[Emerging-Sigs] Sig for generic fake SSL cert used by Trojan campaign

Mike Lococo mikelococo at gmail.com
Tue Oct 19 13:54:53 EDT 2010


> I read in the September threads that you were considering putting it
> in disabled by default because you didn't want to appear to pick on a
> company.  I would suggest that since malware authors are using these
> sigs, at least moving the default SSL certs to enabled by default
> since I don't think Internet Widgets Pty will mind.

Matt already agreed to enable these by default, but as an aside... it's
worth noting that Internet Widgets Pty won't be offended because it
isn't a real company.  They're just a demo field in the OpenSSL Demo CA
cert.  Discussion about picking on real companies was in relation to
using these sigs to detect certs issued by potentially untrustworthy
real-world Certificate Authorities, similar to what the SSL
Observatory is doing:

https://www.eff.org/observatory

No "untrustworthy CA" sigs were included since there isn't currently any
public evidence of CAs acting in bad faith and there are hundreds of
potential CAs to be suspicious of (and less than 30 in wide use).

Cheers,
Mike Lococo
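
The check discussed in this message, as an added example that is not part of the original post or of the Emerging Threats ruleset: flag certificates whose subject or issuer still carries the demo values from OpenSSL's stock openssl.cnf, which spells the organisation default "Internet Widgits Pty Ltd". The function names and the sample DNs are hypothetical and constructed for illustration.

```python
import re

# Defaults shipped in OpenSSL's stock openssl.cnf (req_distinguished_name).
OPENSSL_DEFAULTS = {"C": "AU", "ST": "Some-State", "O": "Internet Widgits Pty Ltd"}

def parse_dn(dn):
    """Parse '/C=AU/O=...' or 'C=AU, O=...' into {ATTR: value}."""
    sep = "/" if dn.startswith("/") else ","
    attrs, last = {}, None
    for part in re.split(r"(?<!\\)" + re.escape(sep), dn):
        key, eq, value = part.partition("=")
        if eq and re.fullmatch(r"\s*[A-Za-z][A-Za-z0-9.]*\s*", key):
            last = key.strip().upper()
            attrs[last] = value.strip().replace("\\", "")
        elif last and part:
            # Unescaped separator inside a value, e.g. "O=Example, Inc."
            attrs[last] += sep + part.replace("\\", "")
    return attrs

def default_fields(dn):
    """Return the attribute names in dn that still hold an OpenSSL default."""
    attrs = parse_dn(dn)
    return sorted(k for k, v in OPENSSL_DEFAULTS.items() if attrs.get(k) == v)

def assess(subject, issuer):
    # Key on the organisation: C=AU alone is any ordinary Australian certificate.
    if "O" not in default_fields(subject) + default_fields(issuer):
        return "ok"
    if parse_dn(subject) == parse_dn(issuer):
        return "default-openssl-self-issued"
    return "default-openssl-fields"

# Constructed sample (subject, issuer) pairs, not taken from real traffic.
SAMPLES = [
    ("/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd",
     "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"),
    ("C=AU, ST=Victoria, O=Example Pty Ltd, CN=www.example.com.au",
     "C=US, O=Example CA\\, Inc., CN=Example Issuing CA"),
    ("C=US, O=Example, Inc., CN=host.example",
     "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"),
]

def run_samples():
    return [assess(subject, issuer) for subject, issuer in SAMPLES]

if __name__ == "__main__":
    for (subject, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:28} {subject}")
```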

