On 11/07/2011 05:41 PM, Ralph Holz wrote:
> Did you check to which IP addresses these resolve, and stored the IP
> addresses? We did that for the last few of our scans, but I haven't
> found the time yet to feed it into the DB.

I did not store the IPs, only checked IPs manually.

>> - self-signed certs popping up along with CA-issued ones seem rather common,
>> sometimes it's just once, sometimes both coexist for long time (e.g.
>> accessanywhere.net, webaccess.gtbankuk.com)
>
> Interesting. Self-signed certs did not appear on "high-value" domains in
> our samples. But that doesn't have to mean anything, of course, we
> haven't tried that many.

In most instances the self-signed cert appears only for a short time (one scan or day-two out of the 40-day period), which suggests that likely a new machine was installed or some other reconfiguration was done.

I had to look hard for any "high value" domain. In your datasets (the difference sets) I've found some webhostings/eshops (e.g. wesped.com, alyasoft.net). One domain had improper (but not self-signed) certs that might be considered "high value" (centerstatebank.com), though now it seems to have a proper cert.

> Does this mean you can scan 1.5M+ hostnames in less than 24h? You don't
> conduct full SSL handshakes then, correct?

Correct. The scanner only waits for the TLS Handshake Record with certificates. Time taken by the scan depends a lot on the scanner location, one finishes consistently within 4-5 hours, the other between 11-13 hours (in 100 threads).

> Which DB back-end do you use? If it's postgres, I'd be happy to feed it
> into our DB, too, and see what we have.

It's postgres.

Ondrej
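The receive side of a scan that stops once the Certificate handshake message has arrived can be sketched as follows. This is an added example, not the scanner discussed in this thread; it assumes the TLS 1.2-and-earlier Certificate layout, and the function names and sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, ALERT = 22, 21                                  # record content types
SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 2, 11, 14   # handshake types

def u24(buf, off):
    return int.from_bytes(buf[off:off + 3], "big")

def parse_certificate_list(body):
    """Split a Certificate body (TLS <= 1.2 layout) into its DER blobs."""
    if len(body) < 3 or u24(body, 0) != len(body) - 3:
        raise ValueError("bad certificate_list length")
    certs, off = [], 3
    while off < len(body):
        n, off = u24(body, off), off + 3
        if off + n > len(body):
            raise ValueError("truncated certificate entry")
        certs.append(bytes(body[off:off + n]))
        off += n
    return certs

def certs_from_stream(stream):
    """Return (certs, bytes_consumed); stops at the record completing Certificate."""
    hs, pos = bytearray(), 0          # hs: handshake bytes reassembled across records
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + rlen > len(stream):
            break                     # record not fully received yet
        frag, pos = stream[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype == ALERT:
            raise ValueError("server sent a TLS alert")
        if ctype == HANDSHAKE:
            hs += frag
        while len(hs) >= 4 and len(hs) >= 4 + u24(hs, 1):
            mtype, mlen = hs[0], u24(hs, 1)
            body = bytes(hs[4:4 + mlen])
            del hs[:4 + mlen]
            if mtype == CERTIFICATE:
                return parse_certificate_list(body), pos
    return [], pos

# Constructed sample: placeholder bytes stand in for DER certificates.
def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def _rec(frag):
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(frag)) + frag
FAKE_CERTS = [b"\x30\x03leaf", b"\x30\x03intermediate"]
_list = b"".join(len(c).to_bytes(3, "big") + c for c in FAKE_CERTS)
_flight = _hs(SERVER_HELLO, bytes(38)) + _hs(CERTIFICATE, len(_list).to_bytes(3, "big") + _list)
SAMPLE = _rec(_flight[:50]) + _rec(_flight[50:]) + _rec(_hs(SERVER_HELLO_DONE, b""))
```

In `SAMPLE` the Certificate message is split across two records and followed by a ServerHelloDone record, which the parser never reads.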
