[SSL Observatory] Frequent cert issuers and an estimate for Sovereign Keys protocol alteration bound against DOS
Ondrej Mikle
ondrej.mikle at nic.cz
Sat Dec 3 22:37:01 PST 2011
Hi,
I've looked at hosts that send new certs frequently. That is to be distinguished
from 'CDN services' where a server farm sends a couple of certifictes depending
on DNS mapping or load balancer (thus observer sees cert A, then B, ..., then A).
An example of frequent issuer (i.e. observation timespans don't overlap, cert's
"not_before" roughly matches first observation time):
Sample 29 certs sent by single host in 71 days period:
http://constructibleuniverse.net/frequent_reissuers/frequent_reissuers.txt
The reason for frequent reissuing is probably that the above certs are used for
some webserver farm (as witnessed by many SANs). I guess each time a new FQDN is
added/removed from hosting, they issue new cert - ones I checked followed that
add/remove SAN/CN patter. Occasionally some get revoked, not sure what's their
criterium for revoking.
There are around 200 such hosts I know of that get new cert issued at least once
every 4 days, on average (all having the same issuing CA).
The issuing frequency might be a good lead for setting DOS-protection limit of
allowed protocol changes per time unit in Sovereign Keys implementation
(original draft had 5 changes per month, IIRC).
One additional consideration for "pinning cert protocols" (DANE, Sovereign Keys,
Auditable CAs, ...) is that such a frequent change must reflect fast to relying
clients. Shouldn't be really a problem, just a point to note.
--
On a side note: while concept of frequent reissuing of certs may not be flawed
per se, though I have a weird feeling about it. Given the number of hosts in CNs
and SANs, it might be easy for human reviewer to miss what is changed (or they
have just good tools to avoid that). Another possibility is that the process is
automated, only automated checks take effect. Any thoughts on how it actually
works? (Their CPS is in French, so couldn't read it).
Side note 2: is there any resolution how to handle multiple CNs in certificate's
Subject? Latest mention I found about multiple CNs was Dan Kaminsky's paper/talk
(2008?) - basically every TLS implementation does something else. Why are
multiple CNs present/allowed in the first place?
Thanks for bearing this far (sorry for my "compulsive writing" :-))
Ondrej
More information about the Observatory
mailing list