dionaea does https, at least tcp/443 is open and you can establish a tls connection. As you need certificates for ssl, and I felt it was easier to create a self signed certificate during startup than having to mess with openssl to create a self signed certificate, dionaea creates a self signed certificate for ssl services by default.
The EFF decided to grab all https ssl certificates 1), make a torrent and have you play with them.
When the torrent was available, the tracker was down, and for me having a look on the data offered was postponed.
Lately I remembered, downloaded the 4GB torrent, unpacked the file and ended up with ~20G csv.
/tmp/eff/csv-db-files$ ls -alh total 20G 13G ... all-certs.csv 250M ... all-names.csv 3.0G ... certs-seen.csv 3.6G ... valid-certs.csv 74M ... valid-names.csv
The code dionaea uses to create the self signed certificate uses static strings:
X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, (const unsigned char *)"DE", -1, -1, 0); X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, (const unsigned char *)"Nepenthes Development Team", -1, -1, 0); X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, (const unsigned char *)"dionaea.carnivore.it", -1, -1, 0); X509_NAME_add_entry_by_txt(name,"OU", MBSTRING_ASC, (const unsigned char *)"anv", -1, -1, 0);
These static strings are part of the certificates:
openssl s_client -connect HOST:443 < /dev/null | openssl x509 -outform DER | openssl sha1 depth=0 /C=DE/CN=Nepenthes Development Team/O=dionaea.carnivore.it/OU=anv verify error:num=18:self signed certificate verify return:1 depth=0 /C=DE/CN=Nepenthes Development Team/O=dionaea.carnivore.it/OU=anv verify return:1 DONE
Running grep on the CSV showed some dionaea deployments:
grep dionaea /tmp/eff/csv-db-files/all-certs.csv > dionaea.csv
I used python to retrieve the addresses from the csv:
f = open("dionaea.txt","wb") c = csv.reader(open('dionaea.csv', 'rb'), delimiter=',', quotechar='"') for i in c: f.write("%s\n" % (i[12],)) f.close()
And to check if the hosts were still alive, I decided to use the software the EFF used to retrieve all the certificates:
/tmp/eff/ssl-observatory/scan$ ./FasterCertificateGrabber.py -f dionaea.txt ... Got 5 complete and 0 partial certs out of 154
So, of those hosts only 5 were still alive, which is not that surprising as the majority of addresses seemed to be a single deployment in Australia.
While creating self signed certificates on the fly is convenient, it is easy to fingerprint and index.
At the moment there is no way to mitigate this kind of fingerprinting, it would required user generated certificates -or at least random or dictionary strings for the static part of the certificate- and some bits to load user generated certificates instead of generating them on the fly during startup.
