Warn on a certificate that chain to Symantec roots #298
Comments
Another way to handle this is by a blacklist of the actual end entity certificates. I believe Sleevi is producing one, so we could just do a lookup of those, as we have a complete list.
If a cert has two paths, and only one goes through a distrusted root, what should the result of the analysis be?
A browser would, assuming removal of the Symantec intermediary, treat that as a trusted certificate if the second path is otherwise trusted.

Are unexpired certificates with two paths, one distrusted, prevalent in the wild?

On Sat, Feb 24, 2018 at 06:51 Julien Vehent [:ulfr] wrote:

> If a cert has two paths, and only one goes through a distrusted root, what should the result of the analysis be?
This has been implemented in #299 and is currently running in production.
For archiving, the SQL queries that produce the report:

```sql
-- Sample size: every TLS-enabled target the symantecDistrust worker has analysed since the run started.
SELECT COUNT(DISTINCT(target)) AS "Sample size"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00';

-- Firefox 60 rule: distrusted, and issued before the notBefore cutoff.
SELECT COUNT(DISTINCT(target)) AS "Distrusted in 60"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00'
AND not_valid_before < '2016-06-01'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;

-- Subset of the above whose certificate expires before the Firefox 60 release anyway.
SELECT COUNT(DISTINCT(target)) AS "Distrusted in 60 but expire before release"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00'
AND not_valid_before < '2016-06-01' AND not_valid_after < '2018-05-09'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;

-- Firefox 63 rule: distrusted regardless of notBefore.
SELECT COUNT(DISTINCT(target)) AS "Distrusted in 63"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;

-- Subset of the above whose certificate expires before the Firefox 63 release.
SELECT COUNT(DISTINCT(target)) AS "Distrusted in 63 but expire before release"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00' AND not_valid_after < '2018-10-16'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;

-- Sites that will actually break after the 63 release if they keep their current certificate.
SELECT COUNT(DISTINCT(target)) AS "Sites impacted after 63 release if current cert is maintained"
FROM scans
INNER JOIN analysis ON (scans.id=analysis.scan_id)
INNER JOIN certificates ON (scans.cert_id=certificates.id)
WHERE has_tls=true
AND worker_name='symantecDistrust'
AND timestamp > '2018-05-16 08:00:00' AND not_valid_after > '2018-10-16'
AND CAST(output->>'isDistrusted' AS BOOLEAN) = true;
```
Trust paths which anchor to Symantec roots in this list are generally distrusted in Firefox 60 (based on a notBefore check) or Firefox 63 (no notBefore check). There's also a whitelist of some intermediates' SPKIs from Apple, Google, and DigiCert.

It would be nice to provide a warning and a link to the Upcoming_Distrust_Actions wiki either:

The notBefore check seems unnecessary to duplicate, as all of these certs need to change.