[SSL Observatory] CDN services
Ralph Holz
holz at net.in.tum.de
Mon Nov 7 08:41:42 PST 2011
Hi,
That looks like nice work... :-)
BTW, we have made some cursory scans of the same kind lately (for an
entirely different purpose, but still) and found the same kind of
phenomenon you describe:
> I've created a dataset covering CDN services (to see how common the "citibank
> effect" is). CDN service is defined as hostname serving certificates with
> overlapping time periods (i.e. cert A is seen, cert B is seen, then A again;
> mostly due to reverse NATs, fast-flux DNS, multiple IPs or misconfiguration).
Did you check to which IP addresses these resolve, and stored the IP
addresses? We did that for the last few of our scans, but I haven't
found the time yet to feed it into the DB.
> - self-signed certs popping up along with CA-issued ones seem rather common,
> sometimes it's just once, sometimes both coexist for long time (e.g.
> accessanywhere.net, webaccess.gtbankuk.com)
Interesting. Self-signed certs did not appear on "high-value" domains in
our samples. But that doesn't have to mean anything, of course, we
haven't tried that many.
> Final notes:
> - scanning was done daily between 2011-09-23 and 2011-11-04 on 1.5M+ hostnames
Does this mean you can scan 1.5M+ hostnames in less than 24h? You don't
conduct full SSL handshakes then, correct?
> http://constructibleuniverse.net/CDN/CDN_unfiltered.csv)
Which DB back-end do you use? If it's postgres, I'd be happy to feed it
into our DB, too, and see what we have.
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.eff.org/pipermail/observatory/attachments/20111107/a76d201a/attachment.sig>
More information about the Observatory
mailing list