On Tue, May 10, 2016 at 06:18:14AM +0000, Peter Palfrader wrote:
On Mon, 09 May 2016, Paul Syverson wrote:
Thanks Juha. This is useful.
I wonder why http://api.ctwatch.net/domain/onion seems to miss so many of these.
I looked at a small subset of this long list, but I didn't find any services that actually had a valid cert with the .onion as a SAN.
Yes. Juha sent a list of all the onionsites using https that he knew about. Many of those are self-signed. But several _do_ have a .onion SAN in an EV cert and aren't listed. For example, the ProPublica site he mentioned and the Intercept SecureDrop site that Runa mentioned. I found others, so something is still surprising here. I wonder if this is worth reporting to the CT folk, and if so how.
aloha, Paul