[guardian-dev] critical fixes to OnionKit's StrongTrustManager
Tom Ritter
tom at ritter.vg
Tue Mar 12 09:09:24 EDT 2013
On 12 March 2013 03:49, Nathan of Guardian <nathan at guardianproject.info> wrote:
> Also, I am looking for fun malicious certs/chains to run through test cases
> for this code, or pointers on a quick way to generate a comprehensive
> set of bad certs.
>
> Is there a repository somewhere of bad certs? Perhaps from malicious Tor
> exit nodes?
A few people have talked about setting up testbeds, and jjarmoc had
one for a short while but it's now down. A list of things you may
want to add checks for and/or code against:
- Path Length Constraints (IIRC there's a Korean CA that relies on
  these more than they should)
- Name Constraints
- Overbroad Wildcard Certs: *.com, *.*
- Certs for internal domains or domains not on the
  http://publicsuffix.org/ list
- MD5 signatures
- Short Public moduli
- Debian Weak Key
- Factorizable public key
-tom
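
Added example (not part of the message above and not OnionKit's own code): a sketch of how four of the listed checks (overbroad wildcards, non-public names, MD5 signatures, short RSA moduli) could be coded against java.security.cert.X509Certificate. The class name ChainLint, the four-entry suffix set and the 2048-bit floor are assumptions made for illustration; path length, name constraints and the weak-key checks are not covered here.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class ChainLint {
    // Constructed stand-in for the publicsuffix.org list; load the real list in practice.
    static final Set<String> SUFFIXES = new HashSet<>(Arrays.asList("com", "org", "uk", "co.uk"));
    static final int MIN_RSA_BITS = 2048; // assumed policy floor, not from the thread
    // Flags *.com, *.*, *.co.uk, and any '*' that is not the whole leftmost label.
    static boolean overbroadWildcard(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        if (!n.contains("*")) return false;
        if (!n.startsWith("*.") || n.indexOf('*', 1) >= 0) return true;
        String base = n.substring(2);
        return !base.contains(".") || SUFFIXES.contains(base);
    }
    // Flags names whose rightmost label is not a public suffix (e.g. mail.corp, localhost).
    static boolean internalName(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return !SUFFIXES.contains(n.substring(n.lastIndexOf('.') + 1));
    }
    static boolean weakSignature(String sigAlg) { // e.g. "MD5withRSA"
        String s = sigAlg.toUpperCase(Locale.ROOT);
        return s.startsWith("MD5") || s.startsWith("MD2");
    }
    static boolean shortModulus(BigInteger n) { return n.bitLength() < MIN_RSA_BITS; }
    // Collects findings for one certificate of a chain handed to a TrustManager.
    static List<String> lint(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        if (weakSignature(cert.getSigAlgName())) out.add("weak signature " + cert.getSigAlgName());
        if (cert.getPublicKey() instanceof RSAPublicKey
                && shortModulus(((RSAPublicKey) cert.getPublicKey()).getModulus()))
            out.add("RSA modulus under " + MIN_RSA_BITS + " bits");
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return out;
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue; // type 2 = dNSName
            String dns = (String) san.get(1);
            if (overbroadWildcard(dns)) out.add("overbroad wildcard " + dns);
            else if (internalName(dns)) out.add("non-public name " + dns);
        }
        return out;
    }
    public static void main(String[] args) { // constructed sample names
        for (String n : new String[] {"*.com", "*.*", "*.co.uk", "*.example.com", "mail.corp"})
            System.out.println(n + " wildcard=" + overbroadWildcard(n) + " internal=" + internalName(n));
    }
}
```

Of the constructed names in main, only *.example.com passes both name checks; lint() inspects subjectAltName dNSName entries only and leaves non-RSA keys unchecked.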