues an HTTP GET for Robots.txt in order to provide a browser agent and identify ourselves, and makes no further inquiry of the system.
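For operators who want to recognise this pattern in their own web server logs, the following added example (not CSS code) lists clients whose only HTTPS requests were GET requests for robots.txt, which is the footprint described above. The log lines, IP addresses and user-agent strings are constructed placeholders, since this page does not state the spider's actual user agent; matches are candidates only, because other clients can behave the same way.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format for an HTTPS vhost.
# IPs come from documentation ranges; user-agent strings are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2015:04:11:02 +0000] "GET /robots.txt HTTP/1.1" 404 162 "-" "placeholder-cert-survey-agent"
203.0.113.20 - - [12/Mar/2015:04:12:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "placeholder-search-crawler"
203.0.113.20 - - [12/Mar/2015:04:12:41 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "placeholder-search-crawler"
192.0.2.55 - - [12/Mar/2015:04:15:09 +0000] "GET /login HTTP/1.1" 200 2310 "-" "placeholder-browser"
198.51.100.99 - - [12/Mar/2015:04:20:30 +0000] "GET /Robots.txt HTTP/1.1" 404 162 "-" "placeholder-cert-survey-agent"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def robots_only_clients(log_text):
    """Return {ip: [user agents]} for clients that only ever sent GET /robots.txt."""
    requests = defaultdict(list)
    agents = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        # Drop any query string and compare case-insensitively ("Robots.txt").
        path = m["path"].split("?", 1)[0].lower()
        requests[m["ip"]].append((m["method"], path))
        agents[m["ip"]].add(m["ua"])
    return {
        ip: sorted(agents[ip])
        for ip, reqs in requests.items()
        if all(req == ("GET", "/robots.txt") for req in reqs)
    }


if __name__ == "__main__":
    for ip, uas in sorted(robots_only_clients(SAMPLE_LOG).items()):
        print(ip, uas)
```

The TLS handshake itself does not appear in an HTTP access log, so this only sees the robots.txt request that follows it.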

Why we’re doing it

Digital certificates form the basis for secure identity and enable secure e-commerce on the Internet. As with identities in the physical world, there can be dire consequences if someone impersonates an organization on the Internet, or uses falsified identification. However, SSL and the global Public Key Infrastructure (PKI) community are facing an unprecedented series of security challenges and attacks against this basis of trust. Fraudulently issued or “fake” certificates have become a significant security risk to organizations large and small, and even to the public at large, and can become the basis of phishing attacks, identity theft, and corporate espionage.

CSS is committed to helping secure the Internet SSL/TLS and PKI community by continually combing the Internet for fraudulent certificates.

This work is being done in preparation for participation in the Google-sponsored Certificate Transparency project.

What we’re NOT doing

CSS has not – and will not – make use of these SSL connections to perform network scanning actions such as penetration testing, cipher suite analysis, or vulnerability tests (e.g. Heartbleed, FREAK, etc.). Our goal is simply to obtain publicly-available certificate data as reflected in the reports below:

Public SSL Market Share report


About CSS

Certified Security Solutions (CSS) is a security software and services company, specializing in digital identity and Public Key Infrastructure (PKI). Our Certificate Management System (CMS) software is widely used within a sizeable percentage of the Fortune 500 and Global 2000.

For More Information…

If you have questions or concerns, please send an email to research@css-security.com and we will be happy to further discuss the details of this research.

Custom sample SSL/TLS certificate reports are available at zero cost for your company. To request one, please also contact research@css-security.com, or click below to submit your request.

Request a Sample Report