[HTTPS-Everywhere] Distributed Observatory detecting "bad" certificates

Ondrej Mikle ondrej.mikle at nic.cz
Wed Oct 12 02:03:24 PDT 2011


I've tried to use the Google Certificate Catalog for crosschecking my DB 
of collected certificates. Works fine for checking a few certificates. 
Though it's impractical for bulk-checking of millions of certs:

- Google's DNS server seems to have rate-limiting in place and will 
stop responding after just a few hundred queries
- when asking with DNSSEC in the bulk queries, I've occasionally got a bad 
DNSSEC signature (not sure whether that's some implementation quirk or 
something on the wire got mixed up)
- freshness: no one except Google knows when a site scan is going to be 
updated. I've got quite a bunch of certs the Google catalog does not 
know about (e.g. try looking up the cert for host 'mail2.gnh.no' which 
currently has SHA1 hash 3f84cbf0d4e1d10a3c7fff835290e77fa23bc14f)

I also wrote to Ben Laurie asking if it would be possible to have the 
certificate catalog for download, which would be helpful for SSL 
Observatory.

Convergence also has an optional Google Certificate Catalog verifier, but 
I'm not sure if any Convergence notary is actually using it.

Regards,
   Ondrej Mikle

On 10/12/2011 09:02 AM, Maxim Nazarenko wrote:
> Good morning,
>
> While googling DANE I found this blog entry:
> http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html
> . Looks almost like SSL Observatory to me. Is it possible to use
> this Google DB somehow?
>
> Best regards,
> Maxim Nazarenko
>
> On 12 October 2011 01:31, Ondrej Mikle <ondrej.mikle at nic.cz> wrote:
>> Hello,
>>
>> I'd like to ask about a (planned) feature of HTTPS Everywhere described here for
>> some time:
>>
>> https://trac.torproject.org/projects/tor/wiki/doc/HTTPSEverywhere/SSLObservatorySubmission
>>
>> It mentions that it should be able at some point "lets us warn you about
>> insecure connections or attacks on your browser". The DB schema outlined in the
>> torproject page contains fields like 'known_bad' or 'bad_cert_id'.
>>
>> Though I haven't found a mention of how the "bad" certificates are supposed to be
>> detected. I haven't seen any mention in any document or the mailing list of how it's
>> supposed to be implemented.


