@jcjones
jcjones / README-Downloading_All_CRLs.md
Last active November 26, 2021 05:33
How to try downloading all CRLs in certificates trusted by the Mozilla Root Program

How to try downloading all CRLs in certificates trusted by the Mozilla Root Program:

Censys.io SQL query to find all CRLs:

SELECT parsed.extensions.crl_distribution_points
   FROM certificates.certificates
WHERE validation.nss.valid = true
  AND parsed.extensions.crl_distribution_points LIKE 'http%'
  AND parsed.validity.end >= '2017-07-18 00:00'
GROUP BY parsed.extensions.crl_distribution_points
Script started on Tue Aug 15 18:54:52 2017
bash-3.2$ wget --recursive --tries 3 --level=1 --force-directories -P downloaded_crls/ --input-file=all_crls.csv --rejected-log=crl-failures.log
--2017-08-15 19:00:34-- http://crl.godaddy.com/gdig2s1-367.crl
Resolving crl.godaddy.com... 72.167.18.237
Connecting to crl.godaddy.com|72.167.18.237|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 58276 (57K) [application/pkix-crl]
import requests, getpass, hashlib
"""
Uses Troy Hunt's HaveIBeenPwned password check API.
https://haveibeenpwned.com/API/v2#PwnedPasswords
"""
rawpass = getpass.getpass().encode('utf-8')
passhash = hashlib.sha1(rawpass).hexdigest()
print("Checking hash: {}".format(passhash))
r = requests.get("https://haveibeenpwned.com/api/pwnedpassword/{}".format(passhash),
#!/bin/bash
#
# Download the current NSS keystore from Mozilla-Central, and import it into
# a Java Keystore (JKS).
#
function ensure_in_path() {
prog=$1
shift
DROP TABLE IF EXISTS `company`;
DROP TABLE IF EXISTS `issuercompany`;
CREATE TABLE IF NOT EXISTS `company` (
`companyID` INT NOT NULL AUTO_INCREMENT,
`companyName` VARCHAR(255) NOT NULL,
PRIMARY KEY (`companyID`));
CREATE TABLE IF NOT EXISTS `issuercompany` (
`companyID` INT NOT NULL,
@jcjones
jcjones / AvgNumberOfNames.sql
Created February 21, 2016 04:49
How many DNS Names are, on average, in each certificate issued by Let's Encrypt?
SELECT
AVG(count)
FROM
(SELECT
c.certID,
(SELECT
COUNT(n.name)
FROM
name AS n
WHERE
@jcjones
jcjones / An Early Look at Let's Encrypt's Impact.md
Last active February 21, 2016 15:39
ct-sql datasets, 2016-02-18
@jcjones
jcjones / letsencrypt-ct-sql-views.sql
Last active February 22, 2016 23:29
Useful views for the ct-sql database
CREATE VIEW `le_certificate` AS
SELECT
`certificate`.`certID` AS `certID`,
`certificate`.`serial` AS `serial`,
`certificate`.`issuerID` AS `issuerID`,
`certificate`.`subject` AS `subject`,
`certificate`.`notBefore` AS `notBefore`,
`certificate`.`notAfter` AS `notAfter`
FROM
`certificate`
@jcjones
jcjones / letsencrypt-renew.sh
Last active October 11, 2016 16:29
Cron script to renew Let's Encrypt certs using the official client
#!/bin/bash
# This is free and unencumbered software released into the public domain.
#
# This script is designed to be run daily by cron. Please run it with randomness in its timing to
# avoid load spikes at Let's Encrypt. One example, running between midnight and 2 AM, would be:
#
# 0 0 * * * sleep $[(RANDOM % 115)+5]m ; /usr/sbin/letsencrypt-renew.sh
#
# If you aren't using Nginx, adjust the startServer and stopServer methods to suit. Also, you could
# use the webroot method.
@jcjones
jcjones / user-agents-2016-01-11.csv
Created January 11, 2016 16:06
User Agents in LE Production, 12 hour period, 11 Jan 2016
user_agent,_approxcount,percentage
Go 1.1 package http,667546,63.69%
-,77436,7.39%
LetsEncryptPythonClient/0.1.1 (Ubuntu 14.04) Authenticator/webroot Installer/none,35653,3.40%
LiveConfig (2.0.1),25291,2.41%
Go-http-client/1.1,24507,2.34%
acme-python,22750,2.17%
LetsEncryptPythonClient/0.1.1 (Ubuntu 15.10) Authenticator/webroot Installer/none,15648,1.49%
LetsEncryptPythonClient/0.1.1 (debian 7.9) Authenticator/webroot Installer/none,14265,1.36%
LetsEncryptPythonClient/0.1.1 (Ubuntu 12.04) Authenticator/webroot Installer/none,12466,1.19%