Closed adamdecaf closed 6 years ago
I ran generations over my browser history and found a lot of intermediate certs. The grouping could be a bit better I bet.
$ ./cert-manage gen-whitelist -from chrome -out wh.json
CA                                                       DNSName           Count  Example DNSNames
DigiCert Inc                                             4ffec029b6ffbe9d  740    statuspage.io, 3down.mit.edu, ac.sterda.com, adltrust.kinnser.com, amtrust.kinnser.com
Google Inc                                               bc98a2682670e92a  68     *.google.com, *.android.com, *.appengine.google.com, *.cloud.google.com, *.db833953.google.cn
GoDaddy.com, Inc., http://certs.godaddy.com/repository/  ffaf6affa8c3362c  67     sni194015.cloudflaressl.com, *.bikelights.info, *.bosen.info, *.careerdev.info, *.cbcat.ru
GoDaddy.com, Inc., http://certs.godaddy.com/repository/  7974ebe3fc476e08  8      emacs.org, gnu.org, hurd.gnu.org, www.freesoftware.fsf.org, www.gnu.org
Symantec Corporation, Symantec Trust Network             3e203bc509a032cc  6      freecampsites.net, intergalacticdata.com, intergalacticdata.net, rvdumpsites.com, rvdumpsites.net
Let's Encrypt                                            7c6249926f62b3ea  4      *.jackhenry.com, jackhenry.com, jhaextadfs.jackhenry.com, esdadfs.jackhenry.com
thawte, Inc.                                             cdfd2bdc576fed2e  3      asciinema.org, staging.asciinema.org, www.asciinema.org
Symantec Corporation, Symantec Trust Network             b5d004b2da8b77f9  3      www.starbucks.com, globalassetshost.starbucks.com, starbucks.com
$ ./cert-manage gen-whitelist -from firefox -out wh.json
CA                                                       DNSName           Count  Example DNSNames
DigiCert Inc, www.digicert.com                           8a43602dc67d8c59  740    statuspage.io, 3down.mit.edu, ac.sterda.com, adltrust.kinnser.com, amtrust.kinnser.com
DigiCert Inc, www.digicert.com                           2fe3a029a23d5e6d  566    ssl001.insnw.net, *.adage.com, *.aovstats.com, *.apw21.com, *.apwcontent.com
DigiCert Inc, www.digicert.com                           2fe3a029a23d5e6d  343    gannett.com, usatoday.com, *.usatoday.com, alamogordonews.com, *.alamogordonews.com
Google Inc                                               211072c114b98add  336    misc.google.com, *.actions.google.com, *.adgoogle.net, *.admeld.com, *.advertiserscommunity.com
Google Trust Services                                    8689a0f6f2606db8  233    *.dev.volcanic.uk, *.production.volcanic.uk, *.staging.volcanic.uk, ap.talentinternational.com, app.pointjobs.co.uk
DigiCert Inc                                             52a64ba469b0bfb6  163    misc-sni.blogspot.com, *.au.daily.alpha.blogspot.com, *.au.gaia.alpha.blogspot.com, *.au.prod.alpha.blogspot.com, *.au.weekly.alpha.blogspot.com
DigiCert Inc                                             ba000b8e9b1a7491  159    misc-sni.google.com, *.1ucrs.com, *.abc.xyz, *.adsensecustomsearchads.com, *.ampproject.com
DigiCert Inc, www.digicert.com                           25fe3932d9638c8a  147    k.ssl.fastly.net, *.bitconveyor.com, *.businessinsider.de, *.cache.pointinside.com, *.cargurus.com
DigiCert Inc, www.digicert.com                           74f6291c89352c39  146    ns-vip-02.sys.kth.se, intra.abe.kth.se, intra.bio.kth.se, intra.che.kth.se, intra.csc.kth.se
DigiCert Inc, www.digicert.com                           334105950462aeab  144    i.ssl.fastly.net, *.am-autoparts.com, *.am-autopartsqa.com, *.i.ssl.fastly.net, *.s.tmol.io
Let's Encrypt                                            d8a3987029382fe8  144    incapsula.com, *.acc.co.id, *.adpost.com, *.amwaynet.com.tw, *.asiaforgood.com
COMODO CA Limited                                        993f509faf2d0504  143    f4.shared.global.fastly.net, *.500px.com, *.500px.net, *.500px.org, *.acceptance.habitat.sh
Let's Encrypt                                            47bc22f69a2e5701  133    e2.shared.global.fastly.net, *.alpagot.net, *.be-me.co, *.beme.com, *.bridestory.com
DigiCert Inc, www.digicert.com                           9396c5035bc84f73  127    j.ssl.fastly.net, *.compatiblepartners.net, *.eharmony.ca, *.eharmony.co.uk, *.eharmony.com
Amazon, Server CA 1B                                     223b1e3a385738e3  123    j2.shared.global.fastly.net, *.a2presse.fr, *.adventistbookcenter.com, *.api.lolesports.com, *.baatch.com
Symantec Corporation, Symantec Trust Network             7714d5c429d2af9b  122    g2.shared.global.fastly.net, *.abritel.fr, *.admailtiser.com, *.apartmenttherapy.com, *.b12sites.com
Google Inc                                               fdefc4e1397ea879  122    m.ssl.fastly.net, *.7digital.com, *.7static.com, *.activistmonitor.com, *.adwerx.com
DigiCert Inc                                             fa18d0c1ce71aef1  122    d2.shared.global.fastly.net, *.1101.com, *.acurisdatasolutions.com, *.alarmgrid.com, *.anywhere.com
DigiCert Inc, www.digicert.com                           2cb0d0ceb3721630  116    n.ssl.fastly.net, *.1bleacherreport.com, *.anywherebelize.com, *.anywherecostarica.com, *.anywherecuba.com
Google Inc                                               bc98a2682670e92a  111    r.ssl.fastly.net, *.addthis.com, *.addthisedge.com, *.adwerx.com, *.alittlecraft.com
DigiCert Inc                                             48c8c528c5972465  110    us.linkedin.com, ae.linkedin.com, ar.linkedin.com, au.linkedin.com, be.linkedin.com
COMODO CA Limited                                        b7f7c0e2b50d3ce8  104    craigslist.org, *.cl.com, *.cl.uk, *.craigslist.at, *.craigslist.be
GeoTrust Inc.                                            41e02e781afc1ba6  100    abbyabas.com, angular.run, bensonapp.com, billc.cc, buzzotter.com
Let's Encrypt                                            d29b53d2babc4013  100    121.care, 5637641986899968-fe3.pantheonsite.io, 8xrentals.com, agifabricators.com, americanturfandtree.com
Amazon, Server CA 1B                                     0b5e434708f2afb5  100    5767409591910400-fe4.pantheonsite.io, aileyextension.com, alvinailey.org, ask.alvinailey.org, atc.usenix.org
Let's Encrypt                                            13dd79371f4ebd44  100    1301colorado.com, 5667908084563968-fe2.pantheonsite.io, adirondackestates.com, aecpropertytax.com, afscmeatwork.org
Internet2, InCommon                                      c211e0232c0fdf9e  99     sni36037.cloudflaressl.com, *.aniajarda.com, *.autonomiesante.ca, *.beautyandbridalbylaura.co.uk, *.begriffagency.ru
GeoTrust Inc.                                            b9332a41b363f119  99     sni66495.cloudflaressl.com, *.aclusocal.org, *.brownadipose.com, *.cleareye.com, *.coatednails.com
Let's Encrypt                                            4a1a7a7ce1eb6917  99     sni29581.cloudflaressl.com, *.03loveandroid.ml, *.0designdesktop7.gq, *.0pattern97.tk, *.3807.gq
GoDaddy.com, Inc., http://certs.godaddy.com/repository/  5ddfe568bd34e26c  99     sni24077.cloudflaressl.com, *.aafdcyerwqo.gq, *.abc-wages.com, *.activehackers.com, *.anvfxvxgzdn.ml
The long tail is even more severe.