[SSL Observatory] CDN services

Ondrej Mikle ondrej.mikle at nic.cz
Tue Nov 8 05:48:23 PST 2011


On 11/07/2011 05:41 PM, Ralph Holz wrote:
> Did you check to which IP addresses these resolve, and store the IP
> addresses? We did that for the last few of our scans, but I haven't
> found the time yet to feed it into the DB.

I did not store the IPs, only checked IPs manually.

>> - self-signed certs popping up along with CA-issued ones seem rather common,
>> sometimes it's just once, sometimes both coexist for a long time (e.g.
>> accessanywhere.net, webaccess.gtbankuk.com)
>
> Interesting. Self-signed certs did not appear on "high-value" domains in
> our samples. But that doesn't have to mean anything, of course, we
> haven't tried that many.

In most instances the self-signed cert appears only for a short time (one scan
or a day or two out of the 40-day period), which suggests that likely a new
machine was installed or some other reconfiguration was done. I had to look hard
for any "high value" domain.

In your datasets (the difference sets) I've found some webhostings/eshops (e.g.
wesped.com, alyasoft.net). One domain had improper (but not self-signed) certs
that might be considered "high value" (centerstatebank.com), though now it seems
to have a proper cert.

> Does this mean you can scan 1.5M+ hostnames in less than 24h? You don't
> conduct full SSL handshakes then, correct?

Correct. The scanner only waits for the TLS Handshake Record with certificates.
Time taken by the scan depends a lot on the scanner location: one finishes
consistently within 4-5 hours, the other between 11-13 hours (in 100 threads).

> Which DB back-end do you use? If it's postgres, I'd be happy to feed it
> into our DB, too, and see what we have.

It's postgres.

Ondrej
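
Added example (not part of the original message and not the Observatory scanner's code): a sketch of how a certificate-only scan can stop at the Certificate handshake message, reassembling handshake messages that span several TLS records. It assumes TLS 1.2 or earlier, where the Certificate message is sent unencrypted; all function names and the sample bytes are constructed for illustration.

```python
import struct
HANDSHAKE, SERVER_HELLO, CERTIFICATE = 22, 2, 11  # TLS content/handshake types

def iter_records(stream):  # yields (content_type, payload) per complete record
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            return  # truncated record: a live scanner would keep reading
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def parse_certificate_list(body):  # splits the 3-byte length-prefixed entries
    certs, pos, end = [], 3, min(3 + int.from_bytes(body[:3], "big"), len(body))
    while pos + 3 <= end:
        n = int.from_bytes(body[pos:pos + 3], "big")
        if pos + 3 + n > end:
            break  # malformed or truncated entry
        certs.append(body[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs

def extract_certificates(stream):
    """Return the server's certificate chain, or None if none was seen."""
    buf = b""
    for ctype, payload in iter_records(stream):
        if ctype != HANDSHAKE:
            return None  # e.g. the server answered with an alert
        buf += payload  # handshake messages may span several records
        while len(buf) >= 4:
            msg_len = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + msg_len:
                break  # rest of this message is in the next record
            msg_type, body, buf = buf[0], buf[4:4 + msg_len], buf[4 + msg_len:]
            if msg_type == CERTIFICATE:
                return parse_certificate_list(body)  # stop: no key exchange
    return None

def hs_msg(msg_type, body):  # helper to build a constructed handshake message
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def record(payload, ctype=HANDSHAKE):  # helper to build a constructed record
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

def sample_flight():  # constructed input: ServerHello + Certificate, 2 records
    certs = [b"constructed-leaf", b"constructed-ca"]  # placeholders, not real DER
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    cert_msg = hs_msg(CERTIFICATE, len(chain).to_bytes(3, "big") + chain)
    flight = hs_msg(SERVER_HELLO, bytes(38)) + cert_msg
    return record(flight[:52]) + record(flight[52:]), certs  # split mid-message
```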


