On 21/09/2016 21:40, Rob Stradling wrote:
On 21/09/16 15:06, Rob Stradling wrote:
<snip>
I ran some queries earlier today on the crt.sh DB, to find all CNs,
dNSNames and iPAddresses in all unexpired certs whose issuer names
include either "WoSign" or "StartCom".  Then I cross-referenced that
with the latest PSL data to discover the unique base domains:


Someone contacted me off-list (thanks!) to point out that my lists were
incomplete.  I'd missed a load of base domains delegated below the new
gTLDs.  (I hadn't spotted that my local copy of
https://data.iana.org/TLD/tlds-alpha-by-domain.txt was rather out of date).

Updated count and gists...

WoSign:
  Unique Base Domains: 127,355

StartCom:
  Unique Base Domains: 259,712

https://gist.githubusercontent.com/robstradling/813138699b8527c1af58b4aa784c2d8f/raw/11fc8efbb0e594a12b3c5e2e76d9a9e474e24ea9/wosign_base_domains.txt

https://gist.githubusercontent.com/robstradling/813138699b8527c1af58b4aa784c2d8f/raw/11fc8efbb0e594a12b3c5e2e76d9a9e474e24ea9/startcom_base_domains.txt

WoSign:
  Unique CNs/dNSNames: 395,222
  Unique Base Domains: 118,785
  Unique IP Addresses: 154

StartCom:
  Unique CNs/dNSNames: 706,020
  Unique Base Domains: 249,841
  Unique IP Addresses: 0
<snip>


While you are at it:

1. How many WoSign/StartCom certificates did you find with domains not
  on that IANA list?

2. How many WoSign/StartCom certificates did you find for other uses
  than https://www.example.tld:

2.1 Certificates for "odd" subdomains such as "extranet.example.com"

2.2 Certificates for e-mail

2.3 Code signing certificates

2.4 Others?



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
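
The cross-referencing step described in the quoted message, shown as an added example (not part of the original thread and not crt.sh's own code): it reduces certificate names to unique base domains with the Public Suffix List matching rules. The rule subset, TLD sets, sample names and the TLD filter in `base_domain` are constructed assumptions, chosen to show how an out-of-date TLD list drops base domains under a new gTLD.

```python
# Constructed sample data: a tiny PSL subset and two TLD lists (assumptions).
PSL_RULES = {"com", "uk", "co.uk", "top", "*.ck", "!www.ck"}
TLDS_STALE = {"COM", "UK", "CK"}        # hypothetical out-of-date local copy
TLDS_CURRENT = TLDS_STALE | {"TOP"}     # same list after a new gTLD is added

def public_suffix_len(labels):
    """Return how many trailing labels form the public suffix."""
    best = 1  # PSL default rule "*": an unlisted TLD is itself the suffix
    for i in range(len(labels)):
        cand = labels[i:]
        if "!" + ".".join(cand) in PSL_RULES:
            return len(cand) - 1  # exception rule prevails, minus its first label
        wildcard = "*." + ".".join(cand[1:])
        if ".".join(cand) in PSL_RULES or (len(cand) > 1 and wildcard in PSL_RULES):
            best = max(best, len(cand))
    return best

def base_domain(name, tlds):
    """Registrable (base) domain of a CN/dNSName, or None if it has none."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # wildcard certificate name: evaluate the parent name
    labels = name.split(".")
    if labels[-1].upper() not in tlds:
        return None  # assumed filter: names under unknown TLDs are discarded
    k = public_suffix_len(labels)
    if len(labels) <= k:
        return None  # the name is itself a public suffix
    return ".".join(labels[-(k + 1):])

def unique_base_domains(names, tlds):
    return {b for b in (base_domain(n, tlds) for n in names) if b}

# Constructed certificate names, not taken from crt.sh.
NAMES = ["www.example.com", "mail.example.com", "*.shop.example.co.uk",
         "login.example.top", "example.top", "co.uk", "a.www.ck", "192.0.2.1"]

if __name__ == "__main__":
    stale = unique_base_domains(NAMES, TLDS_STALE)
    current = unique_base_domains(NAMES, TLDS_CURRENT)
    print(len(stale), len(current), sorted(current - stale))
```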
