Jacob Hoffman-Andrews jsha

## Comcast STARTTLS incorrect cert chain
$ openssl s_client -starttls smtp -connect mx1.comcast.com:25 -showcerts -CApath /usr/share/ca-certificates/mozilla/
CONNECTED(00000003)
depth=0 C = US, postalCode = 19103, ST = PA, L = Philadelphia, street = 1 Comcast Center, O = Comcast Corporation, OU = Hosted by Comcast Corporation, OU = EliteSSL, CN = mx1.comcast.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, postalCode = 19103, ST = PA, L = Philadelphia, street = 1 Comcast Center, O = Comcast Corporation, OU = Hosted by Comcast Corporation, OU = EliteSSL, CN = mx1.comcast.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, postalCode = 19103, ST = PA, L = Philadelphia, street = 1 Comcast Center, O = Comcast Corporation, OU = Hosted by Comcast Corporation, OU = EliteSSL, CN = mx1.comcast.com
verify error:num=21:unable to verify the first certificate

## Shell recipe for validating git tags
DOMAIN=com.example    # pre-sanitized
POLICY_FILE=policy-files/$DOMAIN.json
git pull
# retrieve all tags on commits that changed $POLICY_FILE
# (with the additional constraint that at least one of the tags on each commit should be
# named like example.com.2014.06.01.serial)
# the git log output looks like: (tag: tagname1, tag: tagname2, headname1, headname2)
TAGS=`git log --pretty=%d | egrep -o "[( ]tag: $DOMAIN[0-9\.]+" | cut -d":" -f 2`

for TAG in $TAGS ; do

## gist:6e88d507132c5e52d35d
var request = require('request');
function go() {
  request('https://api.twitter.com/robots.txt', function (error, response, body) {
    console.log(body);
  })
}
setInterval(go, 1000);

## gist:b1ee4682cfd96fcde15a
# mail.example.com should be one of the results of a `dig +short mx example.com`
# Note that your provider might block all port 25.
# If STARTTLS header is missing or mangled, but https://starttls.info/ shows example.com as supporting STARTTLS,
# there might be a downgrade going on.
(echo EHLO foo ; sleep 3) | nc mail.example.com 25

## gist:cbd20a49a889927d4ee3
if &diff
  set ro
  map n ]czz
  map p [czz
  map q :qa<CR>
  map Q :cquit<CR>
  set t_Co=256
  set background=dark
  colorscheme peaksea
endif

## gist:f25416034b4bd96db7da
https://github.com/EFForg/https-everywhere/pull/1951 disables 744 rulesets. Here are their filenames, without the .xml:

Disabled rulesets that contain a hostname matching the Alex top 1k domains:
Alipay.com
Kohls
Udemy.com
Virtual_News_Center
William-Hill
Yandex.com.tr
Youm7.com

## gist:b12b12ac71f0d6d89e85
--
-- Table structure for table `Actions`
--

DROP TABLE IF EXISTS `Actions`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `Actions` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `source_uid` varchar(20) COLLATE utf8mb4_unicode_ci DEFAULT NULL,

## gist:928a5b3c0ff352a1cd0f
cookie: <div id=cookie> </div>
<? setcookie('c', rand()) ?>
<script type="text/javascript" >
function reqListener () {
console.log(document.cookie);
  document.getElementById('cookie').innerHTML = document.cookie;
}

function fetch() {
  var oReq = new XMLHttpRequest();

## gist:37dcdd3a460bccfd3bd8
MIIE/AoBAKCCBPUwggTxBgkrBgEFBQcwAQEEggTiMIIE3jCBqqADAgEAoSEwHzEdMBsGA1UEAwwU
aGFwcHkgaGFja2VyIGZha2UgQ0EXDTE1MDgwNDE2MTIwMFowcTBvMEowCQYFKw4DAhoFAAQUOeRe
sOOoYcf6Ojlzh2vmH3t9mIYEFPt4TxL5YBWDLJ8XfzQZsy426kGJAhEA/wAAAAAAAAIj8xEIHcyT
V4AB/xcNMTUwODA0MTYwMDAwWqAPFw0xNTA4MDgxNjAwMDBaMA0GCSqGSIb3DQEBCwUAA4IBAQCD
lj3tafEDwvLB1L+UgqnbnjQWnreyGFVOBpgfxZPcCgEFf+uiLMFMj+zpyBlt1jBl2k/TpiSS3Ig7
973tcmTvxRiiTgSAl29AR/M6h/2mWenT/BSqSdP3eTYAxBsd2olO5SXs39w6/GiMDGbHmKS5nckR
f281dmKDKbvgF0ZWuDMJHZcWHsFuVOhyShMLIuuglmMwZgjVTx9m4p2ocPG1P4Di0IVZFpBsGuCN
slh7ASvxzi0qtuwrdDNYvR5rxtxhbY6RhNAM4H/DZNrlWh5vjNzRoTShu8RnjCtKMEJQ+hvVO0sJ
UtrTiFGEf4SD4i5q2dqG9GXY/pNUL1GZRfULoIIDGTCCAxUwggMRMIIB+aADAgECAgkAnPGRLqjV
CQgwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUaGFwcHkgaGFja2VyIGZha2UgQ0EwHhcNMTUw

## revoked-ocsp-bad.txt
MIIFFQoBAKCCBQ4wggUKBgkrBgEFBQcwAQEEggT7MIIE9zCBw6ADAgEAoSEwHzEdMBsGA1UEAwwU
aGFwcHkgaGFja2VyIGZha2UgQ0EYDzIwMTUwODA1MDEwMDAwWjCBhzCBhDBJMAkGBSsOAwIaBQAE
FDnkXrDjqGHH+jo5c4dr5h97fZiGBBT7eE8S+WAVgyyfF380GbMuNupBiQIQAgAAAAAAAuphAwQU
+Gh0+qETMBEYDzIwMTUwODA1MDEwMDAxWhgPMjAxNTA4MDUwMTAwMDBaoBEYDzIwMTUwODA5MDEw
MDAwWjANBgkqhkiG9w0BAQsFAAOCAQEALMijMXaCScLFGUw4AXyrsD05FOJblw9dxDMbmWkedU0D
T8BhrmkMydOEhsRhyjFkX9US/sgyKBby7Myz9nf8uIPXP8MrbV2mfpcLL3GZ3wjChrlDbsJIXmwa
gbEbTpdhHk+REOLL7SPZcvHA0fHp2tux59xUunTmCgGrl/AENfEobtBItMsjlLAjMkLbPXJSeCo3
1jjJ8q8NbELfyXE3RAGxoskuB7FVq/pNcRru3W9eDjzJFdIiAws5tV4S10KhftiocKusWFkPdNOh
UBapEbinFtlSkN5yhVtsCSwupd/geJzyODCaANVhVMb2a3ixhrqV5wIAYylHYTz7c0ys8KCCAxkw
ggMVMIIDETCCAfmgAwIBAgIJAJzxkS6o1QkIMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNVBAMMFGhh
	$ openssl s_client -starttls smtp -connect mx1.comcast.com:25 -showcerts -CApath /usr/share/ca-certificates/mozilla/
	CONNECTED(00000003)
	depth=0 C = US, postalCode = 19103, ST = PA, L = Philadelphia, street = 1 Comcast Center, O = Comcast Corporation, OU = Hosted by Comcast Corporation, OU = EliteSSL, CN = mx1.comcast.com
	verify error:num=20:unable to get local issuer certificate
	verify return:1
	depth=0 C = US, postalCode = 19103, ST = PA, L = Philadelphia, street = 1 Comcast Center, O = Comcast Corporation, OU = Hosted by Comcast Corporation, OU = EliteSSL, CN = mx1.comcast.com
	verify error:num=27:certificate not trusted
	verify return:1
	depth=0 C = US, postalCode = 19103, ST = PA, L = Philadelphia, street = 1 Comcast Center, O = Comcast Corporation, OU = Hosted by Comcast Corporation, OU = EliteSSL, CN = mx1.comcast.com
	verify error:num=21:unable to verify the first certificate
	DOMAIN=com.example # pre-sanitized
	POLICY_FILE=policy-files/$DOMAIN.json
	git pull
	# retrieve all tags on commits that changed $POLICY_FILE
	# (with the additional constraint that at least one of the tags on each commit should be
	# named like example.com.2014.06.01.serial)
	# the git log output looks like: (tag: tagname1, tag: tagname2, headname1, headname2)
	TAGS=`git log --pretty=%d \| egrep -o "[( ]tag: $DOMAIN[0-9\.]+" \| cut -d":" -f 2`

	for TAG in $TAGS ; do
	var request = require('request');
	function go() {
	request('https://api.twitter.com/robots.txt', function (error, response, body) {
	console.log(body);
	})
	}
	setInterval(go, 1000);
	# mail.example.com should be one of the results of a `dig +short mx example.com`
	# Note that your provider might block all port 25.
	# If STARTTLS header is missing or mangled, but https://starttls.info/ shows example.com as supporting STARTTLS,
	# there might be a downgrade going on.
	(echo EHLO foo ; sleep 3) \| nc mail.example.com 25
	if &diff
	set ro
	map n ]czz
	map p [czz
	map q :qa<CR>
	map Q :cquit<CR>
	set t_Co=256
	set background=dark
	colorscheme peaksea
	endif
	https://github.com/EFForg/https-everywhere/pull/1951 disables 744 rulesets. Here are their filenames, without the .xml:

	Disabled rulesets that contain a hostname matching the Alex top 1k domains:
	Alipay.com
	Kohls
	Udemy.com
	Virtual_News_Center
	William-Hill
	Yandex.com.tr
	Youm7.com
	--
	-- Table structure for table `Actions`
	--

	DROP TABLE IF EXISTS `Actions`;
	/!40101 SET @saved_cs_client = @@character_set_client /;
	/!40101 SET character_set_client = utf8 /;
	CREATE TABLE `Actions` (
	`id` int(11) NOT NULL AUTO_INCREMENT,
	`source_uid` varchar(20) COLLATE utf8mb4_unicode_ci DEFAULT NULL,
	cookie: <div id=cookie> </div>
	<? setcookie('c', rand()) ?>
	<script type="text/javascript" >
	function reqListener () {
	console.log(document.cookie);
	document.getElementById('cookie').innerHTML = document.cookie;
	}

	function fetch() {
	var oReq = new XMLHttpRequest();
	MIIE/AoBAKCCBPUwggTxBgkrBgEFBQcwAQEEggTiMIIE3jCBqqADAgEAoSEwHzEdMBsGA1UEAwwU
	aGFwcHkgaGFja2VyIGZha2UgQ0EXDTE1MDgwNDE2MTIwMFowcTBvMEowCQYFKw4DAhoFAAQUOeRe
	sOOoYcf6Ojlzh2vmH3t9mIYEFPt4TxL5YBWDLJ8XfzQZsy426kGJAhEA/wAAAAAAAAIj8xEIHcyT
	V4AB/xcNMTUwODA0MTYwMDAwWqAPFw0xNTA4MDgxNjAwMDBaMA0GCSqGSIb3DQEBCwUAA4IBAQCD
	lj3tafEDwvLB1L+UgqnbnjQWnreyGFVOBpgfxZPcCgEFf+uiLMFMj+zpyBlt1jBl2k/TpiSS3Ig7
	973tcmTvxRiiTgSAl29AR/M6h/2mWenT/BSqSdP3eTYAxBsd2olO5SXs39w6/GiMDGbHmKS5nckR
	f281dmKDKbvgF0ZWuDMJHZcWHsFuVOhyShMLIuuglmMwZgjVTx9m4p2ocPG1P4Di0IVZFpBsGuCN
	slh7ASvxzi0qtuwrdDNYvR5rxtxhbY6RhNAM4H/DZNrlWh5vjNzRoTShu8RnjCtKMEJQ+hvVO0sJ
	UtrTiFGEf4SD4i5q2dqG9GXY/pNUL1GZRfULoIIDGTCCAxUwggMRMIIB+aADAgECAgkAnPGRLqjV
	CQgwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUaGFwcHkgaGFja2VyIGZha2UgQ0EwHhcNMTUw
	MIIFFQoBAKCCBQ4wggUKBgkrBgEFBQcwAQEEggT7MIIE9zCBw6ADAgEAoSEwHzEdMBsGA1UEAwwU
	aGFwcHkgaGFja2VyIGZha2UgQ0EYDzIwMTUwODA1MDEwMDAwWjCBhzCBhDBJMAkGBSsOAwIaBQAE
	FDnkXrDjqGHH+jo5c4dr5h97fZiGBBT7eE8S+WAVgyyfF380GbMuNupBiQIQAgAAAAAAAuphAwQU
	+Gh0+qETMBEYDzIwMTUwODA1MDEwMDAxWhgPMjAxNTA4MDUwMTAwMDBaoBEYDzIwMTUwODA5MDEw
	MDAwWjANBgkqhkiG9w0BAQsFAAOCAQEALMijMXaCScLFGUw4AXyrsD05FOJblw9dxDMbmWkedU0D
	T8BhrmkMydOEhsRhyjFkX9US/sgyKBby7Myz9nf8uIPXP8MrbV2mfpcLL3GZ3wjChrlDbsJIXmwa
	gbEbTpdhHk+REOLL7SPZcvHA0fHp2tux59xUunTmCgGrl/AENfEobtBItMsjlLAjMkLbPXJSeCo3
	1jjJ8q8NbELfyXE3RAGxoskuB7FVq/pNcRru3W9eDjzJFdIiAws5tV4S10KhftiocKusWFkPdNOh
	UBapEbinFtlSkN5yhVtsCSwupd/geJzyODCaANVhVMb2a3ixhrqV5wIAYylHYTz7c0ys8KCCAxkw
	ggMVMIIDETCCAfmgAwIBAgIJAJzxkS6o1QkIMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNVBAMMFGhh