[SSL Observatory] Fresh observatory data ? Survey other ports/protocols ?

Brian Smith bsmith at mozilla.com
Sat Apr 30 14:16:09 PDT 2011


Andy Isaacson wrote:
> I think the glue is simple enough that abstracting it would be more
> work than benefit. The biggest benefit to testing NSS's certificate
> parsing, to me, is that we learn about corner cases where the
> different parsers give different results, and abstract interfaces
> will tend to obscure precisely those differences. :)
> 
> I'm looking forward to the first CA signed certificate to exploit a
> parser bug for NSS code execution. :)

Me too! :) Please contact us if you find one.

I am actually not so concerned about differences in parsing as much as differences in building and verifying the certificate chain. All browsers do it differently, and none of us (AFAICT) the way explained in the TLS spec. The way we will build and validate the certificate chain in the future is even more complicated. Using openssl to calculate the "is valid for Mozilla" column(s) of the tables will give misleading (incorrect) results.

Cheers,
Brian



