Warn on a certificate that chain to Symantec roots #298
Comments
|
Another way to handle this is by blacklist of the actual end entity certificates. I believe Sleevi is producing one, so could just do a lookup of those, as we have a complete list. |
|
If a cert has two paths, and only one goes through a distrusted root, what should the result of the analysis be? |
|
A browser would, assuming removal of the Symantec intermediary, treat that
as a trusted certificate if the second path is otherwise trusted.
Are unexpired certificates with two paths, one distrusted, prevalent in the
wild?
…On Sat, Feb 24, 2018 at 06:51 Julien Vehent [:ulfr] < ***@***.***> wrote:
If a cert has two paths, and only one goes through a distrusted root, what
should the result of the analysis be?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#298 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAFqDJv-ILIeDLIXkoOKcCYd_IHH5eBFks5tYCHsgaJpZM4SQ9Hm>
.
|
|
This has been implemented in #299 and is currently running in production. |
|
for archiving, the sql queries that produce the report: SELECT COUNT(DISTINCT(target)) AS "Sample size"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00';
SELECT COUNT(DISTINCT(target)) AS "Distrusted in 60"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00'
AND not_valid_before < '2016-06-01'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;
SELECT COUNT(DISTINCT(target)) AS "Distrusted in 60 but expire before release"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00'
AND not_valid_before < '2016-06-01' AND not_valid_after < '2018-05-09'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;
SELECT COUNT(DISTINCT(target)) AS "Distrusted in 63"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;
SELECT COUNT(DISTINCT(target)) AS "Distrusted in 63 but expire before release"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00' AND not_valid_after < '2018-10-16'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;
SELECT COUNT(DISTINCT(target)) AS "Sites impacted after 63 release if current cert is maintained"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00' AND not_valid_after > '2018-10-16'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Trust paths which anchor to Symantec roots in this list are generally distrusted in Firefox 60 (based on a
notBeforecheck) or Firefox 63 (nonotBeforecheck). There's also a whitelist of some intermediates' SPKIs from Apple, Google, and DigiCert.It would be nice to provide a warning and a link to the Upcoming_Distrust_Actions wiki either:
The
notBeforecheck seems unnecessary to duplicate, as all of these certs need to change.The text was updated successfully, but these errors were encountered: