Re: Unknown Intermediates

2017-06-22 Thread Tavis Ormandy via dev-security-policy
I think you're right, it was probably me submitting my corpus - I hope
that's a good thing! :-)

I only submitted the ones I could verify, would you be interested in the
others? Many are clearly not interesting, but others seem like they may be
interesting if I had an intermediate I haven't seen.

Tavis.

On Thu, Jun 22, 2017 at 6:15 AM, Alex Gaynor <agay...@mozilla.com> wrote:

> One of my hobbies is keeping track of publicly trusted (by any of the
> major root programs) CAs, for which there are no logged certificates.
> There's over 1000 of these. In the last day, presumably as a result of
> these efforts, 50-100 CAs were removed from the list.
>
> Cheers,
> Alex
>
> On Thu, Jun 22, 2017 at 5:51 AM, Rob Stradling <rob.stradl...@comodo.com>
> wrote:
>
>> On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote:
>>
>>> Thanks Alex, I took a look, it looks like the check pings crt.sh - is
>>> doing that for a large number of certificates acceptable Rob?
>>>
>>
>> Hi Tavis.  Yes, Alex's tool uses https://crt.sh/gen-add-chain to find a
>> suitable cert chain and build the JSON that can then be submitted to a
>> log's /ct/v1/add-chain.  It should be fine to do that for a large number of
>> certs.  crt.sh exists to be used.  ;-)
>>
>>> I made a smaller set, the certificates that have 'SSL server: Yes' or 'Any
>>> Purpose : Yes', there were only a few thousand that verified, so I just
>>> checked those and found 551 not in crt.sh.
>>>
>>> (The *vast* majority are code signing certificates, many are individual
>>> apple developer certificates)
>>>
>>> Is this useful? if not, what key usage is interesting?
>>>
>>> https://lock.cmpxchg8b.com/ServerOrAny.zip
>>>
>>
>> Thanks for this, Tavis.  I pointed my certscraper (
>> https://github.com/robstradling/certscraper) at this URL a couple of
>> days ago.  This submitted many of the certs to the Dodo and Rocketeer logs.
>>
>> However, it didn't manage to build chains for all of them.  I haven't yet
>> had a chance to investigate why.
>>
>>> Tavis.
>>>
>>> On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor <agay...@mozilla.com>
>>> wrote:
>>>
>>>> If you're interested in playing around with submitting them yourself, or
>>>> checking if they're already submitted, I've got some random tools for
>>>> working with CT: https://github.com/alex/ct-tools
>>>>
>>>> Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what
>>>> you want. It's all serial, so for 8M certs you probably want to Bring Your
>>>> Own Parallelism (I should fix this...)
>>>>
>>>> Alex
>>>>
>>>> On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy <
>>>> dev-security-policy@lists.mozilla.org> wrote:
>>>>
>>>> On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote:
>>>>>
>>>>> On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote:
>>>>>>
>>>>>> 
>>>>>
>>>>>>> Is there an easy way to check which certificates from my set you're
>>>>>>> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
>>>>>>> for fuzzing).
>>>>>>>
>>>>>>> I collected these from public sources, so can just give you my whole
>>>>>>> set if you already have tools for importing them and don't mind
>>>>>>> processing them, I have around ~8M (mostly leaf) certificates, the
>>>>>>> set with isCa will be much smaller.
>>>>>>>
>>>>>>>
>>>>>> Please do post the whole set.  I suspect there are several people on
>>>>>> this list (including myself and Rob) who have the tools and experience
>>>>>> to process large sets of certificates and post them to public
>>>>>> Certificate Transparency logs (whence they will be fed into crt.sh).
>>>>>>
>>>>>> It would be useful to include the leaf certificates as well, to catch
>>>>>> CAs which are engaging in bad practices such as signing non-SSL certs
>>>>>> with SHA-1 under an intermediate that is capable of issuing SSL
>>>>>> certificates.
>>>>>>
>>>>>> Thanks a bunch for this!
>>>>>>
>>>>>>
>>>>> +1
>>>>>
>>>>> Tavis, please do post the whole set.  And thanks!
>>>>>
>>>>
>> --
>> Rob Stradling
>> Senior Research & Development Scientist
>> COMODO - Creating Trust Online
>>
>
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
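Added example, not code from the thread or from any of the tools named in it: a Go triage of the fields the discussion above turns on, namely the "isCa" subset, Tavis's 'SSL server: Yes' / 'Any Purpose: Yes' filter, the SHA-1 signature Andrew wants flagged, the SHA-256 fingerprint that crt.sh/?q= takes, and the {"chain": [...]} body a log's /ct/v1/add-chain expects. The certificate is a constructed, self-signed CA so the code runs offline, and the EKU test approximates OpenSSL's purpose output rather than reproducing it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

type Triage struct {
	Fingerprint string // hex SHA-256 of the DER, the form crt.sh/?q= accepts
	IsCA        bool   // basicConstraints cA=TRUE, Tavis's "isCa" subset
	ServerOrAny bool   // approximates 'SSL server: Yes' / 'Any Purpose: Yes'
	SHA1Signed  bool   // the bad practice Andrew Ayer wants caught in leaf certs
}
func triage(c *x509.Certificate) Triage {
	t := Triage{Fingerprint: fmt.Sprintf("%x", sha256.Sum256(c.Raw)), IsCA: c.IsCA}
	t.ServerOrAny = len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 // no EKU: any purpose
	for _, eku := range c.ExtKeyUsage {
		t.ServerOrAny = t.ServerOrAny || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
	}
	t.SHA1Signed = c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.ECDSAWithSHA1
	return t
}
// addChainBody builds the RFC 6962 /ct/v1/add-chain request: {"chain": ["<base64 DER>", ...]}.
func addChainBody(chain []*x509.Certificate) ([]byte, error) {
	encoded := make([]string, len(chain))
	for i, c := range chain {
		encoded[i] = base64.StdEncoding.EncodeToString(c.Raw)
	}
	return json.Marshal(map[string][]string{"chain": encoded})
}
// selfSignedCA constructs a throwaway CA (not from the thread) so the example runs offline.
func selfSignedCA() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign,
		IsCA: true, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Walking a real corpus is then x509.ParseCertificate on each decoded PEM followed by triage, keeping the isCa and ServerOrAny hits for add-chain and the SHA1Signed leaves for a closer look at their issuer.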


Re: Unknown Intermediates

2017-06-21 Thread Tavis Ormandy via dev-security-policy
FYI, I'm submitting these right now, it seems to be working, here's an
example

https://crt.sh/?q=1eb6ec6e6c45663f3bb1b2f140961bbf3352fc8741ef835146d3a8a2616ee28f

Tavis.

On Mon, Jun 19, 2017 at 12:56 PM, Tavis Ormandy wrote:

> I noticed there's an apparently valid facebook.com certificate in there (
> 61b1526f9d75775c3d533382f36527c9.pem). This is surprising to me, that
> seems like it would be in CT already - so maybe I don't know what I'm doing.
>
> Let me know if I've misunderstood something.
>
> Tavis.
>
>
> On Mon, Jun 19, 2017 at 12:41 PM, Tavis Ormandy wrote:
>
>> Thanks Alex, I took a look, it looks like the check pings crt.sh - is
>> doing that for a large number of certificates acceptable Rob?
>>
>> I made a smaller set, the certificates that have 'SSL server: Yes' or
>> 'Any Purpose : Yes', there were only a few thousand that verified, so I
>> just checked those and found 551 not in crt.sh.
>>
>> (The *vast* majority are code signing certificates, many are individual
>> apple developer certificates)
>>
>> Is this useful? if not, what key usage is interesting?
>>
>> https://lock.cmpxchg8b.com/ServerOrAny.zip
>>
>> Tavis.
>>
>> On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor wrote:
>>
>>> If you're interested in playing around with submitting them yourself, or
>>> checking if they're already submitted, I've got some random tools for
>>> working with CT: https://github.com/alex/ct-tools
>>>
>>> Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what
>>> you want. It's all serial, so for 8M certs you probably want to Bring Your
>>> Own Parallelism (I should fix this...)
>>>
>>> Alex
>>>
>>> On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy <
>>> dev-security-policy@lists.mozilla.org> wrote:
>>>
>>>> On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote:
>>>>
>>>>> On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote:
>>>>>
>>>>>> Is there an easy way to check which certificates from my set you're
>>>>>> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
>>>>>> for fuzzing).
>>>>>>
>>>>>> I collected these from public sources, so can just give you my whole
>>>>>> set if you already have tools for importing them and don't mind
>>>>>> processing them, I have around ~8M (mostly leaf) certificates, the
>>>>>> set with isCa will be much smaller.
>>>>>
>>>>> Please do post the whole set.  I suspect there are several people on
>>>>> this list (including myself and Rob) who have the tools and experience
>>>>> to process large sets of certificates and post them to public
>>>>> Certificate Transparency logs (whence they will be fed into crt.sh).
>>>>>
>>>>> It would be useful to include the leaf certificates as well, to catch
>>>>> CAs which are engaging in bad practices such as signing non-SSL certs
>>>>> with SHA-1 under an intermediate that is capable of issuing SSL
>>>>> certificates.
>>>>>
>>>>> Thanks a bunch for this!
>>>>
>>>> +1
>>>>
>>>> Tavis, please do post the whole set.  And thanks!
>>>>
>>>> --
>>>> Rob Stradling
>>>> Senior Research & Development Scientist
>>>> COMODO - Creating Trust Online

>>>
>>>
>>
>


Re: Unknown Intermediates

2017-06-19 Thread Tavis Ormandy via dev-security-policy
I noticed there's an apparently valid facebook.com certificate in there
(61b1526f9d75775c3d533382f36527c9.pem). This is surprising to me, that
seems like it would be in CT already - so maybe I don't know what I'm doing.

Let me know if I've misunderstood something.

Tavis.

On Mon, Jun 19, 2017 at 12:41 PM, Tavis Ormandy wrote:

> Thanks Alex, I took a look, it looks like the check pings crt.sh - is
> doing that for a large number of certificates acceptable Rob?
>
> I made a smaller set, the certificates that have 'SSL server: Yes' or 'Any
> Purpose : Yes', there were only a few thousand that verified, so I just
> checked those and found 551 not in crt.sh.
>
> (The *vast* majority are code signing certificates, many are individual
> apple developer certificates)
>
> Is this useful? if not, what key usage is interesting?
>
> https://lock.cmpxchg8b.com/ServerOrAny.zip
>
> Tavis.
>
> On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor wrote:
>
>> If you're interested in playing around with submitting them yourself, or
>> checking if they're already submitted, I've got some random tools for
>> working with CT: https://github.com/alex/ct-tools
>>
>> Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what you
>> want. It's all serial, so for 8M certs you probably want to Bring Your Own
>> Parallelism (I should fix this...)
>>
>> Alex
>>
>> On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote:
>>>
>>>> On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote:
>>>>
>>>>> Is there an easy way to check which certificates from my set you're
>>>>> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
>>>>> for fuzzing).
>>>>>
>>>>> I collected these from public sources, so can just give you my whole
>>>>> set if you already have tools for importing them and don't mind
>>>>> processing them, I have around ~8M (mostly leaf) certificates, the
>>>>> set with isCa will be much smaller.
>>>>
>>>> Please do post the whole set.  I suspect there are several people on
>>>> this list (including myself and Rob) who have the tools and experience
>>>> to process large sets of certificates and post them to public
>>>> Certificate Transparency logs (whence they will be fed into crt.sh).
>>>>
>>>> It would be useful to include the leaf certificates as well, to catch
>>>> CAs which are engaging in bad practices such as signing non-SSL certs
>>>> with SHA-1 under an intermediate that is capable of issuing SSL
>>>> certificates.
>>>>
>>>> Thanks a bunch for this!
>>>>
>>>
>>> +1
>>>
>>> Tavis, please do post the whole set.  And thanks!
>>>
>>> --
>>> Rob Stradling
>>> Senior Research & Development Scientist
>>> COMODO - Creating Trust Online
>>>
>>
>>
>


Re: Unknown Intermediates

2017-06-19 Thread Tavis Ormandy via dev-security-policy
Thanks Alex, I took a look, it looks like the check pings crt.sh - is doing
that for a large number of certificates acceptable Rob?

I made a smaller set, the certificates that have 'SSL server: Yes' or 'Any
Purpose : Yes', there were only a few thousand that verified, so I just
checked those and found 551 not in crt.sh.

(The *vast* majority are code signing certificates, many are individual
apple developer certificates)

Is this useful? if not, what key usage is interesting?

https://lock.cmpxchg8b.com/ServerOrAny.zip

Tavis.

On Mon, Jun 19, 2017 at 7:03 AM, Alex Gaynor wrote:

> If you're interested in playing around with submitting them yourself, or
> checking if they're already submitted, I've got some random tools for
> working with CT: https://github.com/alex/ct-tools
>
> Specifically ct-tools check <cert1.pem, cert2.pem, ...> will get what you
> want. It's all serial, so for 8M certs you probably want to Bring Your Own
> Parallelism (I should fix this...)
>
> Alex
>
> On Mon, Jun 19, 2017 at 6:51 AM, Rob Stradling via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On 16/06/17 20:11, Andrew Ayer via dev-security-policy wrote:
>>
>>> On Fri, 16 Jun 2017 10:29:45 -0700 Tavis Ormandy wrote:
>>>
>>>> Is there an easy way to check which certificates from my set you're
>>>> missing? (I'm not a PKI guy, I was collecting unusual extension OIDs
>>>> for fuzzing).
>>>>
>>>> I collected these from public sources, so can just give you my whole
>>>> set if you already have tools for importing them and don't mind
>>>> processing them, I have around ~8M (mostly leaf) certificates, the
>>>> set with isCa will be much smaller.
>>>>
>>>
>>> Please do post the whole set.  I suspect there are several people on
>>> this list (including myself and Rob) who have the tools and experience
>>> to process large sets of certificates and post them to public
>>> Certificate Transparency logs (whence they will be fed into crt.sh).
>>>
>>> It would be useful to include the leaf certificates as well, to catch
>>> CAs which are engaging in bad practices such as signing non-SSL certs
>>> with SHA-1 under an intermediate that is capable of issuing SSL
>>> certificates.
>>>
>>> Thanks a bunch for this!
>>>
>>
>> +1
>>
>> Tavis, please do post the whole set.  And thanks!
>>
>> --
>> Rob Stradling
>> Senior Research & Development Scientist
>> COMODO - Creating Trust Online
>>
>
>


Re: Unknown Intermediates

2017-06-16 Thread Tavis Ormandy via dev-security-policy
On Fri, Jun 16, 2017 at 2:00 AM, Rob Stradling <rob.stradl...@comodo.com>
wrote:

> On 16/06/17 06:05, Tavis Ormandy via dev-security-policy wrote:
>
>> Hello, I was crawling the pkcs7 blobs in public pdf files and found some
>> intermediate certificates that don't appear in crt.sh.
>>
>> I forwarded them to Rob, I don't know if this is useful to anyone else, but
>> they're available here.
>>
>> https://lock.cmpxchg8b.com/intermediates.zip
>>
>> Tavis.
>>
>
> Thanks Tavis.  I've just submitted all of these intermediates to some CT
> logs.
>
> This list just grew considerably...
> https://crt.sh/mozilla-disclosures#undisclosed
>
>> (I have a larger collection if anyone wants them, but many have unknown
>> critical extensions, or are name or usage constrained, etc)
>>
>
> Yes please.  :-)
>
>
Is there an easy way to check which certificates from my set you're
missing? (I'm not a PKI guy, I was collecting unusual extension OIDs for
fuzzing).

I collected these from public sources, so can just give you my whole set if
you already have tools for importing them and don't mind processing them, I
have around ~8M (mostly leaf) certificates, the set with isCa will be much
smaller.

Tavis.


Unknown Intermediates

2017-06-15 Thread Tavis Ormandy via dev-security-policy
Hello, I was crawling the pkcs7 blobs in public pdf files and found some
intermediate certificates that don't appear in crt.sh.

I forwarded them to Rob, I don't know if this is useful to anyone else, but
they're available here.

https://lock.cmpxchg8b.com/intermediates.zip

Tavis.

(I have a larger collection if anyone wants them, but many have unknown
critical extensions, or are name or usage constrained, etc)