Andrew Ayer
Bootstrapped founder of SSLMate (https://sslmate.com) and DNS Helper (https://www.dnshelper.com). Making SSL certificates and DNS records easier. #WebPKI and #CertificateTransparency research on the side.
Posts
There are other tools that do deep vulnerability scanning (e.g. Trivy), but they don't use govulncheck so they're overrun with false positives.
https://github.com/AGWA/deepscan
Spoiler: it's bad.
https://www.agwa.name/blog/post/cas_are_issuing_broken_certificates_again
If you got a certificate from any of these CAs in the last few days, you should test your site using SSLMate's CT Policy Analyzer: https://sslmate.com/labs/ct_policy_analyzer/
There's really no excuse for this, as Apple and Chrome publish simple JSON files specifying exactly what logs a CA should be using!
AFAICT, the first person to notice any of this was Hacker News user JXzVB0iA, two days ago: https://news.ycombinator.com/item?id=45089708
This morning, it was reported to the certificate-transparency mailing list, with attribution to JXzVB0iA.
A few hours later, it was reported to the mozilla-dev-security-policy mailing list, without attribution.
Then Dan Goodin wrote his article, citing the mozilla-dev-security-policy post.
Very surprising that Cloudflare did not notice given they operate a CT monitor.
(h/t Hacker News user JXzVB0iA)