By Benjamin W. Broersma, developer in the team of Open State Foundation since July 2018.
With Pulse we monitor the state of HTTPS in the public sector. In the last update of August there were no big changes. Yesterday, however, I got an SSL error when visiting sidn.nl and beta.overheid.nl (SIDN changed their certificate a few hours after notification). This is due to changes in Chrome and Firefox, which will both distrust Symantec SSL certificates over the next weeks (including the brand names GeoTrust, RapidSSL and thawte). This decision was announced long in advance and has not yet made big headlines, in contrast with the DigiNotar incident, although this time it concerns a far larger player in the market.
The code
Following these SSL errors I wondered how many public sector HTTPS websites were still using old Symantec SSL certificates. Using the domain name lists of Pulse, it’s easy to make a (poor-man’s Pulse) quick scan:
# needed packages: curl jq python3-csvkit openssl
# The hostname reaches bash as $1 instead of being pasted into the command string,
# so an unexpected value in the CSV is never parsed as shell code.
curl -sSf 'https://pulse.openstate.eu/data/domains/https.csv' \
  | csvjson \
  | jq -r '.[].URL | select(.[0:8]=="https://") | .[8:]' \
  | xargs -P 20 -I% bash -c 'echo | timeout 5 openssl s_client -connect "$1" -servername "$1" -port 443 2>/dev/null | grep -E "^issuer=.*/O=(GeoTrust|thawte|Symantec)" | sed "s/^/$1\t/"' _ %
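The grep in the one-liner matches the slash-separated issuer line that older OpenSSL releases print; OpenSSL 1.1.1 and later print the issuer as `C = US, O = ..., CN = ...`, which `/O=` never matches. The following is an added example, not part of the original post, of a brand check that accepts both forms; the function names, hostnames and issuer lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: brand check for s_client issuer lines in both output styles.
#   older OpenSSL:  issuer=/C=US/O=GeoTrust Inc./CN=...
#   1.1.1 or later: issuer=C = US, O = GeoTrust Inc., CN = ...

# Same three organisation names as the grep in the post.
BRANDS='GeoTrust|thawte|Symantec'
TAB=$(printf '\t')

# issuer_brand LINE: print the matched brand; exit status 1 if none matches.
# The O attribute must follow the start of the name, a "/" or a ", " so that
# a brand name inside a CN or OU does not count.
issuer_brand() {
  printf '%s\n' "$1" |
    sed -nE "s#^issuer=(.*[/,] ?)?O ?= ?\"?(${BRANDS}).*#\2#p" |
    grep .
}

# affected: read "host<TAB>issuer line" from stdin and print "host<TAB>brand"
# for every host whose issuer organisation is one of BRANDS.
affected() {
  while IFS="$TAB" read -r host issuer; do
    if brand=$(issuer_brand "$issuer"); then
      printf '%s\t%s\n' "$host" "$brand"
    fi
  done
}

# Constructed sample input (hypothetical hosts and issuer lines, not scan results).
sample() {
  printf '%s\t%s\n' \
    'old.example'   'issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3' \
    'new.example'   'issuer=C = US, O = "thawte, Inc.", CN = thawte SSL CA - G2' \
    'other.example' 'issuer=C = US, O = Example Trust, CN = Example CA' \
    'cn.example'    'issuer=/C=US/O=Example Trust/CN=Symantec lookalike'
}

sample | affected
```

To use it with the scan, have the `xargs` stage print the hostname, a tab and the raw issuer line, and pipe that into `affected` in place of the `grep` and `sed` steps.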
Quick Scan results
Below is the list of 100 domain names that still have to change their SSL certificate; in the next week, beta users of Chrome and Firefox will see SSL errors when trying to visit these sites. The list is a snapshot taken on Monday 27 August 2018, so some sites may have changed their SSL certificate in the meantime. To check a site yourself, both the SSL Labs Server Test and Chrome Developer Tools give notice of Symantec SSL certificates, or you can test the website in Firefox Nightly or Chrome Canary.
Government
hetzorgverhaal.nl lintjes.nl rudnhn.nl www.ameland.nl www.bsgw.nl www.bsr.nl www.bunnik.nl www.capelleaandenijssel.nl www.heemskerk.nl www.ikdoemee.nl* www.kansspelautoriteit.nl www.landerd.nl* www.mijnnfi.nl www.portofamsterdam.com www.schiermonnikoog.nl* www.staatsbosbeheer.nl www.vechtstromen.nl
Healthcare
advisium.sheerenloo.nl allerzorg.nl de-tandarts.net* dental-center.nl dietistenmetsmaak.nl dietisthilversum.nl empathon.nl huisartsenijsselmuiden.nl huisartspraktijkmozaiek.nl libranet.nl medischcentrumaj.nl natuurlijkbeter.com nl.boots.com psychopraktijkdronten.nl rijndam.nl spaarnegasthuis.nl www.amaris.nl www.bergmanclinics.nl www.burgenvanriel.nl www.davincikliniek.nl www.fysio-debleek.nl www.fysiotherapiehavenstraat.nl www.fysiotherapierijnmond.nl www.fysiotherapiewaldeck.nl www.herlaarhof.nl www.jeugdformaat.nl www.kinderfysiotherapie-emmen.nl www.noorderbrug.nl www.pkzkraamzorg.com www.pro-f.nl www.revant.nl www.sheerenloo.nl www.sintlucasandreasziekenhuis.nl www.spierziekten.nl www.tandinzicht.nl www.travelclinic.com www.vosonline.net www.vvaa.nl www.zorggroepreinalda.nl www.zuidzorg.nl www.zuwehofpoort.nl zeelandcare.com
Education
hotelschool.nl vanlodenstein.nl www.csdehoven.nl www.derooipannen.nl delinde.dse.nl kameleon.dse.nl www.dse.nl diamant.pcboapeldoorn.nl emma.pcboapeldoorn.nl gong.pcboapeldoorn.nl ichthus.pcboapeldoorn.nl kompas.pcboapeldoorn.nl kring.pcboapeldoorn.nl kws.pcboapeldoorn.nl ploeg.pcboapeldoorn.nl terebint.pcboapeldoorn.nl antoniusaxel.ogperspecto.nl bsclinge.ogperspecto.nl debrug.ogperspecto.nl degeule.ogperspecto.nl dekameleon.ogperspecto.nl dekreeke.ogperspecto.nl deschakel.ogperspecto.nl destatie.ogperspecto.nl dewereldboom.ogperspecto.nl heidepoort.ogperspecto.nl hetmozaiek.ogperspecto.nl inghelosenberghe.ogperspecto.nl irisschool.ogperspecto.nl laureyn.ogperspecto.nl marijkeschool.ogperspecto.nl meerpaal.ogperspecto.nl oostvogel.ogperspecto.nl opweg.ogperspecto.nl stjozef.ogperspecto.nl terdoest.ogperspecto.nl tgetij.ogperspecto.nl tgeuzennest.ogperspecto.nl tvogelnest.ogperspecto.nl twijn.ogperspecto.nl vlaswiek.ogperspecto.nl
* between the initial scan and checking of the command, these sites already changed their certificate (4 out of 100)
Date | Release |
2018-06-25 | First Nightly Firefox 63 |
2018-08-14 | First Canary Chrome 70 (dev-channel) |
2018-09-05 | First Beta Firefox 63 |
2018-09-13 | First Beta Chrome 70 |
2018-10-16 | Chrome 70 release |
2018-10-23 | Firefox 63 release |