[HTTPS-E Rulesets] Update The Pirate Bay ruleset for new .is domain
Claudio Moretti
flyingstar16 at gmail.com
Fri Apr 26 02:58:55 PDT 2013
On Fri, Apr 26, 2013 at 2:28 AM, Seth David Schoen <schoen at eff.org> wrote:
> Their cert has been revoked. I applied your change but I set the ruleset
> to default_off.
>
Actually, I don't think it was revoked: I checked the RapidSSL CRL, and there
is no reference to a revocation.
Their cert applies only to 'thepiratebay.se' and '*.thepiratebay.se', and
it's still valid, but it does not apply to the .is domains:
=============================================================
claudio at Chuck:~$ openssl x509 -text -noout -in thepiratebay.se
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 679856 (0xa5fb0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
Validity
Not Before: Feb 1 09:47:57 2013 GMT
*Not After : Mar 5 10:48:42 2015 GMT*
Subject: serialNumber=J-GVhJQ0WETxE/K-rE-cGY-SuA8zZ0Tn,
OU=GT00316361, OU=See www.rapidssl.com/resources/cps (c)13, OU=Domain
Control Validated - RapidSSL(R), *CN=*.thepiratebay.se*
[snip]
X509v3 Subject Alternative Name:
*DNS:*.thepiratebay.se, DNS:thepiratebay.se*
X509v3 CRL Distribution Points:
Full Name:
URI:http://rapidssl-crl.geotrust.com/crls/rapidssl.crl
X509v3 Subject Key Identifier:
8B:58:51:70:2E:57:60:BE:70:BE:46:C8:47:2E:D7:57:A2:40:1C:47
[etc]
=============================================================
And the serial numbers revoked in the CRL do not contain *'679856'* which
is the SN of this cert (feel free to check, I'm attaching the DER CRL I
downloaded - openssl crl -in rapidssl.crl -inform DER -text -noout)
So, wouldn't it be better to revert to the previous rule, while the domain
is working?
I believe they'll upgrade their certificates as soon as possible, but I
think that while the .se domains are working, a functioning HTTPS
connection is better than preparing for the next domain change... (maybe,
excluding the .is domain from the from rule may be a way to ensure that
when the .se domains are taken offline people can still visit TPB)
Cheers,
Claudio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rapidssl.crl
Type: application/octet-stream
Size: 1811 bytes
Desc: not available
URL: <http://lists.eff.org/pipermail/https-everywhere-rules/attachments/20130426/4de75bac/attachment.obj>
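The two checks discussed in this message (is the certificate's serial in the CRL, and does the certificate cover the hostname), as an added example that is not part of the original e-mail. `openssl x509 -text` prints a short serial as decimal with hex in parentheses, while `openssl crl -text` lists revoked serials as bare hex, so the comparison is done on integers. The CRL text below is constructed sample data, and `thepiratebay.is` is an assumed hostname for the .is domain.

```python
import re

# Lines taken from the openssl x509 output quoted in the message.
CERT_TEXT = """\
        Serial Number: 679856 (0xa5fb0)
            X509v3 Subject Alternative Name:
                DNS:*.thepiratebay.se, DNS:thepiratebay.se
"""

# Constructed sample of `openssl crl -text` output (not the real RapidSSL CRL).
CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 01E240
        Revocation Date: Jan 10 08:00:00 2013 GMT
    Serial Number: 0A5FB1
        Revocation Date: Mar  2 12:30:00 2013 GMT
"""

def cert_serial(x509_text):
    """Serial as an int; x509 prints 'decimal (0xhex)' or colon-separated hex."""
    m = re.search(r"Serial Number:\s*(?:(\d+) \(0x[0-9a-f]+\)"
                  r"|((?:[0-9a-f]{2}:)+[0-9a-f]{2}))", x509_text, re.I)
    if not m:
        raise ValueError("no serial number found")
    return int(m.group(1)) if m.group(1) else int(m.group(2).replace(":", ""), 16)

def revoked_serials(crl_text):
    """CRL entries are printed as bare hex, so parse them base 16."""
    pattern = r"^\s*Serial Number:\s*([0-9a-f]+)\s*$"
    return {int(h, 16) for h in re.findall(pattern, crl_text, re.I | re.M)}

def san_names(x509_text):
    """dNSName entries from the Subject Alternative Name line."""
    return re.findall(r"DNS:([^,\s]+)", x509_text)

def name_covered(host, names):
    """Exact match, or a '*.' entry covering exactly one left-most label."""
    host = host.lower().rstrip(".")
    label, _, parent = host.partition(".")
    return any(n == host or (n.startswith("*.") and label and parent == n[2:])
               for n in (name.lower() for name in names))

def assess(host, x509_text, crl_text):
    return {"revoked": cert_serial(x509_text) in revoked_serials(crl_text),
            "name_ok": name_covered(host, san_names(x509_text))}

if __name__ == "__main__":
    for h in ("thepiratebay.se", "www.thepiratebay.se", "thepiratebay.is"):
        print(h, assess(h, CERT_TEXT, CRL_TEXT))
```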