On 23/09/2016 17:18, Rob Stradling wrote:
On 22/09/16 18:48, Jakob Bohm wrote:
<snip>
While you are at it:

1. How many WoSign/StartCom certificates did you find with domains not
  on that IANA list?

Hi Jakob.  I wasn't looking for this sort of thing, because Gerv was
only interested in "unique base domains (PSL+1)".


However for the relevant technique to be workable, it would have to
include "unique base domains" outside the IANA root (such as base
domains under alternative DNS roots). Algorithmically, any DNS name
found in certificates but not on the IANA suffix list should be treated
generically (e.g. assume only last component is a public suffix, or
assume any 1 to 3 letter 2. level domain is also a public suffix).

I think there were ~200 internationalized domain names amongst the certs
issued by StartCom, of which about half have internationalized TLDs.  I
ignored all of these, on the assumption that the Punycode representation
of each would also be in the cert.

BTW, I also found certs containing the following public suffixes (i.e.,
PSL+0), some of which may be of interest:

WoSign:
cloudapp.net
github.io
qa2.com
kuzbass.ru

StartCom:
astrakhan.ru
chirurgiens-dentistes-en-france.fr
(and *.chirurgiens-dentistes-en-france.fr)
chita.ru
(and *.chita.ru)
duckdns.org
goip.de
gouv.ci
gov.sc
ivanovo.ru
karelia.ru
lipetsk.ru
logoip.com
logoip.de
net.tj
nsupdate.info
realm.cz
sandcats.io
tsk.ru
uem.mz

2. How many WoSign/StartCom certificates did you find for other uses
  than https://www.example.tld:

2.1 Certificates for "odd" subdomains such as "extranet.example.com"

How do you algorithmically determine "odd" ?

Anything your script would otherwise throw away as not matching its
assumptions.

2.2 Certificates for e-mail

2.3 Code signing certificates

2.4 Others?

I only looked for CNs, dNSNames and iPAddresses.  Are these other types
of cert of particular interest for some reason?


As I said elsewhere:

2.2: Mozilla also makes an e-mail client (Thunderbird) which uses the
same CA root list and the same NSS security library to check e-mail
certificates.  E-mail trust bits are still part of the Mozilla CA root
database.

2.3: Some non-Mozilla projects still use the Mozilla CA root list to
check code and document signatures, because the Mozilla CA root program
is the only major CA root program run in an open source fashion.  Thus
the discussions on this mailing list would tend to inform the
maintainers of some of those projects regarding their setting of code
signing trust bits.

2.4: If the CT logs reveal any kind of certificate I did not ask about,
that would indicate that those things exist and have some relevance.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
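The PSL+1 "unique base domain" reduction discussed above, together with the fallback rule for names outside the IANA root, as an added example that is not part of this thread or of anyone's script; both suffix sets are constructed miniatures of the real IANA TLD list and Public Suffix List.

```python
# Added example, not from the thread: PSL+1 "unique base domain" reduction
# with the fallback for names outside the IANA root. Both sets are constructed
# miniatures; a real run loads the full IANA TLD list and Public Suffix List.
IANA_TLDS = {"com", "net", "org", "ru", "de", "io", "ci", "tj"}
PSL_SNIPPET = IANA_TLDS | {"cloudapp.net", "github.io", "chita.ru",
                           "duckdns.org", "gouv.ci", "net.tj"}

def public_suffix(labels):
    """Longest PSL entry that is a suffix of the label list (the PSL+0 part)."""
    for i in range(len(labels)):  # i == 0 tries the whole name first
        if ".".join(labels[i:]) in PSL_SNIPPET:
            return labels[i:]
    return labels[-1:]  # no PSL entry at all: treat the TLD as the suffix

def heuristic_suffix(labels):
    """Fallback for names outside the IANA root: the last label is a public
    suffix, and a 1-3 letter second-level label is treated as one too."""
    if len(labels) >= 2 and 1 <= len(labels[-2]) <= 3:
        return labels[-2:]
    return labels[-1:]

def classify(name):
    """Return (kind, base_domain) for one CN or dNSName from a certificate;
    kind is 'psl+1', 'psl+0', 'alt+1' or 'alt+0' ('alt' = outside IANA root)."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):  # wildcard cert: judge the name it covers
        name = name[2:]
    labels = name.split(".")
    if labels[-1] in IANA_TLDS:
        kind, suffix = "psl", public_suffix(labels)
    else:
        kind, suffix = "alt", heuristic_suffix(labels)
    if len(suffix) == len(labels):  # the name itself is a public suffix
        return kind + "+0", name
    return kind + "+1", ".".join(labels[-(len(suffix) + 1):])

def summarize(names):
    """Group certificate names by kind into sets of unique base domains."""
    out = {}
    for n in names:
        kind, base = classify(n)
        out.setdefault(kind, set()).add(base)
    return out

# Constructed sample of names as they might appear in SAN extensions.
SAMPLE = ["www.example.com", "extranet.example.com", "*.chita.ru",
          "cloudapp.net", "foo.cloudapp.net", "mail.intranet.lan", "www.co.lan"]
if __name__ == "__main__":
    for kind, bases in sorted(summarize(SAMPLE).items()):
        print(kind, sorted(bases))
```

Names that come out as `psl+0` are exactly the "certs containing public suffixes" category listed earlier in the thread, and the `alt` kinds are the names a PSL-only script would otherwise discard.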
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
