
Re: [tor-bugs] #33602 [Internal Services/Services Admin Team]: monitor certificate transparency log



#33602: monitor certificate transparency log
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  (none)
     Type:  task                                 |         Status:  new
 Priority:  Low                                  |      Milestone:
Component:  Internal Services/Services Admin     |        Version:
  Team                                           |
 Severity:  Major                                |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Description changed by anarcat:

Old description:

> we should use something like SSLMate.com or certspotter to monitor
> certificates issued in our place.
>
> https://github.com/SSLMate/certspotter
>
> this could be run on nevii, nagios or pauli. it's unclear what we should
> do with the output, there will possibly be lots of false positives, as
> the certificates will appear in our logs every time one of our certs is
> (legitimately) renewed.
>
> it's a debian package since buster. i ran a test locally, and it's
> basically:
>
> {{{
> sed 's/ /\n/g;/^#/d;/^ *$/d' letsencryt-domains/domains  | sort |
> certspotter -watchlist -
> }}}

New description:

 we should use something like SSLMate.com or certspotter to monitor
 certificates issued in our place.

 https://github.com/SSLMate/certspotter

 this could be run on nevii, nagios or pauli. it's unclear what we should
 do with the output, there will possibly be lots of false positives, as
 the certificates will appear in our logs every time one of our certs is
 (legitimately) renewed.

 it's a debian package since buster. i ran a test locally, and it's
 basically:

 {{{
 sed 's/ /\n/g;/^#/d;/^ *$/d' letsencryt-domains/domains  | sort |
 certspotter -watchlist -
 }}}

 the key trick, however, is to *not* warn *when* a new cert is renewed.
 therefore we would need to be somewhat clever and recognize our own
 certificates in there and filter those out.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33602#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
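The filtering step the ticket asks for (drop CT findings that are just our own renewals, keep everything else that covers a watched name) can be done by comparing the SHA-256 fingerprint the CT monitor reports against the fingerprints of the certificates actually deployed on our hosts. The script below is an added example written for this ticket; it is not certspotter's code and not something the Tor sysadmin team runs. It assumes that CT findings arrive as dicts carrying the leaf's hex SHA-256 fingerprint over the DER encoding and its DNS names (a constructed shape, not certspotter's real output format) and that our own certificates are available as PEM text, for instance from an ACME client's archive directory. The sample certificates and findings are constructed, not real.

```python
"""Filter a CT monitor's findings down to certificates we did not issue.

Added example for the ticket above; not certspotter's code and not
anything deployed by the Tor sysadmin team.  Assumptions: CT findings are
dicts with the leaf's SHA-256 fingerprint (hex over the DER encoding) and
its DNS names (a constructed shape, not certspotter's real output), and
our own deployed certificates are available as PEM text (e.g. an ACME
client's archive directory).
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 hex fingerprint of every certificate in a PEM blob.

    Hashing the DER bytes gives the value crt.sh and CT tooling report as
    sha256, so it compares directly with a monitor's finding.  A
    fullchain.pem yields leaf and intermediates; the extra intermediate
    fingerprints simply never match a leaf found in CT for our names.
    """
    fps = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def name_covers(cert_name, hostname):
    """True if a certificate DNS name (possibly a wildcard) covers hostname."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        # a wildcard matches exactly one leftmost label (RFC 6125 s6.4.3)
        return hostname.partition(".")[2] == cert_name[2:]
    return cert_name == hostname


def unexpected_certs(findings, known_fps, watchlist):
    """Keep findings that cover a watched name but are not our own.

    A finding whose fingerprint is in known_fps is a certificate we
    deployed (e.g. a routine renewal) and is dropped silently; any other
    certificate covering a watched name is returned for a human to check.
    """
    known = {fp.lower() for fp in known_fps}
    out = []
    for f in findings:
        if f["sha256"].lower() in known:
            continue
        if any(name_covers(n, w) for n in f["dns_names"] for w in watchlist):
            out.append(f)
    return out


# --- constructed sample data: not real certificates or CT log entries ---
def _fake_pem(payload):
    """Wrap arbitrary bytes in PEM armor so the hashing path is exercised."""
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


OUR_PEMS = [_fake_pem(b"constructed-DER-renewed-www"),
            _fake_pem(b"constructed-DER-lists")]
KNOWN_FPS = set().union(*(pem_fingerprints(p) for p in OUR_PEMS))
WATCHLIST = ["www.torproject.org", "lists.torproject.org"]
OUR_RENEWED_FP = next(iter(pem_fingerprints(OUR_PEMS[0])))
FINDINGS = [
    {"id": "renewal", "sha256": OUR_RENEWED_FP,
     "dns_names": ["www.torproject.org"]},          # our own renewal: silent
    {"id": "unknown-leaf", "sha256": "aa" * 32,
     "dns_names": ["lists.torproject.org"]},        # not ours: alert
    {"id": "unknown-wildcard", "sha256": "bb" * 32,
     "dns_names": ["*.torproject.org"]},            # wildcard covers us: alert
    {"id": "unrelated", "sha256": "cc" * 32,
     "dns_names": ["example.org"]},                 # not a watched name: ignore
]


def demo():
    """Run the filter over the constructed data; returns ids needing attention."""
    return [f["id"] for f in unexpected_certs(FINDINGS, KNOWN_FPS, WATCHLIST)]


if __name__ == "__main__":
    print(demo())  # ['unknown-leaf', 'unknown-wildcard']
```

Two caveats when wiring this up for real. A renewed certificate is logged to CT at issuance, which can be minutes before the ACME client writes it to disk and before any deploy hook runs, so a finding that is not yet in the known set should be re-checked once after a short delay (or the known set rebuilt from the client's archive directory after each renewal) rather than paged immediately. And the known set has to be collected from every host that legitimately requests certificates for the watched names; a certificate that only exists on a host the collector does not read will otherwise show up as unexpected every time it renews.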