Remove $CERT_TYPE environment variable for -script

Since first writing certspotter, I have witnessed many people
misunderstand precertificates, and do very bad things like ignore
precertificates under the invalid rationale that "precertificates
are not trusted by browsers."  While it's true that precertificates
themselves are not trusted by browsers, a precertificate implies the
existence of a corresponding certificate that IS trusted by browsers,
and there is NO guarantee that this certificate will ever be logged to CT.
(Sectigo and Let's Encrypt do log certificates but it's on a best-effort
basis and I don't know of any other CAs that do so.)  Therefore, if
you ignore precertificates you WILL fail to be alerted about potential
security threats.

While some PKI/CT researchers may care about the distinction between
certificates and precertificates, certspotter's primary purpose is to
help domain owners monitor their domains for misissued certificates.
Since there is no need to distinguish between certificates and
precertificates for that use case, I am removing $CERT_TYPE to prevent
people from shooting themselves in the foot.  Those who do have a valid
use case for distinguishing between certificates and precertificates
can always parse $CERT_FILE themselves.
This commit is contained in:
Andrew Ayer 2023-01-15 16:07:08 -05:00
parent 33ebbdfd07
commit cd2bb429fc
1 changed files with 0 additions and 1 deletions

View File

@ -285,7 +285,6 @@ func yesnoString(value bool) string {
func (info *EntryInfo) Environ() []string { func (info *EntryInfo) Environ() []string {
env := []string{ env := []string{
"FINGERPRINT=" + info.Fingerprint(), "FINGERPRINT=" + info.Fingerprint(),
"CERT_TYPE=" + info.typeString(),
"CERT_PARSEABLE=" + yesnoString(info.ParseError == nil), "CERT_PARSEABLE=" + yesnoString(info.ParseError == nil),
"LOG_URI=" + info.LogUri, "LOG_URI=" + info.LogUri,
"ENTRY_INDEX=" + strconv.FormatInt(info.Entry.Index, 10), "ENTRY_INDEX=" + strconv.FormatInt(info.Entry.Index, 10),