On Tue, Jun 09, 2015 at 08:26:55AM -0500, Peter Kurrasch wrote:
> 1) How to exclude domains from the search? For example I want to find
> gmail certs but exclude something like "eggmail" which could be a false
> positive.

Constrain your search to "domains which have a name part which is exactly
'gmail'".

> 2) How to address wild cards? For example can I bypass these detection
> tools by issuing a cert for "*[dot]innocentdomain[dot]com" instead of
> "gmail[dot]innocentdomain[dot]com"?

Fun times.

> 3) How frequently might such tools run? Or to put it differently, how much
> time do I probably have between when I issue a gmail cert and when someone
> figures it out (and of course how much longer before my illegitimate cert
> is no longer valid)?  I need only 24 hours to do all the damage I want,
> but in a pinch I'll make do with 8.

How frequently does the consumer of such services *want* the tool to run?

> 4) What's the expected model for a third-party monitor? Who might the
> organizations be and how might the monitoring be funded?

People give the monitor money.  The monitor protects their interests.

> In a way the SSL Labs service is a perfect example of the limitations of a
> monitoring service.  Their SSL Pulse found an awful lot of servers with
> a failing grade.

Luckily, CT doesn't aim to fix every Goober-with-Apache; its main benefit
is in providing sunshine on CA operations, and making it easier to provide
complete evidence of malfeasance or incompetence.

- Matt

-- 
My favourite was some time ago, and involved a female customer thanking "Mr.
Daemon" for his effort trying to deliver her mail, and offering him a "good
time" if he ever visited Sydney.
                -- Matt McLeod
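The label-exact match suggested in reply to question 1, and the wildcard case raised in question 2, as an added example that is not part of the thread and not any CT monitor's actual code. It assumes the monitor already has the DNS names (CN/SAN) from a logged certificate; the SAN lists below are constructed samples, and `WATCHED_LABEL` is an assumed configuration value.

```python
"""Added example: filter CT log entries by an exact DNS label rather than a
substring, so 'eggmail.com' does not match a watch for 'gmail', and flag
wildcard names that could cover the watched label without it ever appearing
in the log entry. Sample inputs are constructed, not real log data."""

from typing import Iterable, List

WATCHED_LABEL = "gmail"  # assumed monitor configuration: the name part to watch


def labels(dns_name: str) -> List[str]:
    """Split a DNS name into its labels, lowercased, ignoring a trailing dot."""
    return [part for part in dns_name.lower().rstrip(".").split(".") if part]


def has_exact_label(dns_name: str, label: str = WATCHED_LABEL) -> bool:
    """True only if some label of dns_name is exactly `label`.

    'gmail.innocentdomain.com' -> True, 'eggmail.com' -> False: a substring
    search would report both, an exact-label comparison reports only the first.
    """
    return label in labels(dns_name)


def wildcard_could_cover(dns_name: str, label: str = WATCHED_LABEL) -> bool:
    """True if dns_name is a wildcard ('*.example.com') whose wildcard label
    could stand in for `label`: the certificate would be valid for
    'gmail.example.com' even though 'gmail' never appears in the log entry.
    """
    parts = labels(dns_name)
    return len(parts) >= 2 and parts[0] == "*"


def classify(san_names: Iterable[str], label: str = WATCHED_LABEL) -> str:
    """Classify one certificate's SAN list for the monitor's report queue:
    'exact'    - a name carries the watched label as a whole label
    'wildcard' - no exact hit, but a wildcard name could cover it
    'ignore'   - neither (includes false positives such as 'eggmail')
    """
    names = list(san_names)
    if any(has_exact_label(n, label) for n in names):
        return "exact"
    if any(wildcard_could_cover(n, label) for n in names):
        return "wildcard"
    return "ignore"


if __name__ == "__main__":
    # Constructed sample SAN lists standing in for parsed log entries.
    samples = {
        "exact hit": ["gmail.innocentdomain.com", "www.innocentdomain.com"],
        "false positive": ["eggmail.com", "www.eggmail.com"],
        "wildcard": ["*.innocentdomain.com"],
    }
    for desc, sans in samples.items():
        print(f"{desc:15s} {classify(sans):9s} {sans}")
```

The wildcard check is deliberately broad: every `*.<domain>` certificate could serve `gmail.<domain>`, so a monitor that watches a label across arbitrary domains has to either report all wildcards or restrict itself to domains the paying customer actually owns, which is the funding model answered under question 4.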

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
