US2016373433A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016373433-A1 |
| Application number | US-201615255718-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 2, 2016 |
| Priority date | Mar 7, 2014 |
| Publication date | Dec 22, 2016 |
| Grant date | — |
Abstract
Example embodiments disclosed herein relate to providing network security. A network security device parses an initial handshake or communication to establish an encrypted channel between two endpoints. The network security device validates a certificate chain between the two endpoints and determines a reputation for each of one or more signers of a respective one or more certificates of the certificate chain. The network security device determines a certificate reputation for the certificate chain.
Claims

What is claimed is:

1. A network security device comprising: a recognition engine to recognize and parse an initial handshake used to establish an encrypted channel between two endpoints; a validation engine to validate a certificate chain between the two endpoints; a reputation engine to determine a respective reputation for each of one or more certificates in the certificate chain; and wherein the reputation engine is further to determine a certificate reputation for the certificate chain.
2. The network security device of claim 1, further comprising: a security action engine to perform a security action based on the certificate reputation.
3. The network security device of claim 1, wherein the respective reputations are based on at least one of: a whitelist and a reputation feed.
4. The network security device of claim 3, wherein each of the certificates is associated with a respective signer, and wherein if the respective signer of one respective certificate is not on the whitelist or the reputation feed, the respective reputation is set to a predetermined level indicating that the reputation is permissible.
5. The network security device of claim 1, wherein one of the certificates cannot be validated, and wherein the respective reputation of the one certificate is set to a predetermined level indicating that the reputation is not permissible.
6. The network security device of claim 1, further comprising: a signature type engine to determine whether the certificate chain is self-signed by one of the endpoints, wherein a respective signer of one of the certificates is the one endpoint, wherein if the one certificate is self-signed, perform analysis to determine whether the one certificate is at least one of abnormal and carries an indicator that an illegitimate certificate is in use.
7. The network security device of claim 1, wherein the certificate reputation is based on an average value of the respective reputations and a value of the worst one of the respective reputations.
8. The network security device of claim 1, wherein the respective reputation of one of the certificates is based on a reputation feed and a meta-analysis of the one certificate.
9. A method for using a network security device comprising: recognizing and parsing an initial handshake used to establish an encrypted channel between two endpoints; validating a certificate chain between the two endpoints, wherein the certificate chain includes a plurality of certificates, wherein the respective certificates are each associated with a signer; determining a respective reputation for the certificates, wherein the respective reputation is based on at least one of: a whitelist, a reputation feed, and a self-signed rule; determining a certificate reputation for the certificate chain based on the respective reputations to reflect a trustworthiness of the certificate chain; and performing a security action based on the certificate reputation.
10. The method of claim 9, wherein the certificate reputation for the certificate chain is based on an average value of the respective reputations and a value of the worst one of the respective reputations, and the security action is based on a rule using the average value and the worst value to determine whether to allow a communication via the encrypted channel to pass.
11. The method of claim 9, further comprising: determining whether the certificate chain is self-signed by one of the endpoints because the respective signer of one of the certificates is the one endpoint, determining that a respective domain of the respective signer is not a natural language domain, wherein the respective reputation for the signer is set to a predetermined level indicating that the reputation is not permissible; and wherein the security action is to not allow a communication via the encrypted channel.
12. A non-transitory machine-readable storage medium storing instructions that, if executed by at least one processor of a network security device, cause the network security device to: parse an initial communication to establish an encrypted channel between two endpoints; validate a certificate chain between the two endpoints, wherein the certificate chain includes one or more certificates, and wherein the one or more certificates are respectively associated with a respective signer; determine a respective reputation score for the certificates; determine an average reputation value from the respective reputation scores and determine a worst value reflecting a worst one of the reputation scores; and perform a security action based on the determined average reputation value and the worst value.
13. The non-transitory machine-readable storage medium of claim 12, wherein the respective reputation score of one of the certificates is based, at least in part, on the respective signer and is based on a reputation feed and a meta-analysis of the one certificate associated with the one signer.
14. The non-transitory machine-readable storage medium of claim 12, wherein one of the certificates cannot be validated, and wherein the respective reputation score of the one certificate is set to a predetermined level indicating that the reputation is not permissible.
15. The non-transitory machine-readable storage medium of claim 12, wherein the respective reputations are based on at least one of: a whitelist and a reputation feed associated with the respective signer, and wherein if the respective signer of a respective certificate is not on the whitelist or the reputation feed, the respective reputation is set to a predetermined level indicating that the reputation is permissible.
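The claims describe a scoring scheme: a per-certificate reputation taken from a whitelist or reputation feed, forced to "not permissible" when the certificate fails validation or when a self-signed endpoint certificate carries a non-natural-language domain, then an average and a worst value over the chain with a rule that uses both. The Python below is an added illustration of that scheme, not code from the patent or its assignee; the 0..1 reputation scale, the signer names, the feed scores, the allow/block thresholds and the natural-language heuristic are all constructed assumptions.

```python
"""Certificate-chain reputation scoring modelled on the claims (added example)."""
import re
from dataclasses import dataclass
from statistics import mean

# Assumed scale: 1.0 = the predetermined "permissible" level, 0.0 = "not permissible".
PERMISSIBLE = 1.0
NOT_PERMISSIBLE = 0.0


@dataclass
class Cert:
    subject: str
    signer: str            # identity (domain) of the entity that signed this certificate
    validates: bool = True  # result of chain validation for this certificate


# Constructed whitelist and reputation feed (signer -> score). Not real data.
WHITELIST = {"trusted-root.example"}
REPUTATION_FEED = {"intermediate-ca.example": 0.8, "sketchy-ca.example": 0.2}

# Assumed heuristic for "natural language domain": every label below the TLD is
# made of letter-only words (optionally hyphenated), so "a1b2c3.example" fails.
_WORD_LABEL = re.compile(r"^[a-z]{2,}(?:-[a-z]{2,})*$")


def is_natural_language_domain(domain: str) -> bool:
    labels = domain.lower().split(".")
    return all(_WORD_LABEL.match(label) for label in (labels[:-1] or labels))


def certificate_reputation(cert: Cert, endpoint: str) -> float:
    """Respective reputation of one certificate (claims 3-6, 11)."""
    if not cert.validates:
        return NOT_PERMISSIBLE                      # claim 5 / 14
    if cert.signer == endpoint:                     # self-signed by the endpoint (claim 6)
        if not is_natural_language_domain(cert.signer):
            return NOT_PERMISSIBLE                  # claim 11; other abnormality checks not modelled
    if cert.signer in WHITELIST:
        return PERMISSIBLE
    if cert.signer in REPUTATION_FEED:
        return REPUTATION_FEED[cert.signer]
    return PERMISSIBLE                              # claim 4: unknown signer -> permissible


def chain_reputation(chain: list[Cert], endpoint: str) -> tuple[float, float]:
    """Average and worst of the respective reputations (claims 7, 10, 12)."""
    scores = [certificate_reputation(c, endpoint) for c in chain]
    return mean(scores), min(scores)


def security_action(avg: float, worst: float,
                    avg_threshold: float = 0.5, worst_threshold: float = 0.3) -> str:
    """Rule over both values (claim 10). Thresholds are assumed, not from the patent."""
    return "allow" if avg >= avg_threshold and worst >= worst_threshold else "block"


def evaluate(chain: list[Cert], endpoint: str) -> dict:
    avg, worst = chain_reputation(chain, endpoint)
    return {"average": avg, "worst": worst, "action": security_action(avg, worst)}


# Constructed sample chains for a client connecting to "www.example".
GOOD_CHAIN = [
    Cert("www.example", "intermediate-ca.example"),
    Cert("intermediate-ca.example", "trusted-root.example"),
    Cert("trusted-root.example", "trusted-root.example"),   # root, but not the endpoint
]
# A good average hidden by one poorly-rated signer: the worst value catches it.
MIXED_CHAIN = [
    Cert("www.example", "sketchy-ca.example"),
    Cert("sketchy-ca.example", "trusted-root.example"),
    Cert("trusted-root.example", "trusted-root.example"),
]
UNVALIDATED_CHAIN = [
    Cert("www.example", "sketchy-ca.example"),
    Cert("sketchy-ca.example", "trusted-root.example", validates=False),
]
# Self-signed endpoint certificate whose domain is not natural language (claim 11).
SELF_SIGNED_CHAIN = [Cert("a1b2c3.example", "a1b2c3.example")]

if __name__ == "__main__":
    for name, chain, endpoint in [
        ("good", GOOD_CHAIN, "www.example"),
        ("mixed", MIXED_CHAIN, "www.example"),
        ("unvalidated", UNVALIDATED_CHAIN, "www.example"),
        ("self-signed", SELF_SIGNED_CHAIN, "a1b2c3.example"),
    ]:
        print(name, evaluate(chain, endpoint))
```

The mixed chain is the instructive case: its average (about 0.73) clears the assumed threshold, yet the worst value (0.2) blocks it, which is why claims 7, 10 and 12 carry both values rather than the average alone.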
CPC classifications:

- H04L9/3263: using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates)
- using certificate chains, trees or paths; Hierarchical trust model
- Access control lists [ACL]