The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded datasets of all of the publicly-visible SSL certificates on the IPv4 Internet, in order to search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested in the web's encryption infrastructure.
For the public, the slide decks from our DEFCON 18 and 27C3 talks are available, and you can also peruse our second map of the 650-odd organizations that function as Certificate Authorities trusted (directly or indirectly) by Mozilla or Microsoft.
Map Key:
Hexagon: root CA trusted by Microsoft only Black : signed 0 leaves
Diamond: root CA trusted by Mozilla only Violet: signed 1-10 leaves
Box : root CA trusted by both Blue : signed 11-100 leaves
Ellipse: subordinate CA Green : signed 101-1000 leaves
Yellow: signed 1001-10000 leaves
Orange: signed 10001-100000 leaves
Red : signed 100001-1000000 leaves
For the technical research community, our source code is available; you can fetch a copy with this command:
git clone https://git.eff.org/public/observatory.git
as well as a MySQL database dump (August 2010 MySQL dump), the raw data (August 2010 raw data), and the August 2010 CSV database dump are available. You can also use the Observatory in an Amazon EC2 instance we created.
Please note that the data and code are not polished; patches and help are welcome. Questions can be asked on the project's mailing list or directed privately to <ssl-survey - at - eff.org>.
We are particularly concerned about the role and practices of Certificate Authorities (CAs), which are the organizations that can sign cryptographic certificates trusted by browsers. These certificates can contain statements like, "this public key belongs to EFF.org", "this public key belongs to yahoo.com, paypal.com and mozilla.com", or "this public key should be trusted to also act as a CA, signing certificates for other domains".
Browsers trust a very large number of these CAs, and unfortunately, the security of HTTPS is only as strong as the practices of the least trustworthy/competent CA. Before publishing this data, we attempted to notify administrators of all sites observed vulnerable to the Debian weak key bug; please let us know if your analysis reveals other classes of vulnerabilities so that we can notify affected parties.
The data presented here is derived only from observing publicly-accessible servers and could have been collected by anyone. Research for this project is a collaboration between EFF and Jesse Burns at iSEC Partners. Thanks to the NLnet Foundation and SingleHop for supporting this work.