On 03/06/15 16:15, Richard Barnes wrote:
+1 to Eric's praise.  Nice idea.

Thanks Richard.  :-)

Even better if you were to open-source the code ;)

That's a conversation I've yet to have with my employer.

David Keeler has done some work on visualizing certs that may be helpful.
http://people.mozilla.org/~dkeeler/certsplainer/
https://github.com/mozkeeler/certsplainer

I'll take a look.  Thanks.

I notice that % is your wildcard character.  Hopefully this doesn't
indicate a SQL injection risk!

What sort of SQL injection risk are you concerned about?

http://en.wikipedia.org/wiki/SQL_injection
"SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)"

"to dump the database" is kinda the point of crt.sh.  :-)

All of the data is already public (in the CT logs). I would happily permit searches for "?q=%25" if I had unlimited bandwidth and server performance. (Currently any search that's still running after a minute or two is automatically killed).

Also, the database used by https://crt.sh is a read-only slave, so even if you could inject something like "DROP TABLE certificate", it would fail to execute.

Sent from my iPhone.  Please excuse brevity.

On Jun 3, 2015, at 10:01, Rob Stradling <[email protected]> wrote:

On 03/06/15 14:43, Eric Mill wrote:
This is outstanding - simple, but totally what people need to start
getting the idea and benefit of CT.

Thanks Eric.  :-)

One high ROI addition might be RSS feeds for search terms. That way, I
could create e.g. an IFTTT alert that emails me whenever a certificate
is publicly logged as being issued for my domains.

Indeed.  It's on the todo list.

-- Eric

On Wed, Jun 3, 2015 at 8:56 AM, Rob Stradling <[email protected]> wrote:

    Hi.  I thought folks here might find this useful.  It's a web
    interface that lets you search for certs that have been logged by CT.

    https://crt.sh

    Pronounced "search".  :-)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
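The exchange above turns on two points: a user-supplied `%` can be a LIKE wildcard without being an injection vector as long as the search term is bound as a parameter rather than spliced into the SQL text, and a read-only replica refuses writes even if a statement somehow reached it. The following is an added example, not code from the thread or from crt.sh. It uses Python's `sqlite3` with a constructed four-row `certificate` table standing in for a CT index, and SQLite's `mode=ro` URI flag as a stand-in for the read-only slave described in the thread; the table and column names are assumptions for illustration.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows standing in for names pulled out of CT log entries.
SAMPLE_ROWS = [
    (1, "example.com"),
    (2, "www.example.com"),
    (3, "mail.example.org"),
    (4, "100%.example.net"),  # a name containing a literal percent sign
]


def build_db(path):
    """Create the hypothetical certificate table on a writable connection."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE certificate (id INTEGER PRIMARY KEY, name_value TEXT)")
    conn.executemany("INSERT INTO certificate VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def open_readonly(path):
    """Open the file read-only: the local analogue of querying a read-only replica."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def escape_like(term):
    """Make %, _ and the escape character literal inside a LIKE pattern."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search(conn, q, allow_wildcards=True):
    """Search name_value with q bound as a parameter.

    With allow_wildcards=True the caller's % and _ act as LIKE wildcards
    (the crt.sh behaviour the thread describes); with False they are escaped
    and match literally. In both cases q is data, never SQL text.
    """
    pattern = q if allow_wildcards else escape_like(q)
    rows = conn.execute(
        "SELECT name_value FROM certificate WHERE name_value LIKE ? ESCAPE '\\' ORDER BY id",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def try_write(conn, statement):
    """Attempt a write; on a read-only connection SQLite raises OperationalError."""
    try:
        conn.execute(statement)
        conn.commit()
        return "executed"
    except sqlite3.OperationalError as exc:
        return f"refused: {exc}"


def demo():
    """Run the scenarios from the thread and return their outcomes by name."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ct.db")
        build_db(path)
        conn = open_readonly(path)
        results = {
            # % as the user's wildcard, like ?q=%25 in the thread
            "wildcard": search(conn, "100%"),
            # same term with wildcards escaped: the percent sign is now literal
            "literal": search(conn, "100%", allow_wildcards=False),
            # an injection-shaped term is just an odd string that matches nothing
            "injection_shaped": search(conn, "'; DROP TABLE certificate; --"),
            # a write statement reaching the replica is rejected outright
            "write_on_replica": try_write(conn, "DROP TABLE certificate"),
            # and the table is still there afterwards
            "all_rows": search(conn, "%"),
        }
        conn.close()
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The parameter placeholder does the real work: the database driver sends the pattern as a value, so quotes and semicolons in it never reach the SQL parser. The `ESCAPE '\'` clause is only needed when you want to let users search for a literal `%`, which is the one case where a wildcard-tolerant interface has to do some escaping of its own.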
