[HTTPS-E Rulesets] Update The Pirate Bay ruleset for new .is domain

Claudio Moretti flyingstar16 at gmail.com
Fri Apr 26 02:58:55 PDT 2013


On Fri, Apr 26, 2013 at 2:28 AM, Seth David Schoen <schoen at eff.org> wrote:

> Their cert has been revoked.  I applied your change but I set the ruleset
> to default_off.
>

Actually, I don't think it was revoked: I checked the RapidSSL CRL, and there
is no reference to a revocation.

Their cert applies only to 'thepiratebay.se' and '*.thepiratebay.se', and
it's still valid, but it does not apply to the .is domains:

=============================================================
claudio at Chuck:~$ openssl x509 -text -noout -in thepiratebay.se
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 679856 (0xa5fb0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
        Validity
            Not Before: Feb  1 09:47:57 2013 GMT
            *Not After : Mar  5 10:48:42 2015 GMT*
        Subject: serialNumber=J-GVhJQ0WETxE/K-rE-cGY-SuA8zZ0Tn,
OU=GT00316361, OU=See www.rapidssl.com/resources/cps (c)13, OU=Domain
Control Validated - RapidSSL(R), *CN=*.thepiratebay.se*

[snip]
X509v3 Subject Alternative Name:
                *DNS:*.thepiratebay.se, DNS:thepiratebay.se*
X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://rapidssl-crl.geotrust.com/crls/rapidssl.crl

            X509v3 Subject Key Identifier:
                8B:58:51:70:2E:57:60:BE:70:BE:46:C8:47:2E:D7:57:A2:40:1C:47

[etc]

=============================================================

And the serial numbers revoked in the CRL do not contain *'679856'* which
is the SN of this cert (feel free to check, I'm attaching the DER CRL I
downloaded - openssl crl -in rapidssl.crl -inform DER -text -noout)

So, wouldn't it be better to revert to the previous rule, while the domain
is working?

I believe they'll upgrade their certificates as soon as possible, but I
think that while the .se domains are working, a functioning HTTPS
connection is better than preparing for the next domain change... (maybe,
excluding the .is domain from the from rule may be a way to ensure that
when the .se domains are taken offline people can still visit TPB)

Cheers,

Claudio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rapidssl.crl
Type: application/octet-stream
Size: 1811 bytes
Desc: not available
URL: <http://lists.eff.org/pipermail/https-everywhere-rules/attachments/20130426/4de75bac/attachment.obj>
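
The serial lookup described in the message above, as an added example that is not part of the original e-mail: `openssl x509 -text` shows this certificate's serial as decimal 679856 (0xa5fb0), while `openssl crl -text` lists revoked serials as uppercase hex padded to whole bytes, so the value has to be normalized before comparing. The function names and the sample CRL text are constructed for illustration.

```shell
#!/bin/sh
# Added example: normalize a certificate serial and look it up in CRL text.

# Print a serial as `openssl crl -text` prints it: uppercase hex, whole bytes.
# Accepts decimal (679856), 0x-prefixed hex (0xa5fb0), or the
# "serial=0A5FB0" form printed by `openssl x509 -noout -serial`.
# Decimal input is limited to what the shell's printf can convert (64 bits).
normalize_serial() {
    case "$1" in
        serial=*) hex=${1#serial=} ;;
        0x*|0X*)  hex=${1#0[xX]} ;;
        *)        hex=$(printf '%x' "$1" 2>/dev/null) || return 2 ;;
    esac
    hex=$(printf '%s' "$hex" | tr '[:lower:]' '[:upper:]' | sed 's/^0*//')
    [ -n "$hex" ] || hex=0
    if [ $(( ${#hex} % 2 )) -eq 1 ]; then hex="0$hex"; fi
    printf '%s\n' "$hex"
}

# Read `openssl crl -text -noout` output on stdin.
# Returns 0 if the serial is listed, 1 if not, 2 if the serial is unparsable.
crl_has_serial() {
    want=$(normalize_serial "$1") || return 2
    # Match the whole field so that 5FB0 cannot match inside 0A5FB0.
    grep -Eq "^[[:space:]]*Serial Number:[[:space:]]*${want}[[:space:]]*\$"
}

# Constructed CRL text (not the real RapidSSL CRL) in openssl's layout.
sample_crl_text() {
cat <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: C = XX, O = Example CA (constructed)
        Last Update: Apr 25 10:00:00 2013 GMT
Revoked Certificates:
    Serial Number: 01A2B3
        Revocation Date: Mar  1 12:00:00 2013 GMT
    Serial Number: 0A5FB1
        Revocation Date: Apr  2 08:30:00 2013 GMT
EOF
}

# Real use, with the command from the message:
#   openssl crl -in rapidssl.crl -inform DER -text -noout | crl_has_serial 679856
if sample_crl_text | crl_has_serial 679856; then
    echo "679856 (0A5FB0): listed as revoked"
else
    echo "679856 (0A5FB0): not listed"
fi
```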