A possible bug in crt.sh.

[Aozhuo]

Hey!

 

When I recently searched for the relevant certificates of “taobao.com”, I found that crt.sh missed some of them.

When searching I excluded expired certificates and deduplicated (pre)certificate pairs. In the end, 80 certificates were obtained (this obviously did not reach the upper limit of the number of returned certificates), and the latest one was issued on September 7, 2021, and its crt.sh ID is 5175590179.

But we still know some newer certificates (about 140), e.g.:

263790cc608b4b41f3dd7857cd9a72e22c6109f33fe09b01d47278176da566b5,

b6c63917d1d2057bfffc344b76ee41be21b0583ef64cef8d2a7c50c82fe37241,

901a75ca5c94f8f6598e3e0eeaf8b3fc7854234f16f95cb6620b4909fdae1326,

………

 

These certificates can be searched by crt.sh via SHA256-Fingerprint, which means they are correctly obtained and stored.

I don't know if I made a mistake in querying or if there is a problem with crt.sh searching. If it is a problem with crt.sh search, it may not only be a single value for the domain “taobao.com”.

 

Thanks,

Aozhuo

[r...@sectigo.com]

Hi Aozhuo.  This is a long-standing issue, for which I'm afraid I still don't have a solution.  See https://groups.google.com/g/crtsh/c/PJBu5cvm0G8/m/iCIy0vBPAwAJ

[Aozhuo]

Thanks!

But I still wanted to confirm.

The problem mentioned in  https://groups.google.com/g/crtsh/c/PJBu5cvm0G8/m/iCIy0vBPAwAJ  is for domains with a large number of certificates such as "microsoft.com", "amazon.com"," att.com" and "google.com". But “taobao.com” only has less than 300 unexpired certificates, which doesn't seem to lead to a long-running query and apparently doesn't hit the 10,000 output limit, are they the same issue?

[r...@sectigo.com]

Try going to the "Advanced..." options (https://crt.sh/?a=1), ticking the "Exclude expired certificates?" checkbox, and then performing an "IDENTITY" search for "taobao.com".  With this checkbox ticked, expired certificates are filtered out before the 10,000 row limit is imposed.  To get more information on how crt.sh is performing your search, you can also tick the "Show SQL?" checkbox.

[Aozhuo]

Hello, I used exactly the search method you mentioned. Specifically, I checked " Exclude expired certificates?" and " Deduplicate (pre)certificate pairs?", see attached image.

We have also attached a screenshot of the search results, you can see that the latest certificate was issued on September 7, 2021 (the results are the same as we described earlier).