On Tue, Jun 09, 2015 at 08:26:55AM -0500, Peter Kurrasch wrote:
> 1) How to exclude domains from the search? For example I want to find
> gmail certs but exclude something like "eggmail" which could be a false
> positive.

Constrain your search to "domains which have a name part which is exactly 'gmail'".

> 2) How to address wild cards? For example can I bypass these detection
> tools by issuing a cert for "*[dot]innocentdomain[dot]com" instead of
> "gmail[dot]innocentdomain[dot]com"?

Fun times.

> 3) How frequently might such tools run? Or to put it differently, how much
> time do I probably have between when I issue a gmail cert and when someone
> figures it out (and of course how much longer before my illegitimate cert
> is no longer valid)? I need only 24 hours to do all the damage I want,
> but in a pinch I'll make do with 8.

How frequently does the consumer of such services *want* the tool to run?

> 4) What's the expected model for a third-party monitor? Who might the
> organizations be and how might the monitoring be funded?

People give the monitor money. The monitor protects their interests.

> In a way the SSL Labs service is a perfect example of the limitations of a
> monitoring service. Their SSL Pulse found an awful lot of servers with
> a failing grade.

Luckily, CT doesn't aim to fix every Goober-with-Apache; its main benefit is in providing sunshine on CA operations, and making it easier to provide complete evidence of malfeasance or incompetence.

- Matt

--
My favourite was some time ago, and involved a female customer thanking
"Mr. Daemon" for his effort trying to deliver her mail, and offering him
a "good time" if he ever visited Sydney.
-- Matt McLeod

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
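As an added illustration of the label-exact search suggested above for questions 1 and 2 (example code written for this page, not from the thread or any CT monitor), the check below matches a certificate's names against a watch list by whole DNS label, so "eggmail.com" is not a hit for "gmail", and separately surfaces wildcard names, which a label search can never match even though "*.innocentdomain.com" covers "gmail.innocentdomain.com". The SAN list is constructed, not taken from a real certificate.

```python
# Label-exact watch-list matching for names seen in CT-logged certificates.
# Added example; the watch-list approach and the sample names are assumptions.
from typing import Iterable, List, Optional, Tuple


def dns_labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels: '*.example.com' -> ['*', 'example', 'com']."""
    return name.strip().lower().rstrip(".").split(".")


def match_label(name: str, watched: Iterable[str]) -> Optional[str]:
    """Return the watched label that occurs as a whole DNS label of `name`, else None.
    Comparing whole labels (not substrings) is what keeps 'eggmail.com' out of the results."""
    watched_set = {w.lower() for w in watched}
    for label in dns_labels(name):
        if label in watched_set:
            return label
    return None


def is_wildcard(name: str) -> bool:
    """True for names whose leftmost label is '*'."""
    return dns_labels(name)[0] == "*"


def scan_cert_names(names: Iterable[str], watched: Iterable[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Classify the names in one certificate.

    Returns (hits, wildcards): hits are (name, matched_label) pairs; wildcards are
    names like '*.innocentdomain.com' that contain no watched label but would still
    cover any watched hostname beneath them, so a monitor should report them for review.
    """
    hits: List[Tuple[str, str]] = []
    wildcards: List[str] = []
    for n in names:
        label = match_label(n, watched)
        if label is not None:
            hits.append((n, label))
        elif is_wildcard(n):
            wildcards.append(n)
    return hits, wildcards


# Constructed sample SAN list, not from any real certificate.
SAMPLE_SANS = ["gmail.innocentdomain.com", "eggmail.com", "mail.gmail.com", "*.innocentdomain.com"]

if __name__ == "__main__":
    print(scan_cert_names(SAMPLE_SANS, ["gmail"]))
```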