Report: software bugs are the main cause of SSL certificate misissuance
A recent academic study found that software bugs and misunderstandings of industry standards are the most common causes of misissued SSL certificates, together accounting for 42% of all misissuance incidents. The study, by a team at the School of Informatics and Computing at Indiana University Bloomington, examined 379 cases of SSL certificate misissuance covering more than 1,300 known incidents.
The researchers collected the data from public sources such as Mozilla's Bugzilla tracker and the online discussion forums of the Firefox and Chrome security teams. The aim of the study was to examine how well certificate authorities (CAs) comply with industry standards and what most often lies behind certificate misissuance.
The team concluded that most misissued SSL certificates are the result of software bugs. Of the 379 cases analysed, 91 (24%) were caused by bugs in the CA's own issuance software, which led to customers receiving non-compliant SSL certificates.
The second most common cause, with 69 cases (18% of all misissuance incidents), was a CA misunderstanding the CA/Browser Forum (CA/B Forum) rules, or not knowing that the rules had changed.
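What a "non-compliant" certificate looks like in practice, and the kind of pre-issuance check that catches it, as an added example that is not from the study or the ZDNet article. The Go program below (standard library only) mints two constructed self-signed certificates, one of the shape a buggy issuance pipeline might emit and one issued correctly, and runs a few Baseline Requirements checks over both. The 825-day lifetime cap is the limit the CA/B Forum introduced in March 2018, cited here as one instance of the kind of rule change the study says CAs missed, not a rule named on the page; the function names (`LintCertificate`, `selfSign`, `BuggyCert`, `CompliantCert`), the certificate contents and the internal-name heuristic are assumptions made for this illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Lifetime cap the Baseline Requirements set in March 2018 (825 days); browser
// policy has since cut it to 398 days. Set it to the rule you are auditing against.
const maxValidity = 825 * 24 * time.Hour

// LintCertificate checks a parsed leaf certificate against a small subset of the
// Baseline Requirements and returns one line per violation. A real audit runs a
// full linter such as zlint; this only shows the shape of the checks.
func LintCertificate(c *x509.Certificate) (problems []string) {
	// The validity period is capped.
	if v := c.NotAfter.Sub(c.NotBefore); v > maxValidity {
		problems = append(problems, fmt.Sprintf("validity of %.0f days exceeds the %.0f-day cap", v.Hours()/24, maxValidity.Hours()/24))
	}
	// RSA subscriber keys must be at least 2048 bits.
	if pk, ok := c.PublicKey.(*rsa.PublicKey); ok && pk.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("RSA key is %d bits, minimum is 2048", pk.N.BitLen()))
	}
	// Internal (non-public) names must not appear in the subjectAltName. This test
	// is a heuristic (an assumption of this example); a full linter consults the public suffix list.
	for _, n := range c.DNSNames {
		if !strings.Contains(n, ".") || strings.HasSuffix(n, ".local") {
			problems = append(problems, "internal name in subjectAltName: "+n)
		}
	}
	// Serial numbers must be positive and carry at least 64 bits of CSPRNG output.
	if c.SerialNumber.Sign() <= 0 || c.SerialNumber.BitLen() < 64 {
		problems = append(problems, "serial number is not positive or is shorter than 64 bits")
	}
	return problems
}

// selfSign (hypothetical helper) mints a self-signed certificate from a template so
// the example runs offline; a real audit parses certificates the CA actually issued.
func selfSign(tmpl *x509.Certificate, key crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuggyCert is a constructed example of what a broken issuance pipeline might emit:
// a three-year lifetime, a 1024-bit key, internal names and a tiny serial.
func BuggyCert() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	return selfSign(&x509.Certificate{
		SerialNumber: big.NewInt(7),
		Subject:      pkix.Name{CommonName: "intranet"},
		NotBefore:    time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC),
		DNSNames:     []string{"intranet", "mail.corp.local"},
	}, key)
}

// CompliantCert is the same certificate issued correctly (also constructed).
func CompliantCert() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126))
	if err != nil {
		return nil, err
	}
	serial.SetBit(serial, 126, 1) // 127-bit positive serial drawn from the CSPRNG
	return selfSign(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "www.example.com"},
		NotBefore:    time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		DNSNames:     []string{"www.example.com", "example.com"},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, key)
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){BuggyCert, CompliantCert} {
		cert, err := mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %q\n", cert.Subject.CommonName, LintCertificate(cert))
	}
}
```

Run with `go run`: it prints each certificate's common name followed by its list of violations, five for the buggy certificate (lifetime, key size, two internal names, serial entropy) and none for the compliant one. The point is that every one of these violations is mechanical and cheap to test for, which is why a linter in the issuance path, rather than after-the-fact Bugzilla reports, is the usual fix for the "software bug" and "missed rule change" categories.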
Rogue CAs came third, with 52 cases (14% of the incidents analysed): CAs that deliberately broke the industry rules for profit, for example by selling certificates to man-in-the-middle attackers.
Source: ZDNet