On 9/2/14, 10:53 AM, Hubert Kario wrote:
> I've finally found some time to analyse the data from last month's scan
> to see what happens when additional roots are removed[1,2].
>
> The scan took place between 11th and 19th of July 2014.
> Sites scanned are taken from Alexa top 1 million sites as of 11th of July.



Hubert, Thank you for doing this analysis and sharing your findings.



> Removing the Thawte 1024 bit roots[1] causes the following changes:
>
> Untrusted: +33 sites.
> Incomplete chain: +153, -2 sites.
> Complete chain: -184 sites.
>
> Sites that become untrusted:



Looks like those SSL certs are 5 year certs that were issued in 2010, so those site administrators will be needing to update their certs within the next year.

The change is currently targeted for Firefox 35 (early January). That gives Thawte/Symantec time to contact these customers, and get their certs updated.



> Removal of the GTE root has a bigger impact:
>
> complete -86
> incomplete +17, -8
> untrusted +77
>
> Since the list is so large I won't be quoting it here.

Would you please attach the list to the bug?

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
