From cd2bb429fc2f4060a33ec8eb8b71a3eb12e9ba93 Mon Sep 17 00:00:00 2001 From: Andrew Ayer Date: Sun, 15 Jan 2023 16:07:08 -0500 Subject: [PATCH] Remove $CERT_TYPE environment variable for -script Since first writing certspotter, I have witnessed many people misunderstand precertificates, and do very bad things like ignore precertificates under the invalid rationale that "precertificates are not trusted by browsers." While it's true that precertificates themselves are not trusted by browsers, a precertificate implies the existence of a corresponding certificate that IS trusted by browsers, and there is NO guarantee that this certificate will ever be logged to CT. (Sectigo and Let's Encrypt do log certificates but it's on a best-effort basis and I don't know of any other CAs that do so.) Therefore, if you ignore precertificates you WILL fail to be alerted about potential security threats. While some PKI/CT researchers may care about the distinction between certificates and precertificates, certspotter's primary purpose is to help domain owners monitor their domains for misissued certificates. Since there is no need to distinguish between certificates and precertificates for that use case, I am removing $CERT_TYPE to prevent people from shooting themselves in the foot. Those who do have a valid use case for distinguishing between certificates and precertificates can always parse $CERT_FILE themselves. --- helpers.go | 1 - 1 file changed, 1 deletion(-) diff --git a/helpers.go b/helpers.go index 9f7c479..ceb491a 100644 --- a/helpers.go +++ b/helpers.go @@ -285,7 +285,6 @@ func yesnoString(value bool) string { func (info *EntryInfo) Environ() []string { env := []string{ "FINGERPRINT=" + info.Fingerprint(), - "CERT_TYPE=" + info.typeString(), "CERT_PARSEABLE=" + yesnoString(info.ParseError == nil), "LOG_URI=" + info.LogUri, "ENTRY_INDEX=" + strconv.FormatInt(info.Entry.Index, 10),
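Review bot: Dropping `"CERT_TYPE=" + info.typeString(),` from `Environ()` is a backwards-incompatible change for any existing `-script` hook that reads $CERT_TYPE, and the diffstat shows only helpers.go changing, so nothing on the user-facing side records the removal; wherever the `-script` environment variables are documented (man page, README or changelog), that should be updated in the same commit so operators do not silently lose a variable their scripts depend on. Also, if this was the only caller of `info.typeString()`, that method is now dead code and should be removed (or `go vet`/`staticcheck` run to confirm). The rationale in the commit message is sound from a monitoring standpoint: a precertificate is evidence that a trusted certificate exists, so filtering on this variable would have dropped real alerts.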