
The EFF SSL Observatory - zoowar
https://www.eff.org/observatory
======
chalst
What's the purpose? I've read the EFF page three times, and I guess that they
want to build up a database so that they can pressure CAs to follow good
practices, but it's not really clear.

~~~
asymptotic
The slide decks from two presentations are far more interesting and
enlightening than the original post, which instead refers to a new batch of
available data.

From DEFCON18, titled "An Observatory for the SSLiverse":
<https://www.eff.org/files/DefconSSLiverse.pdf>

From the 27th Chaos Communication Congress, titled "Is the SSLiverse a Safe
Place?" <https://www.eff.org/files/ccc2010.pdf>

The methodology is to nmap all IPs for open port 443s from a tiny three-machine
cluster, and if the port is open launch a simple Python client that
initiates an SSL handshake but stops before sending its own key. They then
dump absolutely everything the server tells them into a MySQL database.

The purpose isn't just to pressure CAs; for me an enlightening and disturbing
fact is just how many trusted CA certs there are. They observed 1,482 CA
certificates from _651 organisations_ trusted by Windows and Firefox! 651!

There are examples of CAs signing "192.168.1.2" and "localhost", two CA
certificates signed with 508-bit RSA keys, etc. Quite interesting.

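The kinds of findings the comment above lists (CA certs with 508-bit RSA keys, certificates issued for "localhost" or private addresses such as "192.168.1.2", the tally of CA certs per organisation) can be expressed as audit rules run over the dumped observations. The following is an added example, not code from the EFF project; the record shape and the `OBSERVED` values are constructed assumptions standing in for rows pulled from the Observatory database.

```python
import ipaddress
from collections import Counter

# Constructed sample records (hypothetical values) in the shape one might pull
# from the Observatory dump: subject CN, SANs, RSA modulus size, CA flag, issuer org.
OBSERVED = [
    {"cn": "www.example.org", "sans": ["www.example.org", "example.org"],
     "rsa_bits": 2048, "is_ca": False, "org": "Example CA Inc"},
    {"cn": "192.168.1.2", "sans": ["192.168.1.2"], "rsa_bits": 1024,
     "is_ca": False, "org": "Example CA Inc"},
    {"cn": "localhost", "sans": [], "rsa_bits": 1024,
     "is_ca": False, "org": "Another Root Ltd"},
    {"cn": "Another Root Ltd Sub CA", "sans": [], "rsa_bits": 508,
     "is_ca": True, "org": "Another Root Ltd"},
]

def is_non_public_name(name):
    """True for names a public CA should never certify: 'localhost' and
    private, loopback, link-local or reserved IP addresses."""
    if name.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return False  # an ordinary DNS name, or a CA subject that is not a host
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved

def audit(record, min_bits=1024):
    """Return the findings for one observed certificate, in rule order."""
    findings = []
    if record["rsa_bits"] < min_bits:
        findings.append("weak-rsa-%d" % record["rsa_bits"])
    # dict.fromkeys de-duplicates a CN that is repeated in the SAN list
    for name in dict.fromkeys([record["cn"]] + record["sans"]):
        if is_non_public_name(name):
            findings.append("non-public-name:" + name)
    if record["is_ca"] and findings:
        findings.append("ca-cert-affected")  # a bad CA cert taints everything below it
    return findings

def summarize(records):
    """Tally CA certificates and distinct issuing organisations, as the talks do."""
    return {"ca_certs": sum(r["is_ca"] for r in records),
            "organisations": len(Counter(r["org"] for r in records))}
```
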
------
mkelly
Interesting read. It reminds me that projects like monkeysphere
(<http://web.monkeysphere.info>) are out there, which try to address some of
this.

