The way you position yourself in the network infrastructure is of great importance when doing data collection.
Users of a given ISP may have rogue certificates while others in the same country but on another ISP may not. We as researchers need to position ourselves at different network scopes in order to detect rogue certificates more efficiently and thus identify doubtful CAs, or even individual persons being monitored, more effectively. All users reaching the same endpoint should have the same certificate. So this is an important technical aspect that must be addressed carefully. The best way, I think, would be making users from those countries run some probe (as volunteers) to get their "Certificates" View. Actually EFF partially advocates this by telling people how to run their SSL Observatory, but at the same time they suggest doing it in a Cloud Environment, thus distorting the main purpose of sitting ourselves at different network locations when collecting data.

On Thu, Sep 22, 2011 at 5:30 PM, Ralph Holz <[email protected]> wrote:
> Hi,
>
>> study this more carefully and as soon as possible. SSL Observatory from
>> EFF is a step forward but we need more.
>
> Their distributed observatory is probably going to help much here, but I
> can offer the data sets from our paper. I'll put the paper online
> tomorrow and paste the link here.
>
>> 1 - We need data on the details of certificates obtained from
>> different geographic/government locations when pointing to popular
>> endpoints such as google, facebook and so on
>
> We did not find any differences in the top 200 or so, and the rest did
> not seem suspicious. See the links in the previous mail for the set of
> differing certs.
>
>> 2 - We need to map/take_in_account clustered endpoints, like google,
>> when doing this, since certificates differ in the clusters.
>
> We did not observe that too often (Microsoft did it, not sure about
> Google), but yes, we would need to crawl such clusters.
>
>> 3 - Sitting ourselves in different geographic locations when performing
>> data collection should be done using different methods (use of
>> proxies, people from different countries submitting their certificates
>> views..???).
>
> Sorry, I don't quite get that?
>
> Ralph
>
> --
> Dipl.-Inform. Ralph Holz
> I8: Network Architectures and Services
> Technische Universität München
> http://www.net.in.tum.de/de/mitarbeiter/holz/
>
> _______________________________________________
> cryptography mailing list
> [email protected]
> http://lists.randombit.net/mailman/listinfo/cryptography
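
The comparison discussed in this message, as an added example that is not part of the original e-mail or of any project named in it: leaf-certificate fingerprints for the same endpoint are grouped by vantage point, and certificates that disagree with the most widely seen one are reported. The vantage names, `example.test` hosts, certificate bytes and the `known` allow-list for clustered endpoints are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed observations: (vantage point, endpoint, leaf certificate bytes).
# The byte strings stand in for DER certificates collected by volunteer probes.
OBSERVATIONS = [
    ("isp-a", "login.example.test", b"leaf-1"),
    ("isp-b", "login.example.test", b"leaf-1"),
    ("cloud-vm", "login.example.test", b"leaf-1"),
    ("isp-c", "login.example.test", b"leaf-other"),
    ("isp-a", "cdn.example.test", b"node-1"),
    ("isp-b", "cdn.example.test", b"node-2"),
    ("cloud-vm", "cdn.example.test", b"node-1"),
    ("isp-a", "mail.example.test", b"mail-1"),
    ("isp-b", "mail.example.test", b"mail-2"),
]

def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, as hex."""
    return hashlib.sha256(der).hexdigest()

def find_outliers(observations, known=None):
    """Return {endpoint: {fingerprint: [vantage points]}} for certificates that
    disagree with the one most vantage points saw for the same endpoint.
    known maps an endpoint to fingerprints already verified as legitimate,
    such as the differing certificates of a clustered endpoint."""
    known = known or {}
    seen = defaultdict(lambda: defaultdict(set))
    for vantage, endpoint, der in observations:
        seen[endpoint][fingerprint(der)].add(vantage)
    report = {}
    for endpoint, by_fp in seen.items():
        verified = known.get(endpoint, set())
        suspects = {fp: v for fp, v in by_fp.items() if fp not in verified}
        if not verified and suspects:
            counts = sorted((len(v) for v in suspects.values()), reverse=True)
            if len(counts) == 1:
                continue  # every vantage point saw the same certificate
            if counts[0] > counts[1]:
                # The most widely seen certificate is the baseline; on a tie
                # there is no baseline and every certificate stays reported.
                suspects = {fp: v for fp, v in suspects.items() if len(v) < counts[0]}
        if suspects:
            report[endpoint] = {fp: sorted(v) for fp, v in suspects.items()}
    return report

if __name__ == "__main__":
    cluster = {"cdn.example.test": {fingerprint(b"node-1"), fingerprint(b"node-2")}}
    for endpoint, certs in find_outliers(OBSERVATIONS, cluster).items():
        for fp, vantages in certs.items():
            print(endpoint, fp[:16], vantages)
```

Without the `known` entry for the clustered endpoint, `cdn.example.test` is reported as a false positive, which is why point 2 in the quoted list matters for this kind of comparison.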
