On 21/09/16 10:21, Gervase Markham wrote:
> On 12/09/16 22:46, Ryan Sleevi wrote:
>> Consider if we start with the list of certificates issued by StartCom
>> and WoSign, assuming the two are the same party (as all reasonable
>> evidence suggests). Extract the subjectAltName from every one of
>> these certificates, and then compare against the Alexa Top 1M. This
>> yields more than 60K certificates, at 1920K in a 'naive' whitelist.
>>
>> However, if you compare based on base domain (as it appears in
>> Alexa), you end up with 18,763 unique names, with a much better
>> compressibility. For example, when compared with Chrome's Public
>> Suffix List DAFSA implementation (as one such compressed data
>> structure implementation), this ends up occupying 126K of storage.
> 
> Can you tell us how many unique base domains (PSL+1) there are across
> WoSign and StartCom's entire certificate corpus,

Hi Gerv.

I ran some queries earlier today on the crt.sh DB, to find all CNs,
dNSNames and iPAddresses in all unexpired certs whose issuer names
include either "WoSign" or "StartCom".  Then I cross-referenced that
with the latest PSL data to discover the unique base domains:

WoSign:
  Unique CNs/dNSNames: 395,222
  Unique Base Domains: 118,785
  Unique IP Addresses: 154

StartCom:
  Unique CNs/dNSNames: 706,020
  Unique Base Domains: 249,841
  Unique IP Addresses: 0

> and what that might look like as a DAFSA?

I don't know how to answer that question, but hopefully the lists of
unique base domains that I generated will help...

https://gist.githubusercontent.com/robstradling/813138699b8527c1af58b4aa784c2d8f/raw/902883344a973103020c35a905d6c25bd4994887/wosign_base_domains.txt

https://gist.githubusercontent.com/robstradling/813138699b8527c1af58b4aa784c2d8f/raw/902883344a973103020c35a905d6c25bd4994887/startcom_base_domains.txt

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
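
The base-domain tally described above, as an added example that is not Rob Stradling's crt.sh query code: it applies the Public Suffix List matching rules (longest match, `*.` wildcards, `!` exceptions) to a constructed PSL excerpt and a constructed list of SAN values, then counts unique names, unique PSL+1 base domains and IP literals the way the figures above are broken down.

```python
PSL_RULES = """
// constructed PSL excerpt: exact, wildcard and exception rules
com
co.uk
*.ck
!www.ck
github.io
"""

def parse_psl(text):
    """Split PSL text into exact, wildcard and exception rules as label tuples."""
    exact, wild, exc = set(), set(), set()
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("//"):
            continue
        bucket = exc if line[0] == "!" else wild if line[:2] == "*." else exact
        bucket.add(tuple(line.lstrip("!*.").split(".")))
    return exact, wild, exc

def base_domain(name, rules):
    """Return the PSL+1 base domain, or None for IPs and bare public suffixes."""
    exact, wild, exc = rules
    labels = tuple(name.lower().rstrip(".").split("."))
    if labels[0] == "*":                      # *.example.com -> example.com
        labels = labels[1:]
    if len(labels) == 4 and all(l.isdigit() for l in labels):
        return None                           # IPv4 literal has no base domain
    suffix_len = 1                            # implicit "*" rule if nothing matches
    for n in range(1, len(labels) + 1):
        cand = labels[-n:]
        if cand in exc:                       # exception rule wins outright
            suffix_len = n - 1
            break
        if cand in exact or (n >= 2 and cand[1:] in wild):
            suffix_len = max(suffix_len, n)   # longest matching rule prevails
    if len(labels) <= suffix_len:
        return None                           # name is itself a public suffix
    return ".".join(labels[-(suffix_len + 1):])

# Constructed SAN values standing in for the crt.sh query output.
SAN_NAMES = ["www.example.com", "example.com", "*.example.com", "shop.example.co.uk",
             "example.co.uk", "blog.user.github.io", "www.ck", "foo.www.ck",
             "bar.ck", "192.0.2.10", "co.uk"]

def summarize(names, rules):
    """Return (unique names, unique base domains, IP literals), as in the counts above."""
    names = {n.lower() for n in names}
    ips = {n for n in names if n.replace(".", "").isdigit()}
    bases = {base_domain(n, rules) for n in names} - {None}
    return len(names), len(bases), len(ips)
```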

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy