servercert
list
servercert | list | |
---|---|---|
10 | 53 | |
163 | 2,136 | |
1.8% | 3.9% | |
6.3 | 9.6 | |
16 days ago | 5 days ago | |
CSS | Go | |
- | Mozilla Public License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
servercert
- SSL certificate lifetimes are going down. Dates proposed. 45 days by 2027
- CA/Browser Forum SC-081: Introduce Schedule of Reducing Validity Periods
- WebPKI – Introduce Schedule of Reducing Validity (Of TLS Server Certificates)
- We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI
The current CAB Forum Baseline Requirements call for "Multi-Perspective Issuance Corroboration" [1] i.e. make sure the DNS or HTTP challenge looks the same from several different data centres in different countries.
[1] https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
- DigiCert Revocation Incident (Cname Domain Validation)
There's no prohibition against issuing certificates for names on the Public Suffix List.
BR 3.2.2.6 prohibits issuing a wildcard certificate for an entire public suffix unless the "Applicant proves its rightful control of the entire Domain Namespace" (without specifying how this should be done - arguably, publishing a DNS record would qualify) but also says that CAs should use the "ICANN DOMAINS" section of the PSL only, not the "PRIVATE DOMAINS" section, so domains for dynamic DNS providers and the like wouldn't be included in any case. [https://github.com/cabforum/servercert/blob/main/docs/BR.md#...]
- All I Know About Certificates – Certificate Authority
That's because some people came along and produced a parallel standard [1] adding loads more rules, clarifications and constraints to convert X509 into something approximately fit for purpose.
[1] https://github.com/cabforum/servercert
- Does my site need HTTPS?
This is permitted: https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
But it hasn't really caught on; a lot of registrars don't seem to want the complexity of being (or integrating with) a CA, and vice versa.
- Let's Encrypt: Issue with TLS-ALPN-01 Validation Method
It is unfortunate. It's required: https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
- MarkMonitor left 60k domains for the taking
No, they don't have to MitM the CA's domain validation request. While they have brief control over the website, they use domain validation method 3.2.2.4.18 (Agreed-Upon Change to Website v2)[1] or 3.2.2.4.19 (Agreed-Upon Change to Website - ACME)[2] to legitimately complete domain validation by making a change to the website.
[1] https://github.com/cabforum/servercert/blob/cda0f92ee70121fd...
- A safer default for navigation: HTTPS
list
- uBlock Origin supports filtering CNAME cloaking sites on Firefox now
...Unless you're savvy. Thank goodness for the availability of https://publicsuffix.org/ (as long as you only use your main domain and don't need to share cookies with your own subdomains), and the includeSubDomains directive to HSTS! But - if you already set this up, you probably are savvy enough to avoid the problems created (or your provider is)
- Public Suffix List
In addition to the fact that .gov.uk and .ac.uk do exist in this list, which has two logical sections where the first section is for official TLDs and the second section is for custom domains, the PSL is effectively being used for additional origin protection: foo.gov.uk and bar.gov.uk should have separate origins because, of course, they can be, and normally are, operated by different entities. So as long as such things can happen, public registration is not really mandatory for being included in the PSL. (One particular exception is a generated domain for all possible IP addresses [1], which technically benefits from the inclusion, but the maintainers don't want to endorse such unsafe services.)
[1] https://github.com/publicsuffix/list/wiki/Guidelines#validat...
- We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI
> if a user uploaded something like an html file, you wouldn't want it to be able to run javascript on google.com (because then you can steal cookies and do bad stuff)
Cookies are the only problem here, as far as I know, everything else should be sequestered by origin, which includes the full domain name. Cookies predate the same-origin policy and so browsers scope them using their best guess at what the topmost single-owner domain name is, using—I kid you not—a compiled-in list[1]. (It’s as terrifying as it sounds.)
[1] https://publicsuffix.org/
- SSL Certificate Pinning in Flutter
Let’s start with the endmost certificates. They are usually bound to a given top-level domain (or more precisely — the public suffix). For example, a certificate may be issued to www.thedroidsonroids.com. It may also be a wildcard applicable to any subdomain (like *.thedroidsonroids.com).
- ICANN's list of abandoned vanity TLDs, which now has about 134 entries
I assume you’re using Mozilla’s public suffix list? https://publicsuffix.org/
We have something similar that keeps it updated on a regular basis as well. We used to wait until someone complained, but it changes so often it’s the only reasonable way to deal with it.
- Universities Lost the Internet
perfect use case for the public suffix list (https://github.com/publicsuffix/list)
- How I Accidentally Made My Link Shortener into a Malware Honeypot
I just made up `blogger.com` as an example. I probably could have picked a better one. `blogspot.com` & its many TLD variations are on the list.
It looks like the repo where the list is maintained [1] is pretty active. YMMV, I'm not a maintainer or anything..
[1] https://github.com/publicsuffix/list
- The Public Suffix List
- Ask HN: How does HN determine the site that a submission belongs to?
There's the Public Suffix List https://publicsuffix.org/ but it's limited to domain names, so your github.com/rails example isn't covered. I'm pretty sure HN simply has a manually coded list of URL patterns for popular domains.
What are some alternatives?
cert-gen - Generate CA and self-signed SSL certificates usable in your browser for local development.
fingerprintjs - The most advanced browser fingerprinting library.
acme-dns - Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
atrium - Rust libraries for Bluesky's AT Protocol services.
devcert-cli - A CLI wrapper for devcert, to manage development SSL/TLS certificates and domains
sansio-tld-parser - A top level domain parser with no builtin io.
devcert - Local HTTPS development made easy
chromium - The official GitHub mirror of the Chromium source
pykka - 🌀 Pykka makes it easier to build concurrent Python applications.
nix-tests - A scratchpad for small experimental things I am doing with Nix.
duckduckgo-locales - Translation files for https://duckduckgo.com
psl-problems