Re: Discovering unlogged certificates in internet-wide scans

Hi Stephen, Thank you for the correction; I regret the error. On Tue, Apr 10, 2018 at 8:12 AM Stephen Davidson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > These certificates are compliant with the BR and contain the required > extKeyUsage values for both

RE: Discovering unlogged certificates in internet-wide scans

Hello, Many thanks for the research - this CT analysis is both fascinating and useful. I'd like to address the following statement: "Noncompliance already visible from previously logged certificates. The HydrantID SSL ICA G2 CA is trusted by Mozilla (via QuoVadis) for TLS

Re: Discovering unlogged certificates in internet-wide scans

As an FYI only: We did review the one cert cited below for term length. The certificate was issued in 2013 before the current max term duration was defined. This cert is grandfathered in and does not require revocation. In May of this year it expires. regards, Daymion On Sunday, April 1,

Re: Discovering unlogged certificates in internet-wide scans

Did you submit the ~25K unexpired unlogged certs to CT? On Sat, Mar 31, 2018 at 6:14 PM, Tim Smith via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi MDSP, > > I went looking for corpuses of certificates that may not have been > previously logged to CT and found some in

Re: Discovering unlogged certificates in internet-wide scans

On 03/31/2018 09:53 PM, Tim Smith wrote: > On Sat, Mar 31, 2018 at 6:28 PM, Michael Casadevall via > dev-security-policy wrote: > Thanks for taking a look. My understanding of Rapid7's methodology [1, > 2] is that they knock on well-known ports. The

Re: Discovering unlogged certificates in internet-wide scans

On Sat, Mar 31, 2018 at 6:28 PM, Michael Casadevall via dev-security-policy wrote: > Pretty interesting read, and always happy to see more information go > into CT. One thing I couldn't divine from your data was how did you look > for non-HTTPS services? Did

Re: Discovering unlogged certificates in internet-wide scans

On 03/31/2018 06:14 PM, Tim Smith via dev-security-policy wrote: > Hi MDSP, > > I went looking for corpuses of certificates that may not have been > previously logged to CT and found some in the Rapid7 "More SSL" dataset, > which captures certificates from their scans of non-HTTPS ports for >

Re: Discovering unlogged certificates in internet-wide scans

I'm currently grabbing certs from Censys's BigQuery extracts and submitting them to the Argon logs (and Daedalus/Rocketeer for certs that fall before/after Argon's not-after range). There's a fair bit of latency in the process; I'm only running this script weekly (it costs about $4 a pop in

Re: Discovering unlogged certificates in internet-wide scans

On Sat, Mar 31, 2018 at 3:26 PM, Kurt Roeckx wrote: > Have you done the for their other scans? I haven't. The Rapid7 HTTPS corpus is much larger; I'm not sure my approach will scale that far and I imagine the new discovery rate will be lower. Censys has been interested in

Re: Discovering unlogged certificates in internet-wide scans

On Sat, Mar 31, 2018 at 10:14:27PM +, Tim Smith via dev-security-policy wrote: > Hi MDSP, > > I went looking for corpuses of certificates that may not have been > previously logged to CT and found some in the Rapid7 "More SSL" dataset, > which captures certificates from their scans of