
1318 points xvector | 1 comments
needle0 ◴[] No.19823806[source]
I’ll still keep using Firefox since I recognize the importance of browser diversity and the hazards of a Chrome monoculture (that and vertical tabs), but, yikes.

Still, this type of oversight seems all too common even in large companies. I remember several cases from Fortune 500 companies in the past few years alone. What would be a good way to automate checking for them? Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

1. rixed ◴[] No.19824927[source]
> Has anyone developed a tool designed specifically to avoid certificate expiry disasters?

Not perfect, but I've added a TLS certificate extraction tool into a DPI that displays all visible certificates ordered by expiry date.

One could then mirror all one's site traffic to it and let it run in the background. Coupled with some alerting tool it would catch most of those cases I guess.

I could polish the tool a bit more if there is some interest, but anyone could do it as well.

See

https://github.com/rixed/junkie

and more specifically the plugin called 'sslogram'.
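
The approach described in the comment above (list every certificate seen, ordered by expiry, and alert on the near ones) is sketched below as an added example; it is not code from junkie or its sslogram plugin. It assumes the certificates are already available as DER bytes, and `sample_cert`, `SAMPLES` and the `.example` labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) in the RFC 5280 profile."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ, where YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("validity field is not a time type")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def not_after(cert_der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0         # v1 certificates omit the [0] version field
    for _skip in range(3):                  # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    tag, validity, _ = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    _, _, end_pos = read_tlv(validity, 0)   # step over notBefore
    return parse_time(*read_tlv(validity, end_pos)[:2])

def expiry_report(certs, now, warn=timedelta(days=30)):
    """certs maps a label to DER bytes; rows come back soonest expiry first."""
    rows = [(not_after(der), label) for label, der in certs.items()]
    return [(end, label, "EXPIRED" if end <= now else "EXPIRING" if end - now <= warn else "ok")
            for end, label in sorted(rows)]

def sample_cert(end, tag=0x17):
    """Constructed, unsigned DER skeleton holding only the fields the walker reads."""
    tlv = lambda t, body=b"": bytes([t, len(body)]) + body
    validity = tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(tag, end.encode()))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) + tlv(0x30) + validity
    return tlv(0x30, tlv(0x30, tbs))

SAMPLES = {"expired.example": sample_cert("190501000000Z"),
           "soon.example": sample_cert("190520000000Z"),
           "far.example": sample_cert("20500101000000Z", tag=0x18)}  # 2050+ is GeneralizedTime
```

Feeding `expiry_report` from an alerting job only needs the "EXPIRED" and "EXPIRING" rows; the sort order keeps the most urgent certificate first.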