Nmap Development mailing list archives

Re: [nse] ssl-cert: add support for Google Certificate Catalog


From: Fyodor <fyodor () insecure org>
Date: Sat, 10 Sep 2011 11:41:23 -0700

On Sat, Sep 10, 2011 at 09:27:41PM +0400, Vasiliy Kulikov wrote:
> Hi,
>
> The patch introduces support for Google Certificate Catalog:

Thanks Vasiliy.  This is a neat new Google feature that I hadn't heard
of.  Regarding your patch, I have a few suggestions:

o Overloading nmap.verbosity to enable this feature is problematic.
  It means that if users want to disable this Google DNS query
  feature, they need to give up on -v for their whole scan.  Instead
  there should probably be a separate NSE arg for enabling this
  functionality.  The default should probably be disabled.
  Alternatively, it could be moved into its own script.  In that case,
  you might be able to depend on ssl-cert and have ssl-cert cache the
  certificate so you don't need to retrieve it again in cases where
  ssl-cert has already done so.

o The nsedoc will need to be updated to note the new functionality.

o Normally, scripts which query 3rd parties need to go into the
  "external" category and are ineligible for the "default" category.
  But I don't think "external" is required as long as this is an
  optional feature which is only done if the user specifies a
  particular nsearg, and as long as that argument documentation
  clearly specifies that we are querying a Google DNS server.

Cheers,
Fyodor
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/