_Footer.md
... ...
@@ -1 +1 @@
1
-Hosted by: [mortzu](mailto:[email protected]), [xuu](mailto:[email protected]) | Accessible via: [Internet](https://dn42.net/), [dn42](https://internal.dn42), [tor](http://jsptropkiix3ki5u.onion), [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/)
... ...
\ No newline at end of file
0
+Hosted by: [mortzu](mailto:[email protected]), [xuu](mailto:[email protected]) | Accessible via: [dn42](http://internal.dn42), [tor](http://jsptropkiix3ki5u.onion), [i2p](http://beb6v2i4jevo72vvnx6segsk4zv3pu3prbwcfuta3bzrcv7boy2q.b32.i2p/)
... ...
\ No newline at end of file
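Review bot: the dn42 link in the added line changes scheme from `https://internal.dn42` to `http://internal.dn42`, which sends dn42 readers to the plaintext endpoint while the tor and i2p entries are unchanged; unless the HTTPS listener is being retired, keep `[dn42](https://internal.dn42)`. The same line also drops the `[Internet](https://dn42.net/)` entry, which deserves a word in the commit message, and the file still ends without a trailing newline.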
services/Certificate-Authority.md
... ...
@@ -50,18 +50,18 @@ which will show among other things:
50 50
51 51
The following sites have been set up to demonstrate the CA failing to sign arbitrary domains:
52 52
53
-* [badkey.sour.is](https://badkey.sour.is)
54
-* [badkey.xuu.me](https://badkey.xuu.me)
55
-* [badkey.xuu.dn42](https://badkey.xuu.dn42)
53
+* [badkey.sour.is](https://badkey.sour.is) - Host is in HSTS preload with key pinning. The browser should fail because the keypin does not match.
54
+* [badkey.xuu.me](https://badkey.xuu.me) - Hostname is outside of domain allowed list.
55
+* [badkey.internal.dn42](https://badkey.internal.dn42) - Valid hostname and keypinned. But certificate contains bad subject alternate names.
56 56
57 57
They all use the same certificate, that should be regarded invalid by whatever software you use because of
58 58
```
59
+ Subject: CN=badkey.sour.is
60
+[...]
59 61
X509v3 Subject Alternative Name:
60
- DNS:badkey.internal.dn42, DNS:badkey.sour.is, DNS:badkey.xuu.me, DNS:google.com, DNS:*.com, DNS:*.*
61
-
62
+ DNS:badkey.sour.is, DNS:badkey.xuu.me, DNS:badkey.xuu.dn42, DNS:*
62 63
63 64
```
64
-even though the subject says `CN=badkey.internal.dn42`, which would be allowed.
65 65
66 66
## Importing the certificate
67 67
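Review bot: the third list item and the certificate excerpt disagree on the hostname: the bullet now links `badkey.internal.dn42`, but the new SAN line lists `DNS:badkey.xuu.dn42` and no longer contains `badkey.internal.dn42`, so the host in the bullet is not among the names shown for the certificate that "they all use". Pick one name and use it in both the list and the excerpt. Since the three sites share one certificate, the bad SAN entries apply to each of them, not only the third, so the per-host reasons should say which check is expected to fire first; spelling it "Subject Alternative Name" would also match the X509v3 field in the excerpt. With the sentence after the fence removed, the text no longer says which entry is the offending one (`DNS:*`); a short replacement sentence after the code block would keep the "because of" lead-in from ending on raw output.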