New CT Log Monitoring Tool: MerkleMap.com

1,246 views
Skip to first unread message

Pierre Barre

unread,
Sep 4, 2024, 8:27:31 AM9/4/24
to certificate-transparency

Hi there,

I'm writing to share a new project that may be of interest to this community. I recently launched https://www.merklemap.com/, a tool designed to leverage Certificate Transparency logs for enhanced domain monitoring.

Key features of MerkleMap:

  1. Near real-time ingestion of CT logs
  2. Full-string subdomain search capability
  3. Support for an arbitrary number of wildcards in searches

While the current functionality focuses on subdomain discovery, I'm planning to expand MerkleMap into a comprehensive CT log monitor over time. Future features may include:

  • Alerts for new certificate issuances
  • Historical certificate data analysis
  • Integration with other security tools

I welcome any feedback or feature suggestions from the group. If you have a moment to try out the tool, I'd be particularly interested in hearing your thoughts on its performance and usability.

Thank you for your time and consideration.

Philippe Boneff

unread,
Sep 4, 2024, 8:50:33 AM9/4/24
to certificate-...@googlegroups.com
Hi Pierre,

I welcome any feedback or feature suggestions from the group. If you have a moment to try out the tool, I'd be particularly interested in hearing your thoughts on its performance and usability.
It looks very sleek, and it's fast. I've just poked around a bit, and found it very easy to use. Congrats on launching!

I'm just wondering, what logs does it get data from? Maybe it could be listed somewhere?
Even more interesting would be in which certificate and/or log the domains have been observed, but as you say, this version focuses on subdomain discovery. Is this something that you're planning on adding with Historical certificate data analysis?

Cheers,
Philippe

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/d4267d40-a58d-4cda-a1a7-1f12138a080an%40googlegroups.com.

Bas Westerbaan

unread,
Sep 4, 2024, 8:53:51 AM9/4/24
to certificate-...@googlegroups.com
Great to see another monitor in the ecosystem, and the UI feels great. Are you also following the static ct logs?

To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/CAOzAejS1MxXzAdXFL6ztL7TUJKDUXUKA7VXwi03BvkkeB1eUww%40mail.gmail.com.

Pierre Barre

unread,
Sep 4, 2024, 9:10:02 AM9/4/24
to certificate-transparency

Hi Philippe,

Thank you for your quick feedback and questions about the tool. I'm glad to hear you found it nice.

Regarding your questions:

  1. Data Sources:  I'm planning to build a dedicated page that will display all the monitored logs, as well as show any "drift" in the data
  2. Current Logs: The tool currently pulls data from the logs at the bottom of this email. Basically anything that was active when I started to write the tool. New logs are inserted dynamically from the all_logs google endpoint.
  3. Historical Certificate Data Analysis: You've hit the nail on the head – this is indeed something I'm planning to incorporate. The good news is that we're already storing full certificates and have normalized the data. Adding this functionality is mostly a matter of display work at this point.

Thank you again,

Pierre

"Sectigo 'Mammoth2024h1b'" https://mammoth2024h1b.ct.sectigo.com/

"Let's Encrypt 'Oak2024H1' log" https://oak.ct.letsencrypt.org/2024h1/
"Sectigo 'Sabre2024h1'" https://sabre2024h1.ct.sectigo.com/
"DigiCert 'Sphinx2025h1' Log" https://sphinx.ct.digicert.com/2025h1/
"Let's Encrypt 'Oak2025h1'" https://oak.ct.letsencrypt.org/2025h1/
"DigiCert 'Sphinx2024h2' Log" https://sphinx.ct.digicert.com/2024h2/
"DigiCert 'Wyvern2024h2' Log" https://wyvern.ct.digicert.com/2024h2/
"Let's Encrypt 'Oak2025h2'" https://oak.ct.letsencrypt.org/2025h2/
"Let's Encrypt 'Oak2024H2' log" https://oak.ct.letsencrypt.org/2024h2/
"Sectigo 'Sabre2024h2'" https://sabre2024h2.ct.sectigo.com/
"Sectigo 'Sabre2025h1'" https://sabre2025h1.ct.sectigo.com/
"DigiCert 'Wyvern2025h2' Log" https://wyvern.ct.digicert.com/2025h2/
"DigiCert 'Wyvern2025h1' Log" https://wyvern.ct.digicert.com/2025h1/
"Cloudflare 'Nimbus2024' Log" https://ct.cloudflare.com/logs/nimbus2024/
"DigiCert 'Sphinx2025h2' Log" https://sphinx.ct.digicert.com/2025h2/
"Sectigo 'Mammoth2024h2'" https://mammoth2024h2.ct.sectigo.com/
"Sectigo 'Mammoth2025h1'" https://mammoth2025h1.ct.sectigo.com/
"Sectigo 'Mammoth2025h2'" https://mammoth2025h2.ct.sectigo.com/
"Sectigo 'Sabre2025h2'" https://sabre2025h2.ct.sectigo.com/
You received this message because you are subscribed to a topic in the Google Groups "certificate-transparency" group.
To unsubscribe from this group and all its topics, send an email to certificate-transp...@googlegroups.com.

Pierre Barre

unread,
Sep 4, 2024, 9:13:39 AM9/4/24
to certificate-transparency
Hi Bas,

Thank you for your feedback.

Regarding your question about "static CT logs," I assume you're referring to logs that are no longer being actively updated? To clarify:

The list of logs monitored by the tool includes both active and inactive logs that were operational when I initially developed the tool. I've attached a text file containing the complete list of monitored logs for your reference.

Cheers,
Pierre
You received this message because you are subscribed to a topic in the Google Groups "certificate-transparency" group.
To unsubscribe from this group and all its topics, send an email to certificate-transp...@googlegroups.com.

logs.txt

Bas Westerbaan

unread,
Sep 4, 2024, 9:21:50 AM9/4/24
to certificate-...@googlegroups.com
I'm referring to this new CT monitor API that is being experimented with: https://groups.google.com/a/chromium.org/g/ct-policy/c/v9JzlbphYBs/m/kyQk4ZP6AAAJ

Pierre Barre

unread,
Sep 4, 2024, 9:31:54 AM9/4/24
to certificate-transparency

Thank you for the clarification, Bas.

The tool currently only has CT v1 implemented. I've been following updates about this from afar, but adding support for this is certainly something I'll add to my to-do list.

Pierre Barre

unread,
Sep 14, 2024, 9:00:44 AM9/14/24
to certificate-transparency
Hi, 

To give an update, I added support for displaying certificates. 

Searching for a name now allows to display a "subtable" when clicking the "+" button. 

Clicking on a fingerprint itself shows the certificate details.


Kind regards,
Pierre
Screenshot 2024-09-14 at 14.59.13.png

Andrew C Aitchison

unread,
Sep 15, 2024, 5:09:38 AM9/15/24
to certificate-transparency
On Sat, 14 Sep 2024, Pierre Barre wrote:

> Hi,
>
> To give an update, I added support for displaying certificates.
>
> Searching for a name now allows to display a "subtable" when clicking the
> "+" button.
>
> Clicking on a fingerprint itself shows the certificate details.
>
> Eg. https://www.merklemap.com/certificates/7bdd95488fbc50334e108dfa9cd8d579193f5d4c578ae3a6e3f74bd59f3b2b7c

Thanks.

It might be useful to sort certificates by issuer
(perhaps even before host).
I do however realize that that could increase server load.

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk

Pierre Barre

unread,
Sep 15, 2024, 5:19:35 AM9/15/24
to Andrew C Aitchison, certificate-transparency
That's the tricky part for sure!

I'm running on bare minimum resources right now and doing some pretty wild stuff just to make search work at all. Basically, I need more RAM (only rocking 128GB at the moment, would be confortable with 700GB-1TB) which should be doable. Once I've got that sorted, I'll be able to tackle things like sorting the "main" search table.

It's a bit of a juggling act, but we'll get there! Appreciate your patience while I MacGyver this thing together.

Cheers,
Pierre
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "certificate-transparency" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/certificate-transparency/JVUwADOaLt4/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> certificate-transp...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/certificate-transparency/3dbb60df-26c6-848b-c563-1189ec557472%40aitchison.me.uk.

Pierre Barre

unread,
Dec 10, 2024, 5:31:15 PM12/10/24
to certificate-transparency

Hi everyone,

I'm excited to share a new feature I've implemented: distance search for detecting potential typosquatting domains. This tool helps organizations proactively identify domains that might be attempting to mimic legitimate brand names and websites.

What is it?

  • A search system that finds domains with similar spellings to legitimate domains
  • Helps detect potential phishing or brand impersonation attempts
  • Uses string distance algorithms to identify variations

Here are some example searches you can try:

I'd love to hear your feedback.

Best regards, 

Pierre

Pierre Barre

unread,
Feb 27, 2025, 5:04:37 PMFeb 27
to certificate-transparency
Hi everyone,

We've added some live statistics on our landing page to showcase how much our ingest pipeline is processing at https://www.merklemap.com/ below the search box.

Screenshot 2025-02-27 at 23.00.44.png
The current processing rates are higher than the current issuing rates as we still have some backlog to process from older logs.
Our end goal is to build something similar to Cloudflare's Merkle Town (https://ct.cloudflare.com/), but more "live".

Hope you'll find this interesting!

Best,
Pierre
Reply all
Reply to author
Forward
0 new messages