Hi,

That looks like nice work... :-)

BTW, we have made some cursory scans of the same kind lately (for an entirely different purpose, but still) and found the same kind of phenomenon you describe:

> I've created a dataset covering CDN services (to see how common the "citibank
> effect" is). CDN service is defined as hostname serving certificates with
> overlapping time periods (i.e. cert A is seen, cert B is seen, then A again;
> mostly due to reverse NATs, fast-flux DNS, multiple IPs or misconfiguration).

Did you check to which IP addresses these resolve, and store the IP addresses? We did that for the last few of our scans, but I haven't found the time yet to feed it into the DB.

> - self-signed certs popping up along with CA-issued ones seem rather common,
>   sometimes it's just once, sometimes both coexist for long time (e.g.
>   accessanywhere.net, webaccess.gtbankuk.com)

Interesting. Self-signed certs did not appear on "high-value" domains in our samples. But that doesn't have to mean anything, of course, we haven't tried that many.

> Final notes:
> - scanning was done daily between 2011-09-23 and 2011-11-04 on 1.5M+ hostnames

Does this mean you can scan 1.5M+ hostnames in less than 24h? You don't conduct full SSL handshakes then, correct?

> http://constructibleuniverse.net/CDN/CDN_unfiltered.csv)

Which DB back-end do you use? If it's postgres, I'd be happy to feed it into our DB, too, and see what we have.

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
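The overlap definition quoted in the message (cert A is seen, cert B is seen, then A again) and the coexistence of self-signed with CA-issued certs can be checked over stored scan records as sketched here. This is an added example, not code from the thread or from either scanning project; the record layout, hostnames and fingerprints are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample scan records: (hostname, scan date, cert fingerprint, self-signed?)
OBSERVATIONS = [
    ("cdn.example.test", date(2011, 9, 23), "fp-A", False),
    ("cdn.example.test", date(2011, 9, 24), "fp-B", False),
    ("cdn.example.test", date(2011, 9, 25), "fp-A", False),      # A again: overlap
    ("rotated.example.test", date(2011, 9, 23), "fp-C", False),
    ("rotated.example.test", date(2011, 9, 24), "fp-C", False),
    ("rotated.example.test", date(2011, 9, 25), "fp-D", False),  # plain rotation
    ("mixed.example.test", date(2011, 9, 23), "fp-E", False),
    ("mixed.example.test", date(2011, 9, 24), "fp-F", True),     # self-signed in between
    ("mixed.example.test", date(2011, 9, 25), "fp-E", False),
]

def classify(observations):
    """Return {hostname: {"overlapping": bool, "self_signed_mixed": bool}}."""
    # hostname -> fingerprint -> [first_seen, last_seen, self_signed]
    spans = defaultdict(dict)
    for host, day, fp, self_signed in observations:
        span = spans[host].setdefault(fp, [day, day, self_signed])
        span[0] = min(span[0], day)
        span[1] = max(span[1], day)
    result = {}
    for host, certs in spans.items():
        ordered = sorted(certs.values(), key=lambda s: s[0])
        overlapping, latest_end = False, None
        for first, last, _ in ordered:
            # A cert first seen before an earlier cert was last seen means
            # the two observation periods overlap (same-day sightings count).
            if latest_end is not None and first <= latest_end:
                overlapping = True
            latest_end = last if latest_end is None else max(latest_end, last)
        kinds = {s[2] for s in ordered}
        result[host] = {
            "overlapping": overlapping,
            # Self-signed and CA-issued certs coexisting in overlapping periods.
            "self_signed_mixed": overlapping and kinds == {True, False},
        }
    return result

if __name__ == "__main__":
    for host, flags in classify(OBSERVATIONS).items():
        print(host, flags)
```

Storing the resolved IP address with each record, as the message suggests, would let the same grouping be keyed on (hostname, IP) to separate multi-IP deployments from other causes.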
