New certificate search tool - crt.sh

[Rob Stradling]

Hi. I thought folks here might find this useful. It's a web interface
that lets you search for certs that have been logged by CT.

https://crt.sh

Pronounced "search". :-)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

[Eric Mill]

This is outstanding - simple, but totally what people need to start getting
the idea and benefit of CT.

One high ROI addition might be RSS feeds for search terms. That way, I
could create e.g. an IFTTT alert that emails me whenever a certificate is
publicly logged as being issued for my domains.

-- Eric

On Wed, Jun 3, 2015 at 8:56 AM, Rob Stradling <rob.st...@comodo.com>
wrote:

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>



--
konklone.com | @konklone <https://twitter.com/konklone>

[Rob Stradling]

On 03/06/15 14:43, Eric Mill wrote:
> This is outstanding - simple, but totally what people need to start
> getting the idea and benefit of CT.

Thanks Eric. :-)

> One high ROI addition might be RSS feeds for search terms. That way, I
> could create e.g. an IFTTT alert that emails me whenever a certificate
> is publicly logged as being issued for my domains.

Indeed. It's on the todo list.

[Richard Barnes]

+1 to Eric's praise. Nice idea. Even better if you were to
open-source the code ;)

David Keeler has done some work on visualizing certs that may be helpful.
http://people.mozilla.org/~dkeeler/certsplainer/
https://github.com/mozkeeler/certsplainer

I notice that % is your wildcard character. Hopefully this doesn't
indicate a SQL injection risk!

Sent from my iPhone. Please excuse brevity.

[Rob Stradling]

On 03/06/15 16:15, Richard Barnes wrote:
> +1 to Eric's praise. Nice idea.

Thanks Richard. :-)

> Even better if you were to open-source the code ;)

That's a conversation I've yet to have with my employer.

> David Keeler has done some work on visualizing certs that may be helpful.
> http://people.mozilla.org/~dkeeler/certsplainer/
> https://github.com/mozkeeler/certsplainer

I'll take a look. Thanks.

> I notice that % is your wildcard character. Hopefully this doesn't
> indicate a SQL injection risk!

What sort of SQL injection risk are you concerned about?

http://en.wikipedia.org/wiki/SQL_injection
"SQL injection is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an
entry field for execution (e.g. to dump the database contents to the
attacker)"

"to dump the database" is kinda the point of crt.sh. :-)

All of the data is already public (in the CT logs). I would happily
permit searches for "?q=%25" if I had unlimited bandwidth and server
performance. (Currently any search that's still running after a minute
or two is automatically killed).

Also, the database used by https://crt.sh is a read-only slave, so even
if you could inject something like "DROP TABLE certificate", it would
fail to execute.

Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.

[Eric Mill]

On Wed, Jun 3, 2015 at 11:46 AM, Rob Stradling <rob.st...@comodo.com>
wrote:

> Even better if you were to open-source the code ;)
>>
>
> That's a conversation I've yet to have with my employer.

Strongly agree. The impact of crt.sh will be bigger, and its momentum will
be higher for potential public contributions. And if we're talking about
infrastructure in the service of public good, the more open source the
better. Don't let concerns over code quality get in the way.

I notice that % is your wildcard character. Hopefully this doesn't
>>
> indicate a SQL injection risk!
>>
>

> Also, the database used by https://crt.sh is a read-only slave, so even
> if you could inject something like "DROP TABLE certificate", it would fail
> to execute.

It's still probably worth verifying that people can't insert arbitrary SQL
commands, even if some of them that you've thought of are unlikely to work
in practice.

-- Eric

[Rob Stradling]

On 03/06/15 18:02, Eric Mill wrote:
>
> On Wed, Jun 3, 2015 at 11:46 AM, Rob Stradling <rob.st...@comodo.com
> <mailto:rob.st...@comodo.com>> wrote:
>
> Even better if you were to open-source the code ;)
>
> That's a conversation I've yet to have with my employer.
>
> Strongly agree. The impact of crt.sh will be bigger, and its momentum
> will be higher for potential public contributions. And if we're talking
> about infrastructure in the service of public good, the more open source
> the better. Don't let concerns over code quality get in the way.

It's a conversation I intend to have with my employer. :-)

> I notice that % is your wildcard character. Hopefully this doesn't
> indicate a SQL injection risk!
>
> Also, the database used by https://crt.sh is a read-only slave, so
> even if you could inject something like "DROP TABLE certificate", it
> would fail to execute.
>
> It's still probably worth verifying that people can't insert arbitrary
> SQL commands, even if some of them that you've thought of are unlikely
> to work in practice.

Sure. I verified that before I announced the site this morning. And I
double-checked it after Richard's post. (But of course I only have one
set of eyeballs... ;-) ).

> -- Eric
>
>
>
> Sent from my iPhone. Please excuse brevity.
>
> On Jun 3, 2015, at 10:01, Rob Stradling

> <rob.st...@comodo.com <mailto:rob.st...@comodo.com>>

> wrote:
>
> On 03/06/15 14:43, Eric Mill wrote:
> This is outstanding - simple, but totally what people
> need to start
> getting the idea and benefit of CT.
>
>
> Thanks Eric. :-)
>
> One high ROI addition might be RSS feeds for search
> terms. That way, I
> could create e.g. an IFTTT alert that emails me whenever
> a certificate
> is publicly logged as being issued for my domains.
>
>
> Indeed. It's on the todo list.
>
> -- Eric
>
> On Wed, Jun 3, 2015 at 8:56 AM, Rob Stradling
> <rob.st...@comodo.com <mailto:rob.st...@comodo.com>

> <mailto:rob.st...@comodo.com

> <mailto:rob.st...@comodo.com>>> wrote:
>
> Hi. I thought folks here might find this useful.
> It's a web
> interface that lets you search for certs that have
> been logged by CT.
>
> https://crt.sh
>
> Pronounced "search". :-)
>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org

> <mailto:dev-secur...@lists.mozilla.org>

> https://lists.mozilla.org/listinfo/dev-security-policy
>
>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

> Office Tel: +44.(0)1274.730505 <tel:%2B44.%280%291274.730505>
> Office Fax: +44.(0)1274.730909 <tel:%2B44.%280%291274.730909>
> www.comodo.com <http://www.comodo.com>

>
> COMODO CA Limited, Registered in England No. 04058690
> Registered Office:
> 3rd Floor, 26 Office Village, Exchange Quay,
> Trafford Road, Salford, Manchester M5 3EQ
>
> This e-mail and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please
> notify the sender by replying to the e-mail containing this
> attachment. Replies to this email may be monitored by COMODO for
> operational or business reasons. Whilst every endeavour is taken to
> ensure that e-mails are free from viruses, no liability can be
> accepted and the recipient is requested to use their own virus
> checking software.
>
>
>
>
> --

> konklone.com <https://konklone.com> | @konklone
> <https://twitter.com/konklone>

[Chris Palmer]

This is sweet. Thank you, Rob. :)

On Wed, Jun 3, 2015 at 5:56 AM, Rob Stradling <rob.st...@comodo.com> wrote:
> Hi. I thought folks here might find this useful. It's a web interface that
> lets you search for certs that have been logged by CT.
>
> https://crt.sh
>
> Pronounced "search". :-)
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org

> https://lists.mozilla.org/listinfo/dev-security-policy

[Rob Stradling]

Thanks Chris. :-)

[Hubert Kario]

On Wednesday 03 June 2015 09:43:23 Eric Mill wrote:
> This is outstanding - simple, but totally what people need to start getting
> the idea and benefit of CT.
>

> One high ROI addition might be RSS feeds for search terms. That way, I
> could create e.g. an IFTTT alert that emails me whenever a certificate is
> publicly logged as being issued for my domains.
>

> -- Eric

+1 on the awesome tool

and I would like to propose to extend the RSS to a general web API (JSON)

> On Wed, Jun 3, 2015 at 8:56 AM, Rob Stradling <rob.st...@comodo.com>

>
> wrote:
> > Hi. I thought folks here might find this useful. It's a web interface
> > that lets you search for certs that have been logged by CT.
> >
> > https://crt.sh
> >
> > Pronounced "search". :-)
> >
> > --
> > Rob Stradling
> > Senior Research & Development Scientist
> > COMODO - Creating Trust Online
> >

> > _______________________________________________
> > dev-security-policy mailing list
> > dev-secur...@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

[Hubert Kario]

[Rob Stradling]

On 08/06/15 14:54, Hubert Kario wrote:
> On Wednesday 03 June 2015 09:43:23 Eric Mill wrote:
>> This is outstanding - simple, but totally what people need to start getting
>> the idea and benefit of CT.
>>
>> One high ROI addition might be RSS feeds for search terms. That way, I
>> could create e.g. an IFTTT alert that emails me whenever a certificate is
>> publicly logged as being issued for my domains.
>>
>> -- Eric
>
> +1 on the awesome tool

Thanks Hubert. :-)

> and I would like to propose to extend the RSS to a general web API (JSON)

Makes sense. I've added this to my to-do list.

[Rob Stradling]

On 08/06/15 15:09, Rob Stradling wrote:
> On 08/06/15 14:54, Hubert Kario wrote:
>> On Wednesday 03 June 2015 09:43:23 Eric Mill wrote:
>>> This is outstanding - simple, but totally what people need to start
>>> getting
>>> the idea and benefit of CT.
>>>
>>> One high ROI addition might be RSS feeds for search terms. That way, I
>>> could create e.g. an IFTTT alert that emails me whenever a
>>> certificate is
>>> publicly logged as being issued for my domains.
>>>
>>> -- Eric
>>
>> +1 on the awesome tool
>
> Thanks Hubert. :-)
>
>> and I would like to propose to extend the RSS to a general web API (JSON)
>
> Makes sense. I've added this to my to-do list.

Hubert, I think a standard API for interfacing with CT monitors would be
a bigger win than an API that's specific to https://crt.sh. See the
message I just posted to the "CA scope transparency" thread.

[Hubert Kario]

On Tuesday 09 June 2015 10:53:37 Rob Stradling wrote:
> On 08/06/15 15:09, Rob Stradling wrote:
> > On 08/06/15 14:54, Hubert Kario wrote:
> >> On Wednesday 03 June 2015 09:43:23 Eric Mill wrote:
> >>> This is outstanding - simple, but totally what people need to start
> >>> getting
> >>> the idea and benefit of CT.
> >>>
> >>> One high ROI addition might be RSS feeds for search terms. That way, I
> >>> could create e.g. an IFTTT alert that emails me whenever a
> >>> certificate is
> >>> publicly logged as being issued for my domains.
> >>>
> >>> -- Eric
> >>
> >> +1 on the awesome tool
> >
> > Thanks Hubert. :-)
> >
> >> and I would like to propose to extend the RSS to a general web API (JSON)
> >
> > Makes sense. I've added this to my to-do list.
>
> Hubert, I think a standard API for interfacing with CT monitors would be
> a bigger win than an API that's specific to https://crt.sh. See the
> message I just posted to the "CA scope transparency" thread.

I agree, but we need to start from somewhere.

and starting with a versioned API, that is precisely defined and documented,
on the crt.sh website would be, IMHO, a good way to do that

> >>> On Wed, Jun 3, 2015 at 8:56 AM, Rob Stradling <rob.st...@comodo.com>
> >>>
> >>> wrote:
> >>>> Hi. I thought folks here might find this useful. It's a web interface
> >>>> that lets you search for certs that have been logged by CT.
> >>>>
> >>>> https://crt.sh
> >>>>
> >>>> Pronounced "search". :-)

--

[Rob Stradling]

On 03/06/15 16:46, Rob Stradling wrote:
> On 03/06/15 16:15, Richard Barnes wrote:

<snip>

>> David Keeler has done some work on visualizing certs that may be helpful.
>> http://people.mozilla.org/~dkeeler/certsplainer/
>> https://github.com/mozkeeler/certsplainer
>
> I'll take a look. Thanks.

Hi Richard. I've been looking at certsplainer. There seem to be no
limits on what you can do with JavaScript these days!

BTW, https://crt.sh now has a certificate ASN.1 dump feature, powered by
asn1js. :-)

[Rob Stradling]

On 10/06/15 12:17, Hubert Kario wrote:
> On Tuesday 09 June 2015 10:53:37 Rob Stradling wrote:
>> On 08/06/15 15:09, Rob Stradling wrote:
>>> On 08/06/15 14:54, Hubert Kario wrote:
>>>> On Wednesday 03 June 2015 09:43:23 Eric Mill wrote:
>>>>> This is outstanding - simple, but totally what people need to start
>>>>> getting the idea and benefit of CT.
>>>>>
>>>>> One high ROI addition might be RSS feeds for search terms. That way, I
>>>>> could create e.g. an IFTTT alert that emails me whenever a
>>>>> certificate is publicly logged as being issued for my domains.
>>>>>
>>>>> -- Eric
>>>>
>>>> +1 on the awesome tool
>>>
>>> Thanks Hubert. :-)
>>>
>>>> and I would like to propose to extend the RSS to a general web API (JSON)
>>>
>>> Makes sense. I've added this to my to-do list.
>>
>> Hubert, I think a standard API for interfacing with CT monitors would be
>> a bigger win than an API that's specific to https://crt.sh. See the
>> message I just posted to the "CA scope transparency" thread.
>
> I agree, but we need to start from somewhere.
>
> and starting with a versioned API, that is precisely defined and documented,
> on the crt.sh website would be, IMHO, a good way to do that

Hi Hubert. I just posted this:

http://www.ietf.org/mail-archive/web/trans/current/msg01204.html

[Rob Stradling]

On 03/06/15 19:48, Rob Stradling wrote:
> On 03/06/15 18:02, Eric Mill wrote:
>>
>> On Wed, Jun 3, 2015 at 11:46 AM, Rob Stradling <rob.st...@comodo.com
>> <mailto:rob.st...@comodo.com>> wrote:
>>
>> Even better if you were to open-source the code ;)
>>
>> That's a conversation I've yet to have with my employer.
>>
>> Strongly agree. The impact of crt.sh will be bigger, and its momentum
>> will be higher for potential public contributions. And if we're talking
>> about infrastructure in the service of public good, the more open source
>> the better. Don't let concerns over code quality get in the way.
>
> It's a conversation I intend to have with my employer. :-)

Richard, Eric,

We had that conversation and...

https://github.com/crtsh

[Eric Mill]

That's fantastic news, Rob! Congratulations on getting the code that
supports crt.sh out there, and for taking the time to split it out into
little helpful modules. I hope me or my team will get to use it, and I'll
definitely be pointing folks working on CT over to your repos!

On Mon, Sep 7, 2015 at 9:05 AM, Rob Stradling <rob.st...@comodo.com>
wrote:

[Rob Stradling]

Thanks Eric. :-)

It really is just the code at the moment. Documentation lacking. But
hey, gotta start somewhere. :-)

> konklone.com <https://konklone.com> | @konklone
> <https://twitter.com/konklone>