Yesterday I knocked together a script that: scrapes a URL (or a list of
URLs) for certificate files; then attempts to build a trust chain (using
https://crt.sh/gen-add-chain) for each certificate found; then submits
to some CT logs any trust chains that crt.sh hasn't previously seen.
I've thrown the code up on GitHub [1].
Overnight I left certscraper to scrape the following lists of URLs:
- the disclosure URLs that CAs provided in response to Mozilla's May
2014 CA Communication [2].
- the CP/CPS URLs currently listed in the CCADB (some of which appear
to be repository pages).
- the Belgian Government eID repository pages [3].
certscraper found...
- 8 DigiCert intermediates (found on [4]) that should've been already
disclosed to CCADB, but weren't:
https://crt.sh/?id=135966905
https://crt.sh/?id=135966906
https://crt.sh/?id=135966907
https://crt.sh/?id=135966908
https://crt.sh/?id=135970325
https://crt.sh/?id=135970327
https://crt.sh/?id=135970329
https://crt.sh/?id=135970332
- 10 Belgian eID intermediates:
https://crt.sh/?id=135626971
https://crt.sh/?id=135626972
https://crt.sh/?id=135626973
https://crt.sh/?id=135626974
https://crt.sh/?id=135626975
https://crt.sh/?id=135626980
https://crt.sh/?id=135626981
https://crt.sh/?id=135626982
https://crt.sh/?id=135626983
https://crt.sh/?id=135626984
Another 1 undisclosed Belgian eID intermediate
(https://crt.sh/?id=135002620) had appeared in crt.sh a couple of days
earlier.
It would seem that DigiCert noticed these 19 intermediates appear on
https://crt.sh/mozilla-disclosures#undisclosed whilst I was asleep,
because they've all now been disclosed to the CCADB.
They should've been disclosed some time ago, however.
[1] https://github.com/robstradling/certscraper
[2] https://docs.google.com/spreadsheets/d/1v-Lrxo6mYlyrEli_wSpLsHZvV5dJ_vvSzLTAMfxI5n8/pubhtml
[3] https://github.com/robstradling/certscraper/blob/master/url_lists/belgian_eid.txt
[4] https://www.digicert.com/digicert-root-certificates.htm?show=all
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
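As an added illustration of the first stage of the workflow described above (scrape repository pages for certificate files, fingerprint what is found, and report anything not already in a known/disclosed set), here is a small stand-alone Python scraper. It is example code written for this page, not certscraper's own implementation: the extension list, the DER sniffing rule, the `example` hostnames and the byte blobs standing in for certificates are all constructed assumptions, and the later steps (building a chain via crt.sh/gen-add-chain and submitting it to CT logs) are left out because they need network access. The `fetch` callable is injected so the whole thing runs offline; in real use it would be an HTTP GET.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# File extensions treated as candidate certificate files (an assumption for
# this example, not certscraper's actual list).
CERT_EXTENSIONS = (".crt", ".cer", ".pem", ".der")

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


class CertLinkExtractor(HTMLParser):
    """Collect hrefs on a repository page that point at certificate files."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href and href.lower().split("?")[0].endswith(CERT_EXTENSIONS):
            self.links.append(urljoin(self.base_url, href))


def extract_cert_links(page_html, base_url):
    parser = CertLinkExtractor(base_url)
    parser.feed(page_html)
    return parser.links


def ders_from_file(data):
    """Return the DER-encoded certificates contained in a downloaded file.

    A PEM file may hold several certificates; a bare DER file holds one and
    starts with an ASN.1 SEQUENCE tag (0x30) followed by a long-form length.
    """
    ders = [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(data)]
    if not ders and data[:1] == b"\x30" and data[1:2] in (b"\x82", b"\x83"):
        ders = [data]
    return ders


def sha256_fingerprint(der):
    # crt.sh identifies certificates by the SHA-256 of the DER encoding.
    return hashlib.sha256(der).hexdigest().upper()


def find_unknown_certs(page_urls, fetch, known_fingerprints):
    """Scrape each page, download every linked certificate file and return
    {fingerprint: source_url} for certificates not in known_fingerprints.

    Deduplicates across pages and files, so a certificate served both as a
    bare DER file and inside a PEM bundle is reported once.
    """
    unknown = {}
    seen = set()
    for page_url in page_urls:
        page_html = fetch(page_url).decode("utf-8", errors="replace")
        for link in extract_cert_links(page_html, page_url):
            for der in ders_from_file(fetch(link)):
                fp = sha256_fingerprint(der)
                if fp in seen or fp in known_fingerprints:
                    continue
                seen.add(fp)
                unknown[fp] = link
    return unknown


# --- Constructed sample data: not real certificates, not real URLs ----------
FAKE_DER_A = b"\x30\x82\x01\x00" + bytes(range(64))       # stands in for a DER cert
FAKE_DER_B = b"\x30\x82\x01\x00" + bytes(range(64, 128))  # a second, distinct one
SAMPLE_PAGE = b"""<html><body>
<a href="/certs/root.crt">Root</a>
<a href="intermediates.pem">Intermediate bundle</a>
<a href="/about.html">About</a>
</body></html>"""


def pem(der):
    body = base64.encodebytes(der)  # wrapped with newlines, like a real PEM file
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


SAMPLE_FILES = {
    "https://ca.example/repository/": SAMPLE_PAGE,
    "https://ca.example/certs/root.crt": FAKE_DER_A,
    "https://ca.example/repository/intermediates.pem": pem(FAKE_DER_A) + pem(FAKE_DER_B),
}


def offline_fetch(url):
    return SAMPLE_FILES[url]


if __name__ == "__main__":
    known = {sha256_fingerprint(FAKE_DER_A)}  # pretend A was already disclosed
    for fp, src in find_unknown_certs(["https://ca.example/repository/"], offline_fetch, known).items():
        print(f"not in known set: {fp} (from {src})")
```

In practice the `known_fingerprints` set would be populated from the CCADB/crt.sh disclosure data, and each fingerprint returned is exactly the kind of candidate the post's script hands to crt.sh for chain building and CT submission.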