On 21/1/09 15:50, Johnathan Nightingale wrote:
> Hi folks,
> I just posted a blog entry here about a side project I've had running
> for a little while:
> http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/
> The very short version is that I crawled the top 1M sites (according to
> Alexa) to harvest some basic SSL information, including the end-entity
> certs, and dumped it all into an SQLite database. I throw out a couple
> of potential analysis topics in the blog post, but my hope is that this
> is a group that can suggest other interesting questions that a DB of
> ~380,000 certs (approximately 215,000 of which are valid, CA-signed) can
> answer. The DB and the (albeit terrible) crawler code are publicly
> available, of course, and linked to from the post. If nothing else,
> perhaps those certs would make an interesting NSS unit test. :)
> Is this useful for people? My sense is that we've been lacking this
> information (except from paid sources) for some time, but I'd like to
> hear whether anyone in this group finds it helpful to have.
I think it is exceedingly useful. Just the metric that, of the 380k
certs, around 215k are "PKI-valid" is a worthwhile number, a metric.
The MD5 charts look like they could be the basis of deciding the
execution date.
How about a 1% rule? When something suspect crosses to only 1% of
certs, it's dead.
SecuritySpace used to publish great reports on these things, basically
as a loss-leader to build their business to compete with Netcraft. Now
they don't publish them so I guess they succeeded :)
It would be great to replace them with something open and shared. To
the extent that Mozo can do this I think it is a very worthwhile
project. We need numbers to back up our raging claims.
iang
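The two metrics discussed above (the share of certs signed with a suspect algorithm such as MD5, and the "1% rule" for deciding when it is dead) can be computed straight from a certificate database like the one described. The script below is an added example, not code from the post or the crawler; it assumes a table `certs` with columns `host`, `sig_alg` and `valid`, which is a constructed schema for illustration rather than the real layout of the published database, and it uses constructed sample rows and a constructed per-crawl history so it runs offline.

```python
import sqlite3
from datetime import date

# Constructed sample rows standing in for the crawl's SQLite dump. The
# (host, sig_alg, valid) layout is an assumption made for this example,
# not the schema of the real database.
SAMPLE_ROWS = (
    [(f"valid-md5-{i}.example", "md5WithRSAEncryption", 1) for i in range(2)]
    + [(f"valid-sha1-{i}.example", "sha1WithRSAEncryption", 1) for i in range(98)]
    + [(f"selfsigned-md5-{i}.example", "md5WithRSAEncryption", 0) for i in range(5)]
    + [(f"selfsigned-sha1-{i}.example", "sha1WithRSAEncryption", 0) for i in range(5)]
)


def load_sample_db(rows=SAMPLE_ROWS):
    """Build an in-memory SQLite DB with the assumed certs table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE certs (host TEXT PRIMARY KEY, sig_alg TEXT NOT NULL, valid INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO certs VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def sig_alg_shares(conn, valid_only=True):
    """Fraction of certs per signature algorithm.

    valid_only=True restricts the population to valid, CA-signed certs,
    which is the population that matters for deprecation decisions; the
    self-signed noise would otherwise inflate the suspect algorithm's share.
    """
    if valid_only:
        query = "SELECT sig_alg, COUNT(*) FROM certs WHERE valid = 1 GROUP BY sig_alg"
    else:
        query = "SELECT sig_alg, COUNT(*) FROM certs GROUP BY sig_alg"
    rows = conn.execute(query).fetchall()
    total = sum(n for _, n in rows)
    return {alg: n / total for alg, n in rows} if total else {}


def one_percent_rule(shares, suspect_alg, threshold=0.01):
    """Apply the 1% rule: once the suspect algorithm's share is below the
    threshold it is 'dead' and can be dropped without much breakage."""
    share = shares.get(suspect_alg, 0.0)
    return {"algorithm": suspect_alg, "share": share, "dead": share < threshold}


def execution_date(history, suspect_alg, threshold=0.01):
    """Given [(crawl_date, shares), ...] from successive crawls, return the
    first crawl date at which the suspect algorithm fell below the
    threshold, or None if it never did."""
    for crawl_date, shares in sorted(history, key=lambda h: h[0]):
        if shares.get(suspect_alg, 0.0) < threshold:
            return crawl_date
    return None


# Constructed history of MD5's share across hypothetical crawls.
SAMPLE_HISTORY = [
    (date(2008, 7, 1), {"md5WithRSAEncryption": 0.05}),
    (date(2009, 1, 21), {"md5WithRSAEncryption": 0.02}),
    (date(2009, 7, 1), {"md5WithRSAEncryption": 0.008}),
]

if __name__ == "__main__":
    conn = load_sample_db()
    print(one_percent_rule(sig_alg_shares(conn), "md5WithRSAEncryption"))
    print(one_percent_rule(sig_alg_shares(conn, valid_only=False), "md5WithRSAEncryption"))
    print(execution_date(SAMPLE_HISTORY, "md5WithRSAEncryption"))
```

Against a real dump you would point `sqlite3.connect` at the downloaded file and adjust the column names; the point of keeping `valid_only` as a switch is that the 1% answer can differ depending on whether untrusted, self-signed certs are counted in the denominator, so the population should be stated alongside the number.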
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto