[guardian-dev] critical fixes to OnionKit's StrongTrustManager

Tom Ritter tom at ritter.vg
Tue Mar 12 09:09:24 EDT 2013


On 12 March 2013 03:49, Nathan of Guardian <nathan at guardianproject.info> wrote:
> Also, I am looking fun malicious certs/chains to run through test cases
> for this code, or pointers on a quick way to generate a comprehensive
> set of bad certs.
>
> Is there a repository somewhere of bad certs? Perhaps from malicious Tor
> exit nodes?

A few people have talked about setting up testbeds, and jjarmoc had
one for a short while but it's now down.  A list of things you may
want to add checks for and/or code against:

 - Path Length Constraints (IIRC there's a Korean CA that relies on
these more than they should)
 - Name Constraints
 - Overbroad Wildcard Certs: *.com, *.*
 - Certs for internal domains or domains not on the
http://publicsuffix.org/ list
 - MD5 signatures
 - Short Public moduli
 - Debian Weak Key
 - Factorizable public key

-tom


More information about the Guardian-dev mailing list