On 04/24/2014 05:04 AM, Radu Hociung wrote:
> On Wednesday, April 23, 2014 6:00:41 PM UTC-4, Eddy Nigg wrote:
>> I do have a few questions to you! How can you know that a site using a
>> certificate from ANY CA isn't or wasn't affected by the Heartbleed bug?
> I'm planning on a more thorough answer that cross references the SSL
> observatory data from 2010 with a fresh update, and with published CRLs. One
> would expect that each CA would have about 17% of their issued certificates be
> revoked and re-keyed due to heartbleed. In a day or two I should have some
> stats.
Don't waste your time, I'll help you....: https://isc.sans.edu/crls.html
Now, using current data from Netcraft which I'm not really allowed to
publish shows StartCom with slightly above 100,000 certificates. Without
leaking any more data from Netcraft I can tell you that the revocation
rate of StartSSL is in fact higher than any other CA except GlobalSign,
but their situation is unique (and maybe also problematic due to the CRL
size).
Assuming that 17% of all certificates were affected by the bug you can
see easily that about 1.5% of all certificates were revoked on average
excluding GlobalSign. StartCom's revocations are currently slightly short
of 2%, above average.
It also means that on average there are still 15.5% of certificates that
might be affected and still not revoked, assuming none of them expired.
Not that I believe that those keys in fact have been compromised, but
applying your logic there are a bunch of CAs you probably should disable
now.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: [email protected] <xmpp:[email protected]>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
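The CRL-based revocation counting the thread argues over, as an added example that is not part of the original thread and not StartCom's, Netcraft's or SANS ISC's tooling: it parses a CRL with Go's standard library, counts entries revoked on or after the Heartbleed disclosure date (2014-04-07; using that as the cutoff is this example's assumption), and expresses them as a share of an issued-certificate count the caller supplies, the way the 2% figures above are derived. The CRL it runs on is a constructed fixture signed with a throwaway key; `main` feeds it three entries (one a month before the disclosure, two on or after it) against 100 issued certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Heartbleed disclosure date (assumed cutoff): CRL entries revoked on or after it count as post-Heartbleed.
var Heartbleed = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)
// CountRevocations parses a DER CRL and returns its entry count, the entries revoked on or after `since`, and the latter as a fraction of `issued` (must be > 0).
func CountRevocations(crlDER []byte, issued int, since time.Time) (total, recent int, rate float64, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return 0, 0, 0, err
	}
	for _, e := range crl.RevokedCertificates {
		if !e.RevocationTime.Before(since) {
			recent++
		}
	}
	return len(crl.RevokedCertificates), recent, float64(recent) / float64(issued), nil
}
// BuildSampleCRL signs a CRL with a throwaway key so the counter runs offline (constructed fixture, not any real CA's CRL); entries get serials 1, 2, ... in input order.
func BuildSampleCRL(revokedAt []time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// CreateRevocationList needs only the issuer's name, key id and crlSign usage, not a full certificate.
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Test CA"}, SubjectKeyId: []byte{1, 2, 3, 4}, KeyUsage: x509.KeyUsageCRLSign}
	entries := make([]pkix.RevokedCertificate, len(revokedAt))
	for i, t := range revokedAt {
		entries[i] = pkix.RevokedCertificate{SerialNumber: big.NewInt(int64(i + 1)), RevocationTime: t}
	}
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: Heartbleed.AddDate(0, 0, 17), NextUpdate: Heartbleed.AddDate(0, 1, 0), RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, crl, issuer, key)
}
func main() {
	// Constructed sample: one revocation a month before the disclosure, two on or after it, 100 certs issued.
	der, err := BuildSampleCRL([]time.Time{Heartbleed.AddDate(0, -1, 0), Heartbleed, Heartbleed.AddDate(0, 0, 9)})
	if err != nil {
		panic(err)
	}
	fmt.Println(CountRevocations(der, 100, Heartbleed)) // prints: 3 2 0.02 <nil>
}
```

Against a real CA, the DER bytes would come from the CRL distribution point and the issued count from an external census such as the observatory data mentioned above; the ratio is only as good as that denominator.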