cisagov / pshtt

Scan domains and return data based on HTTPS best practices
Creative Commons Zero v1.0 Universal
674 stars, 81 forks

Distinguish incomplete chains from untrusted roots #25

Open h-m-f-t opened 8 years ago

h-m-f-t commented 8 years ago

At least in a naïve fashion, flagging likely incomplete chains from untrusted roots should be feasible by counting the number of certificates returned in "Certificate Chain Received" from sslyze. requests may also return something that could be useful.

I recall openssl returns a 'depth' value, which, when a site is less than 2 deep, is a strong indication intermediate certs are not served, making the chain incomplete. If depth<2 and the certificate is not trusted in the Mozilla store, this seems to indicate an incomplete chain, while depth>=2 seems to indicate an untrusted root.
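The depth heuristic above, as an added worked example (not code from pshtt or sslyze). It assumes the served certificates have already been reduced to (subject, issuer) name pairs, leaf first, as one might extract from sslyze's "Certificate Chain Received", and that the trust store is a set of root subject names; matching by name is a simplification, since a real verifier matches key identifiers and checks signatures. It goes one step beyond the comment by checking whether the top served certificate is self-signed, which catches the self-signed leaf that the depth<2 rule alone would misreport as an incomplete chain. All chain data and the trust store are constructed for the example.

```python
"""Naive classifier: incomplete chain vs. untrusted root.

Added example, not code from pshtt or sslyze. Certificates are
(subject, issuer) name pairs, leaf first; the trust store is a set of
root subject names. Name matching is a simplification of real
path validation.
"""
from typing import Iterable, Sequence, Tuple

Cert = Tuple[str, str]  # (subject, issuer)

# Constructed stand-in for the Mozilla root store.
TRUSTED_ROOTS = {"Example Root CA"}


def chain_links(received: Sequence[Cert]) -> bool:
    """True if each served cert's issuer is the subject of the next one."""
    return all(
        issuer == next_subject
        for (_, issuer), (next_subject, _) in zip(received, received[1:])
    )


def classify_chain(received: Sequence[Cert], trusted_roots: Iterable[str]) -> str:
    """Classify a served chain as one of:
    no-certificate, broken-chain, trusted, incomplete-chain, untrusted-root.
    """
    trusted = set(trusted_roots)
    if not received:
        return "no-certificate"
    if not chain_links(received):
        return "broken-chain"  # served certs do not form one issuer path
    top_subject, top_issuer = received[-1]
    if top_subject in trusted or top_issuer in trusted:
        return "trusted"  # chain reaches a store root, served or not
    depth = len(received)
    if top_subject == top_issuer:
        # The server sent a self-signed cert the store does not know.
        # This also covers a self-signed leaf, which the depth<2 rule
        # alone would misreport as an incomplete chain.
        return "untrusted-root"
    if depth < 2:
        # Only the leaf was served and its issuer is not a store root:
        # the intermediate(s) are missing.
        return "incomplete-chain"
    # depth >= 2 and the top served cert is an intermediate whose issuer
    # is unknown. Roots are normally not served, so per the heuristic this
    # is most likely a private/untrusted root; it could also be a missing
    # higher intermediate, which name matching alone cannot tell apart.
    return "untrusted-root"


# Constructed sample chains, leaf first.
PUBLIC_COMPLETE = [("www.example.gov", "Example Intermediate CA"),
                   ("Example Intermediate CA", "Example Root CA")]
MISSING_INTERMEDIATE = [("www.example.gov", "Example Intermediate CA")]
PRIVATE_CA = [("intranet.example.gov", "Agency Issuing CA"),
              ("Agency Issuing CA", "Agency Root CA")]
SELF_SIGNED = [("dev.example.gov", "dev.example.gov")]

if __name__ == "__main__":
    for name, chain in [("complete", PUBLIC_COMPLETE),
                        ("missing intermediate", MISSING_INTERMEDIATE),
                        ("private CA", PRIVATE_CA),
                        ("self-signed", SELF_SIGNED)]:
        print(f"{name:>20}: {classify_chain(chain, TRUSTED_ROOTS)}")
```

The ambiguity noted in the last branch is the real limit of a depth-only rule: a two-deep chain whose top issuer is unknown looks the same whether the operator uses a private root or simply forgot to serve a second intermediate. Resolving that needs the issuer looked up against a fuller CA list (or AIA fetching), which is the kind of data the sslyze Python API exposes and the STDOUT summary does not.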

konklone commented 7 years ago

This remains a great idea, if we can somehow distinguish those things. I think it means going beyond sslyze's STDOUT output and digging into the (new) Python API in some way.