HIGH · safety

Oil Industry Safety Directorate

Cert CN mismatch (CN=www, apex unmatched); cert expires 2026-05-17; 0/6 hardening headers

oisd.gov.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 42

Availability

HTTP 404

TLS

2026-12-03 · 173d

Headers

6 missing · 0 permissive

Email auth

SPF strict · DMARC reject

36

Security score

Critical

Headline findings

  • 01 · Cert CN/SAN mismatch — CN=www.oisd.gov.in but apex unmatched
  • 02 · Cert expires 2026-05-17 (19 days)
  • 03 · Zero standard hardening headers (0/6)
  • 04 · Broken SPF (-all rejects all senders, no DMARC recovery path)

Urgent · time-bound actions

  • -27d · Rotate TLS certificate before May 17 + correct CN/SAN to cover apex · due 2026-05-17
  • -13d · Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy headers · due 2026-05-31
  • -29d · Fix SPF: include actual mail infrastructure or set neutral if no mail sent from domain · due 2026-05-15

TLS security

warn

Issuer
DigiCert Inc
Expires
2026-12-03 (173d)

TLS validation warning: ERR_TLS_CERT_ALTNAME_INVALID

Email authentication

SPF
strict
DKIM
unknown
DMARC
reject

Hardening headers

0 / 0 / 6 · present / permissive / missing

  • HSTS · missing
  • CSP · missing
  • X-Frame-Options · missing
  • X-Content-Type-Options · missing
  • Referrer-Policy · missing
  • Permissions-Policy · missing

Lookalike domains

  • oisd.com · 76.223.54.146 (third-party)

Public topology · CT logs

0 total

No subdomains in CT logs — minimal external attack surface.

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

OISD is fragile across three dimensions — imminent cert expiry (19 days), broken email authentication, and Apache 2.2.15 EOL with 8+ years of unpatched CVEs. What is the incident response if cert renewal fails on 2026-05-17?

Active fingerprints · per host

  • oisd.gov.in · EOL × 3

    Apache server; apex 404; www subdomain serves

    • IMMINENT cert expiry; CN/SAN mismatch — apex returns browser warning
    • Apex CSP permissive (unsafe-inline/eval)
    • 0/6 hardening headers on apex
  • connect.oisd.gov.in · EOL × 1

    Apache 2.2.15 (Red Hat) — EOL since 2017

    • Apache 2.2.15 EOL since 2017 — 8+ years of unpatched CVEs

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: Cert expiry → phishing chain (19 days to impact)

effort
detect low (bad)
Entry
Cert expires 2026-05-17. CN/SAN mismatch already triggers warnings on apex. After expiry, all subdomains warn.
Pivot
Users dismiss warnings (trained behaviour). Attacker MITMs on apex with rogue cert.
Objective
Credential interception during a known-warning window.
#1

Path B: Email spoofing via broken SPF (-all without senders) + absent DMARC

effort hours
detect low (bad)
Entry
SPF v=spf1 -all rejects all senders unless DMARC has recovery; DMARC absent.
Pivot
Combined with absent DMARC, attacker spoofs @oisd.gov.in unimpeded.
Objective
Phishing with trusted government safety entity branding.
#1

Path C: Apache 2.2.15 EOL — unpatched RCE on connect subdomain

effort days
detect medium
Entry
Apache 2.2.15 EOL since 2017. Dozens of cumulative CVEs in mod_ssl, mod_proxy, mod_rewrite.
Pivot
Endpoint returns 403 — restricted but reachable; if any auth path or known-CVE chain succeeds, RCE.
Objective
Server compromise; lateral move to OISD internal network.
#3

Path D: Subdomain enumeration → potential takeover

effort hours
detect low (bad)
Entry
CT logs reveal connect.oisd.gov.in and www.connect.oisd.gov.in.
Pivot
If DNS points to deprovisioned cloud and entry not removed, subdomain takeover.
Objective
Phishing with valid TLS via takeover.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Cert expiry → phishing chain (19 days to impact)
factor ~5–10×
pre-AI
Cert expiry → browser warnings → phishing baseline
Mythos
AI-augmented attacker pre-stages rogue cert + DNS hijack timed to expiry minute
Path C · Apache 2.2.15 EOL — unpatched RCE on connect subdomain
factor ~10–20×
pre-AI
Apache 2.2.15 EOL exposes unpatched RCE surface
Mythos
AI maps 8 years of CVEs against the live config and surfaces the most likely exploitable chain in minutes

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    EMERGENCY: Rotate TLS cert before 2026-05-17 with apex SAN coverage

    Host
    oisd.gov.in
    Fix
    Renew cert. Ensure SAN includes BOTH apex (oisd.gov.in) AND www. Re-issue if current cert only covers www. Validate apex serves 200 OK post-renewal.
    Owner
    OISD TLS Admin
    Validation
    openssl s_client -connect oisd.gov.in:443 -servername oisd.gov.in </dev/null | openssl x509 -noout -ext subjectAltName shows both apex and www
  • critical

    Fix broken SPF — add real includes or set neutral

    Host
    oisd.gov.in (email)
    Fix
    Replace 'v=spf1 -all' with 'v=spf1 include:<actual mail provider> -all'. If domain doesn't send mail, document and keep -all but pair with DMARC p=reject for clarity.
    Owner
    OISD IT / Email
    Validation
    Legitimate mail from approved senders delivers; spoofed mail bounces
  • critical

    Publish DMARC record — start p=quarantine, escalate to p=reject

    Host
    oisd.gov.in (email)
    Fix
    DMARC: 'v=DMARC1; p=quarantine; rua=mailto:dmarc@oisd.gov.in; fo=1'. Monitor 2 weeks; escalate to p=reject.
    Owner
    OISD IT / Email
    Validation
    dig +short TXT _dmarc.oisd.gov.in returns DMARC1
  • critical

    Apache 2.2.15 — upgrade to 2.4.62+ or migrate to nginx reverse proxy

    Host
    connect.oisd.gov.in
    CVE
    Multiple unpatched (Apache 2.2.x EOL 2017)
    Fix
    (a) In-place upgrade to Apache 2.4.62+ with regression testing OR (b) Deploy nginx 1.26+ in reverse-proxy mode pointing to hardened backend. Test connect endpoint thoroughly.
    Owner
    OISD Infrastructure
    Validation
    curl -sI https://connect.oisd.gov.in | grep -i '^Server:' shows Apache 2.4.62+ or nginx

Tier 2 · within 30 days

  • high

    Harden CSP — remove unsafe-inline and unsafe-eval

    Host
    oisd.gov.in
    Fix
    Nonce-based CSP for inline scripts.
    Owner
    OISD Web Ops
    Validation
    curl -i shows CSP without unsafe-inline/eval
  • high

    Add the missing 6 hardening headers on apex

    Host
    oisd.gov.in
    Fix
    HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
    Owner
    OISD Web Ops
    Validation
    securityheaders.com returns A or A+
  • high

    Subdomain inventory + takeover prevention

    Host
    *.oisd.gov.in
    Fix
    For each CT-logged subdomain, verify DNS points to owned infra. Remove dangling CNAMEs. Implement CT monitoring.
    Owner
    OISD Infrastructure
    Validation
    Official subdomain register; monthly CT cross-check

Tier 3 · within 90 days

  • medium

    Reverse proxy / WAF deployment

    Host
    OISD edge
    Fix
    ModSecurity OWASP CRS or Cloudflare. Block traversal, SQLi, mod_rewrite exploit patterns.
    Owner
    Security Operations
    Validation
    WAF testing: CVE PoC payloads return 403
  • medium

    Apache deprecation roadmap for entire OISD estate

    Host
    OISD-wide
    Fix
    Document timeline to retire all Apache 2.2.x and migrate to supported versions.
    Owner
    OISD CISO
    Validation
    Migration plan filed with target dates

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.