On 09.09.25 09:25, Kamil Mankowski via IntelMQ-dev wrote:
I believe it could match both categories, so the question to others - what suits better from the operators' perspective?
I think "weak-crypto" perfectly fits here and the classification.type should also be changed to "weak-crypto" for ssl-poodle and ssl-freak.
"extra.http_server_version", "server", "validate_to_none"
The value of "server" is not only a version number but also includes the product name (like Apache or nginx). So how about writing this to "extra.http_server" (without "_version")?
Btw, I think the term "product" is quite confusing here. While the authors of the badsecrets library use it for "cryptographic product", I think most people will associate the name of an affected product like "Django" or "Rails" with "product".
So I wonder if something like "extra.badsecret_value" would be a better place to store the value of "badsecret_product" to avoid confusion?
I also wonder why the value of "badsecret_secret" is empty in most cases in the reports. Shouldn't this value always be available if a known secret has been detected?
- Thomas