# HTTPS Support

## Four states

### Invalid Certificate -- An HTTPS server answered, but the certificate couldn't be validated

```python
plot_https_support()
```


# Main results

## HTTPS support grew from 40% to nearly 47%

```python
plot_combined_errors()
```


## Across registrars, is the distribution of errors and support even?

```python
plot_reg_https_use_distribution()
```

```python
plot_age_group_https_support()
```


# Protocol Support

## An active HTTPS server can support multiple secure protocols

### Secure Socket Layer (SSL) and Transport Layer Security (TLS)

| Protocol | Release Date | Deprecation Date |
|----------|--------------|------------------|
| SSL v2.0 | Feb 1995     | 2011             |
| SSL v3.0 | 1996         | June 2015        |
| TLS v1.0 | Jan 1999     |                  |
| TLS v1.1 | Apr 2006     |                  |
| TLS v1.2 | Aug 2008     |                  |
| TLS v1.3 | IETF draft   |                  |

```python
plot_proto_support()
```


## Let's simplify the view

### Group protocol support by

#### Bad -- Supports SSL v2.0 or SSL v3.0

```python
plot_overall_proto_support()
```


# What about the distribution across registrars?

```python
plot_reg_https_support_distribution()
```


# Certificate Public Keys

- SSL and TLS rely on certificates issued by Certificate Authorities to authenticate the website
- The certificate contains a cryptographic key used to encrypt traffic
- Cryptographic keys can be RSA, DSA or ECC
- Key size is measured in bits, and what counts as a given size depends on the algorithm

```python
plot_cert_pub_key()
```


# Cryptographic keys can be weak, acceptable or strong

| Type       | Criteria                                                          |
|------------|-------------------------------------------------------------------|
| Weak       | RSA keys with size under 2048 bits                                |
| Acceptable | RSA keys between 2048 and 3072 bits                               |
| Strong     | RSA keys of at least 3072 bits and ECC keys of size 256 or more   |

```python
plot_key_strength()
```
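As an added example (not code from the notebook), the two classifications above, the "Bad" protocol group and the key-strength table, applied to a constructed set of scan records and aggregated per registrar the way the distribution plots do. The record layout, the registrar names and the `ok`/`unclassified` labels are assumptions; DSA keys and ECC keys under 256 bits are not covered by the page's table, so they are reported rather than guessed.

```python
from collections import Counter, defaultdict

# Constructed scan records, not data from the study:
# (domain, registrar, protocols offered, key type, key size in bits)
SAMPLE_SCAN = [
    ("a.example", "RegA", {"TLSv1.2", "TLSv1.1"}, "RSA", 2048),
    ("b.example", "RegA", {"SSLv3", "TLSv1.0", "TLSv1.2"}, "RSA", 1024),
    ("c.example", "RegB", {"TLSv1.2", "TLSv1.3"}, "ECC", 256),
    ("d.example", "RegB", {"TLSv1.2"}, "RSA", 4096),
    ("e.example", "RegB", {"SSLv2", "SSLv3"}, "RSA", 3072),
]

DEPRECATED_SSL = {"SSLv2", "SSLv3"}


def key_strength(key_type, key_bits):
    """Classify a certificate public key with the weak/acceptable/strong table."""
    if key_type == "RSA":
        if key_bits < 2048:
            return "weak"
        if key_bits < 3072:
            return "acceptable"
        return "strong"  # 3072 bits and above
    if key_type == "ECC" and key_bits >= 256:
        return "strong"
    # DSA, and ECC below 256 bits, have no row in the table (assumed label)
    return "unclassified"


def proto_group(protocols):
    """'bad' if any deprecated SSL version is offered, else 'ok' (assumed label)."""
    return "bad" if protocols & DEPRECATED_SSL else "ok"


def distribution_by_registrar(records):
    """Per registrar: share of hosts in the 'bad' group and key-strength counts."""
    acc = defaultdict(lambda: {"hosts": 0, "bad": 0, "keys": Counter()})
    for _domain, registrar, protocols, key_type, key_bits in records:
        entry = acc[registrar]
        entry["hosts"] += 1
        if proto_group(protocols) == "bad":
            entry["bad"] += 1
        entry["keys"][key_strength(key_type, key_bits)] += 1
    return {
        reg: {"bad_share": e["bad"] / e["hosts"], "keys": dict(e["keys"])}
        for reg, e in acc.items()
    }


if __name__ == "__main__":
    for reg, stats in distribution_by_registrar(SAMPLE_SCAN).items():
        print(reg, stats)
```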


# Protocol features

## Test for optional protocol features

- Session resumption: Faster connection re-establishment when a connection is dropped or when talking to a server farm
- Server renegotiation: Establish a new SSL connection with different parameters over an existing SSL connection
- SSL/TLS compression: Not a recommended feature; it has low support from servers and the potential for security vulnerabilities like CRIME and BREACH
- HSTS: HTTP Strict Transport Security, protection against protocol downgrade attacks
- Client renegotiation: Signals that the server allows client-side renegotiation. Considered a potential attack vector, as a set of clients can exhaust the server's resources

```python
plot_protocol_features()
```


# Certificate Authorities

- Certificates are issued by Certificate Authorities
- Browsers are configured to trust a set of CAs
- It's relatively simple to set up your own CA
- Trust within the browsers needs to be set up as well
- There are 841 unique CAs identified in the data; pick the largest for analysis

```python
plot_ca()
```


# There is a lot of variation across the market, let's take a closer look

```python
plot_ca_diff()
```


# Main observations in the CA market

## Important losses for GeoTrust Inc and GoDaddy

```python
plot_age_ca()
```


## What's the relation between DNS/HTTPS and domain drops?

### If a domain no longer exists in 2018, it is marked as "Deleted"

```python
domain_state_change_plot()
```