HTTPS Zombies among Italian Public Administration’s web sites

SSL connections

Tales of terror: SSL nightmare. Despite the fact that confidentiality, integrity and identity play a key role in the modern Internet, Italian Public Administrations seem to underestimate how important an HTTPS web site is for establishing trusted relations with citizens.

We examined 8,494 web sites and tried to establish a TCP connection on port 443. Well, 3,776 (44.45%) responded, 3,191 (37.57%) gave ‘connection timed out’ and 1,485 (17.48%) gave ‘connection refused’; besides, for 42 destinations (0.49%) we received a ‘no route to host’ message (seriously? come on guys).

Now let’s focus on active web sites: out of 3,776, 14 redirected (HTTP/1.1 301) to TCP port 80. I often see connections to TCP 80 redirected to TCP 443 in order to force clients to use HTTPS, but never 443 to 80 (ok, never say never).

There are servers out there with self-signed certificates, 1,231 (14.49%) exactly. Or servers with expired certificates: 111 (1.3%).


Other numbers for different replies:

  • Unable to establish SSL connection: 345 (4.06%)
  • ERROR: no certificate subject alternative name matches: 1,494 (17.59%)
  • ERROR: certificate common name doesn’t match requested host name: 1,748 (20.58%)

Just 58 web sites have an accurate SSL setup: 0.68% of the examined web sites. That’s the bottom line.

So, I would warmly encourage any IT crew in Italian Public Administration to rapidly deploy and maintain good SSL certificates on all the web sites exposed to the Internet.
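For anyone who wants to run the same kind of check on their own hosts, here is a small added example (not the code used for this survey) that sorts each host into the categories counted above. It assumes Python's `ssl` module with the system trust store; the function names and the "valid certificate" label are mine, the two name-mismatch messages are folded into one category, and the 443-to-80 redirect is not tested.

```python
import errno
import socket
import ssl
import sys
from collections import Counter

# OpenSSL X509 verify codes mapped to the categories used in the post.
VERIFY_CODES = {
    10: "expired certificate",
    18: "self-signed certificate",
    19: "self-signed certificate",   # self-signed certificate in the chain
    62: "hostname mismatch",         # SAN/CN does not match requested host
}

def classify_error(exc):
    """Map a connection or handshake exception to a survey category."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "connection timed out"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return VERIFY_CODES.get(getattr(exc, "verify_code", None), "other certificate error")
    if isinstance(exc, ssl.SSLError):
        return "unable to establish SSL connection"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "no route to host"
    return "other error"

def probe(host, port=443, timeout=5.0):
    """Open TCP 443, run a fully verified TLS handshake, return the category."""
    ctx = ssl.create_default_context()   # verifies both chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "valid certificate"
    except OSError as exc:
        return classify_error(exc)

def summarize(categories):
    """Return {category: (count, percent of all probed hosts)}."""
    counts = Counter(categories)
    total = sum(counts.values())
    return {c: (n, round(100 * n / total, 2)) for c, n in counts.items()}

if __name__ == "__main__":
    hosts = sys.argv[1:]   # host names passed on the command line
    for cat, (n, pct) in summarize(probe(h) for h in hosts).items():
        print(f"{cat}: {n} ({pct}%)")
```

Run it from a scheduled job against the host names you are responsible for, and alert on anything that is not "valid certificate".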

accurate SSL websites

[Raw hostnames from: ]

Creative Commons License
HTTPS Zombies among Italian Public Administration’s web sites by Antonio Prado is licensed under a Creative Commons Attribution-ShareAlike 4.0 International
