I've finally found some time to analyse the data from last month's scan
to see what happens when additional roots are removed [1,2].
The scan took place between the 11th and 19th of July 2014.
Sites scanned are taken from the Alexa top 1 million sites as of the 11th of July.
Overall, the certificate stats look like this:
Statistics from 440559 chains provided by 585568 hosts

Server provided chains      Count    Percent
---------------------------+---------+--------
complete                    363296   62.0416
incomplete                   29441    5.0278
untrusted                   192831   32.9306

Trusted chain statistics
========================

Chain length                Count    Percent
---------------------------+---------+--------
2                             2385    0.5414
3                           428839   97.3397
4                             9314    2.1141
5                               21    0.0048

CA key size in chains       Count
---------------------------+---------
ECDSA 256                        3
ECDSA 384                        3
RSA 1024                      1718
RSA 2045                         1
RSA 2048                    868749
RSA 4096                     17615

Chains with CA key          Count    Percent
---------------------------+---------+--------
ECDSA 256                        3    0.0007
ECDSA 384                        3    0.0007
RSA 1024                      1708    0.3877
RSA 2045                         1    0.0002
RSA 2048                    438889   99.6209
RSA 4096                     17235    3.9121

Signature algorithm (ex. root)   Count
--------------------------------+---------
ecdsa-with-SHA384                     3
sha1WithRSAEncryption            384856
sha256WithRSAEncryption           49903
sha384WithRSAEncryption           12768

Eff. host cert chain LoS    Count    Percent
---------------------------+---------+--------
80                          385704   87.5488
112                          54852   12.4505
128                              3    0.0007
Removing the Thawte 1024 bit roots [1] causes the following changes:
Untrusted: +33 sites.
Incomplete chain: +153, -2 sites.
Complete chain: -184 sites.
Sites that become untrusted:
Adding the certificate from comment 13 in bugzilla [1] changes the stats
compared to the above results in a very small way; only 6 hosts lose untrusted
status:
aclen...@199.242.144.30
cqccms...@124.207.135.23
easy-fo...@64.14.56.6
madeind...@194.213.124.118
santan...@212.78.166.49
www.cqcc...@125.35.1.213
So in total, removal of certificates referenced in [1] makes at least 27 hosts untrusted.
Removal of the GTE root has a bigger impact:
complete -86
incomplete +17, -8
untrusted +77
Since the list is so large, I won't be quoting it here.
As such, I'd say that removing those roots now would be premature.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=986014
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1047011
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hka...@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
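To make the categories in the tables above concrete, here is a small Python model, added as an illustration and not Hubert's scanning code, that classifies a server-sent chain as complete, incomplete or untrusted against a root store, computes the effective chain strength as the weakest key on the path (the 80/112/128 bit values of the "Eff. host cert chain LoS" table), and reports which hosts change status when a root is removed. Certificate names, key sizes, the root store and the cross-signed intermediate that rescues hosts (the situation the "certificate from comment 13" describes) are constructed sample data; signatures are modelled by issuer/subject name matching only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: tuple  # (algorithm, bits), e.g. ("RSA", 2048)
# Security strength in bits (NIST SP 800-57 Part 1); an RSA size between two rows gets the
# lower row's strength (conservative assumption). ECDSA strength is bits // 2.
RSA_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
def key_strength(key):
    alg, bits = key
    return bits // 2 if alg == "ECDSA" else max(s for n, s in RSA_STRENGTH if n <= bits)
def build_path(chain, roots, cache):
    """Extend the server-sent chain (leaf first) to a root in `roots`, borrowing from `cache`
    when needed. Signatures are modelled by issuer/subject name matching only."""
    def walk(path, seen):
        top = path[-1]
        if top.issuer in roots:  # reached a trusted root; append it unless the server sent it
            return path if top.subject in roots else path + [roots[top.issuer]]
        for cand in chain[1:] + cache:
            if cand.subject == top.issuer and cand.subject not in seen:
                found = walk(path + [cand], seen | {cand.subject})
                if found: return found
        return None  # dead end: no usable issuer certificate
    return walk([chain[0]], {chain[0].subject})
def classify(chain, roots, cache):
    """(status, effective strength): complete = server chain reaches a trusted root by itself,
    incomplete = only with a cached intermediate, untrusted = no path to a trusted root."""
    path = build_path(chain, roots, cache)
    if path is None:
        return "untrusted", None
    borrowed = any(c not in chain and c.subject not in roots for c in path)
    return ("incomplete" if borrowed else "complete"), min(key_strength(c.key) for c in path)
def root_removal_impact(hosts, roots, cache, removed):
    """host -> (status before, status after) for hosts whose status changes without `removed`."""
    kept = {s: c for s, c in roots.items() if s != removed}
    pairs = {h: (classify(c, roots, cache)[0], classify(c, kept, cache)[0]) for h, c in hosts.items()}
    return {h: p for h, p in pairs.items() if p[0] != p[1]}

# Constructed sample trust store, intermediate cache and hosts (not data from the scan).
OLD = Cert("Old Root", "Old Root", ("RSA", 1024))
NEW = Cert("New Root", "New Root", ("RSA", 2048))
ROOTS = {c.subject: c for c in (OLD, NEW)}
ICA_OLD = Cert("Intermediate", "Old Root", ("RSA", 2048))
ICA_NEW = Cert("Intermediate", "New Root", ("RSA", 2048))  # same CA, cross-signed by NEW
CACHE = [ICA_OLD, ICA_NEW]
HOSTS = {"a.example": [Cert("a.example", "Intermediate", ("RSA", 2048)), ICA_OLD],
         "b.example": [Cert("b.example", "Intermediate", ("RSA", 2048))],
         "c.example": [Cert("c.example", "Old Root", ("RSA", 2048))]}
```

Calling `root_removal_impact(HOSTS, ROOTS, CACHE, "Old Root")` shows a.example dropping from complete to incomplete and c.example becoming untrusted, while running it with `[ICA_OLD]` as the cache (no cross-signed certificate available) makes all three hosts untrusted.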