Remove $CERT_TYPE environment variable for -script
Since first writing certspotter, I have witnessed many people misunderstand precertificates, and do very bad things like ignore precertificates under the invalid rationale that "precertificates are not trusted by browsers." While it's true that precertificates themselves are not trusted by browsers, a precertificate implies the existence of a corresponding certificate that IS trusted by browsers, and there is NO guarantee that this certificate will ever be logged to CT. (Sectigo and Let's Encrypt do log certificates but it's on a best-effort basis and I don't know of any other CAs that do so.) Therefore, if you ignore precertificates you WILL fail to be alerted about potential security threats. While some PKI/CT researchers may care about the distinction between certificates and precertificates, certspotter's primary purpose is to help domain owners monitor their domains for misissued certificates. Since there is no need to distinguish between certificates and precertificates for that use case, I am removing $CERT_TYPE to prevent people from shooting themselves in the foot. Those who do have a valid use case for distinguishing between certificates and precertificates can always parse $CERT_FILE themselves.
This commit is contained in:
parent
33ebbdfd07
commit
cd2bb429fc
|
@ -285,7 +285,6 @@ func yesnoString(value bool) string {
|
||||||
func (info *EntryInfo) Environ() []string {
|
func (info *EntryInfo) Environ() []string {
|
||||||
env := []string{
|
env := []string{
|
||||||
"FINGERPRINT=" + info.Fingerprint(),
|
"FINGERPRINT=" + info.Fingerprint(),
|
||||||
"CERT_TYPE=" + info.typeString(),
|
|
||||||
"CERT_PARSEABLE=" + yesnoString(info.ParseError == nil),
|
"CERT_PARSEABLE=" + yesnoString(info.ParseError == nil),
|
||||||
"LOG_URI=" + info.LogUri,
|
"LOG_URI=" + info.LogUri,
|
||||||
"ENTRY_INDEX=" + strconv.FormatInt(info.Entry.Index, 10),
|
"ENTRY_INDEX=" + strconv.FormatInt(info.Entry.Index, 10),
|
||||||
|
|
Loading…
Reference in New Issue