podupti.me statistics for Diaspora

Posted 10-21-2013 at 12:24 PM by sag47
Updated 10-21-2013 at 02:59 PM by sag47

If you've not heard of Diaspora I recommend you check it out.


Today I was playing with SSL statistics for podupti.me, which is a list of publicly hosted Diaspora pods. After viewing their page source I found that I could query their API to pull domain names. This was more of a personal scripting exercise than anything. I'm sharing the results with you, the reader.

Getting secure host names

I basically ran Python code like the following...

Code:
import json
import urllib2  # Python 2; the API serves JSON over plain HTTP

# Pull the pod list from the podupti.me JSON API
pods=urllib2.urlopen("http://podupti.me/api.php?format=json&key=4r45tg")
pod_data=json.load(pods)
for x in pod_data['pods']:
  # the API reports "secure" as the string 'true', not a boolean
  if x['secure'] == 'true':
    print x['domain']

From there I assumed that if a pod was deemed secure it would be listening on port 443. I created a text file called "pods" and placed the full list of domain names in there. For some reason one of the servers marked as secure in the API was not actually secure: nmap showed that it only listened on port 80, and openssl verified that there was no certificate negotiation on port 80.

In total, if you don't count the false positive, there are currently 72 out of 94 Diaspora pods running with encrypted transport (https). That's fairly impressive. Let's see if we can garner some general certificate info about the secure pods.

Gathering certificate information
I used the following script to gather certificate information in the general format "hostname|Issuer|Key Length". It was originally a one-liner, which I've indented for readability below.

Code:
# Read one host name per line from "pods"; write "hostname|Issuer|Key Length" to pod_issuers
while read x; do
  echo -n "$x|"
  # -servername sends SNI so virtual hosts present the right certificate;
  # </dev/null ends the s_client session right after the handshake
  openssl s_client -servername "$x" -connect "$x:443" </dev/null 2>/dev/null | openssl x509 -noout -text | awk '
    $1 == "Issuer:" {
      sub(/^ +Issuer: /,"",$0);
      issuer=$0
    };
    $1 == "Public-Key:" {
      sub(/^ +Public-Key: \(/,"",$0);
      sub(/\)$/,"",$0);
      keylength=$0
    };
    END{
      print issuer"|"keylength
    }'
done < pods > pod_issuers

Analyzing certificate stats

Public Key Length
Script:
Code:
cut -d\| -f3 pod_issuers | awk '{if($1 == "2048") i++;if($1 == "4096") j++};END{print "2048="i,"4096="j}'
Results:
Code:
2048=51 4096=21

Out of 72 secure Diaspora pods in podupti.me there are 51 2048-bit keys and 21 4096-bit keys.

Issuers

Here's a unique list of issuers among the community (one per line).

Script:
Code:
cut -d\| -f2 pod_issuers | sort -u
Results:
Code:
C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=PositiveSSL CA 2
C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Extended Validation Server CA
C=NL, O=TERENA, CN=TERENA SSL CA
C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
C=US, O=GeoTrust, Inc., CN=RapidSSL CA
C=US, O=Thawte, Inc., OU=Domain Validated SSL, CN=Thawte DV SSL CA
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
O=AlphaSSL, CN=AlphaSSL CA - G2

Issuers by popularity

Of that unique list, here's how many servers each CA has issued a certificate to. The CAs are one per line, and the first number is the number of servers holding a certificate issued by that CA.
Script:
Code:
awk 'BEGIN{FS="|"}{a[$2]++}END{for(x in a) print a[x],x}' pod_issuers | sort -nr
Results:
Code:
48 C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
6 C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
6 C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=PositiveSSL CA 2
3 C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
2 C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287
2 C=US, O=GeoTrust, Inc., CN=RapidSSL CA
1 O=AlphaSSL, CN=AlphaSSL CA - G2
1 C=US, O=Thawte, Inc., OU=Domain Validated SSL, CN=Thawte DV SSL CA
1 C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
1 C=NL, O=TERENA, CN=TERENA SSL CA
1 C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Extended Validation Server CA

By far the most popular certificate issued is the StartCom Class 1 certificate (issued to 48 servers; more than half!). That makes sense because a pod admin need only verify ownership of their email address and the domain name in order to be issued StartCom Class 1 certificates free of charge. If you can think of some other way I can analyze these certificates feel free to post a comment and I'll update this blog post!
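As an added example (not the blog's own code), here is the same pipeline redone in Python 3, serving three passages at once: the awk parser that extracts Issuer and Public-Key from `openssl x509 -text` output, the two cut/awk aggregations (key length histogram and issuers by popularity), and the false positive found earlier, where a pod marked secure in the API returned no certificate on 443. Instead of producing a bare "host||" row and silently miscounting it, the record keeps the missing fields as None and a separate function lists such hosts. The file name pod_certs.py, all function names and the sample data are this example's own; probe_host needs the openssl binary in PATH and Python 3.7+ (for subprocess capture_output), while the parsing and counting functions run offline on the constructed samples.

```python
"""Added example: the blog's openssl/awk pipeline redone in Python 3 (3.7+),
with the host-that-never-handshakes case kept visible instead of silently
producing a 'host||' row. Not the original post's code; function names and the
sample data below are this example's own."""
import re
import subprocess
from collections import Counter

# Constructed sample of `openssl x509 -text` output, trimmed to the lines the
# blog's awk script keys on (indentation matches OpenSSL's text dumper).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
        Subject: CN=pod-a.example.invalid
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

# Constructed sample of the blog's pod_issuers file: hostname|Issuer|Key Length.
# The last host stands in for the pod that was marked secure but had no TLS on 443.
SAMPLE_RECORDS = [
    "pod-a.example.invalid|C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA|2048 bit",
    "pod-b.example.invalid|C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA|4096 bit",
    "pod-c.example.invalid|C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA|2048 bit",
    "pod-d.example.invalid||",
]

ISSUER_RE = re.compile(r"^\s*Issuer: (.*)$", re.MULTILINE)
KEYLEN_RE = re.compile(r"^\s*Public-Key: \((\d+) bit\)", re.MULTILINE)


def parse_x509_text(text):
    """Return (issuer, key_bits) from `openssl x509 -text` output; a missing
    field comes back as None (e.g. the host never completed a TLS handshake)."""
    issuer = ISSUER_RE.search(text)
    keylen = KEYLEN_RE.search(text)
    return (issuer.group(1).strip() if issuer else None,
            int(keylen.group(1)) if keylen else None)


def probe_host(host, port=443, timeout=15):
    """Live probe (needs the openssl binary): the blog's s_client | x509 pipe,
    with parse_x509_text in place of awk. Returns one 'host|issuer|bits' line."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", "%s:%d" % (host, port)],
        input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True, timeout=timeout)
    issuer, bits = parse_x509_text(x509.stdout.decode("utf-8", "replace"))
    return "%s|%s|%s" % (host, issuer or "", "%d bit" % bits if bits else "")


def load_records(lines):
    """Parse 'hostname|Issuer|Key Length' lines. The issuer DN is joined back
    from the middle fields so a '|' inside it cannot shift the key-length column."""
    records = []
    for line in lines:
        parts = line.rstrip("\n").split("|")
        if len(parts) < 3:
            continue  # blank or truncated line
        host, issuer, keylen = parts[0], "|".join(parts[1:-1]), parts[-1].split()
        bits = int(keylen[0]) if keylen and keylen[0].isdigit() else None
        records.append({"host": host, "issuer": issuer or None, "bits": bits})
    return records


def key_length_histogram(records):
    """Like the blog's cut | awk count, but for every key length present."""
    return Counter(r["bits"] for r in records if r["bits"] is not None)


def issuers_by_popularity(records):
    """Like the blog's awk array count, most common issuer first."""
    return Counter(r["issuer"] for r in records if r["issuer"]).most_common()


def no_certificate(records):
    """Hosts the API called secure that returned no certificate: the false
    positive the blog found with nmap, surfaced by the data itself."""
    return [r["host"] for r in records if r["issuer"] is None]


if __name__ == "__main__":
    import sys
    # Usage: python3 pod_certs.py < pods   (one host name per line, as in the blog)
    records = load_records(probe_host(h.strip()) for h in sys.stdin if h.strip())
    print("key lengths:", dict(key_length_histogram(records)))
    for issuer, count in issuers_by_popularity(records):
        print(count, issuer)
    print("marked secure but no certificate on 443:", no_certificate(records))
```

Run against the blog's "pods" file, the output lists every key length seen (not just 2048 and 4096), the issuer counts in descending order, and any host that should not be counted among the secure pods at all.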

SAM