Did you submit the ~25K unexpired unlogged certs to CT?

On Sat, Mar 31, 2018 at 6:14 PM, Tim Smith via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hi MDSP,
>
> I went looking for corpuses of certificates that may not have been previously logged to CT and found some in the Rapid7 "More SSL" dataset, which captures certificates from their scans of non-HTTPS ports for TLS-speaking services.
>
> I wrote up some findings at http://blog.tim-smith.us/2018/03/moressl-spelunking/.
>
> A few highlights include:
> - of the ~10 million certificates in the corpus, about 20% had valid signatures and chained to roots included in the Mozilla trust store
> - about 50,000 of the 2 million trusted certificates had not previously been logged
> - about half of the novel certificates were unexpired
>
> There were interesting examples of unexpired, non-compliant, trusted certificates chaining to issuers including GoDaddy, NetLock, Logius, and Entrust. (I have not taken any action to inform issuers of these findings, other than this message and by publishing the certificates to CT logs.)
>
> I welcome any feedback or questions about the value of the approach and the findings.
>
> Thanks,
> Tim
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

-- 
konklone.com | @konklone <https://twitter.com/konklone>
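The triage Tim describes (valid signature and a chain to a trust-store root, then unexpired, then not yet logged, then publish to CT) can be run end to end with Go's standard library. The block below is an added example and is not Tim's or Eric's code, nor anything from the Rapid7 dataset: it builds a constructed mini-PKI (one root standing in for the Mozilla store, four leaves covering the categories in the post), classifies each leaf, and assembles the JSON body an RFC 6962 `add-chain` request would carry to a log's `/ct/v1/add-chain` endpoint. Two assumptions are mine: the "already logged" test here is the presence of the embedded SCT list extension, which is only a heuristic (a certificate can be logged without embedded SCTs, and the post does not say how Tim checked), and nothing is sent over the network; the body is built and printed, not POSTed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // RFC 6962 s3.3 extension

type Triage struct {
	Trusted        bool                // signature valid and chains to a store root
	Unexpired      bool                // inside its validity window at "now"
	HasEmbeddedSCT bool                // embedded SCTs present: a heuristic for "already logged"
	Chain          []*x509.Certificate // leaf..root, set only when Trusted
}

// triageCert verifies chaining at an instant inside the leaf's own validity window, so expiry is tallied separately from trust.
func triageCert(leaf *x509.Certificate, roots, inters *x509.CertPool, now time.Time) Triage {
	t := Triage{Unexpired: !now.Before(leaf.NotBefore) && now.Before(leaf.NotAfter)}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: leaf.NotBefore.Add(time.Second), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err == nil && len(chains) > 0 {
		t.Trusted, t.Chain = true, chains[0]
	}
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidEmbeddedSCT) {
			t.HasEmbeddedSCT = true
		}
	}
	return t
}

// addChainBody builds the JSON body of an RFC 6962 add-chain request (POST <log-url>/ct/v1/add-chain): base64 DER, leaf first.
func addChainBody(chain []*x509.Certificate) ([]byte, error) {
	if len(chain) == 0 {
		return nil, fmt.Errorf("empty chain")
	}
	encoded := make([]string, 0, len(chain))
	for _, c := range chain {
		encoded = append(encoded, base64.StdEncoding.EncodeToString(c.Raw))
	}
	return json.Marshal(map[string][]string{"chain": encoded})
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// buildFixtures constructs a stand-in trust store (one root) and four leaves covering the post's categories; nothing here is real.
func buildFixtures() (*x509.CertPool, map[string]*x509.Certificate, time.Time) {
	now := time.Date(2018, 3, 31, 0, 0, 0, 0, time.UTC)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.AddDate(-5, 0, 0), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	tmpl := func(serial int64, nb, na time.Time, withSCT bool) *x509.Certificate {
		c := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "imap.example.test"},
			NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
		if withSCT { // placeholder extension value; a real one carries a TLS-encoded SCT list
			c.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCT, Value: []byte{0x04, 0x00}}}
		}
		return c
	}
	y := func(n int) time.Time { return now.AddDate(n, 0, 0) }
	leaves := map[string]*x509.Certificate{
		"trusted-unexpired": mustCert(tmpl(2, y(-1), y(1), false), root, &leafKey.PublicKey, caKey),
		"trusted-expired":   mustCert(tmpl(3, y(-2), y(-1), false), root, &leafKey.PublicKey, caKey),
		"trusted-logged":    mustCert(tmpl(4, y(-1), y(1), true), root, &leafKey.PublicKey, caKey),
	}
	stray := tmpl(5, y(-1), y(1), false) // self-signed: valid signature, but no store root vouches for it
	leaves["untrusted"] = mustCert(stray, stray, &leafKey.PublicKey, leafKey)
	return roots, leaves, now
}

func main() {
	roots, leaves, now := buildFixtures()
	t := triageCert(leaves["trusted-unexpired"], roots, nil, now)
	fmt.Printf("trusted=%v unexpired=%v embeddedSCT=%v\n%s\n", t.Trusted, t.Unexpired, t.HasEmbeddedSCT, must(addChainBody(t.Chain)))
}
```

Verification is pinned to an instant just after the leaf's `NotBefore` so that an expired but properly issued certificate still lands in the "trusted" bucket and expiry is counted on its own, which is how the post's 20% / 50,000 / "about half" figures nest. Against a real scan corpus the intermediates pool would be filled from the captured chains, and the "previously logged" check would be a lookup against the logs (or a monitor such as crt.sh) rather than the embedded-SCT heuristic used here.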