Typo fixing (thank you Ellie!)
This commit is contained in:
parent
d9e3c488f2
commit
eb53274c89
1 changed files with 5 additions and 5 deletions
|
@ -24,11 +24,11 @@ CT logs can be operated by anybody - notable ones are run by Google, Cloudflare
|
|||
|
||||
# But why?
|
||||
|
||||
The need for CT logs was highlighted by the [2011 hacking of DigiNotar](https://en.wikipedia.org/wiki/DigiNotar). Attackers gained access to their certificate issuance infrastructure and issued over 500 fraudualent certificates that were then used to perform man-in-the-middle attacks on various targets in Iran. Domains included were the likes of Google, Yahoo, Mozilla and the Tor Project.
|
||||
The need for CT logs was highlighted by the [2011 hacking of DigiNotar](https://en.wikipedia.org/wiki/DigiNotar). Attackers gained access to their certificate issuance infrastructure and issued over 500 fraudulent certificates that were then used to perform man-in-the-middle attacks on various targets in Iran. Domains included were the likes of Google, Yahoo, Mozilla and the Tor Project.
|
||||
|
||||
Concerningly, DigiNotar also had a part to play in the issuance of certificates for the Dutch Government, and while it's not thought that they were targeted, their certificate issuance chain was also compromised.
|
||||
|
||||
Knowledge of the hacking only came to light 6 weeks after the actual incident occurred, despite DigiNotar themselves having knowing about it only 9 days afterwards. The eventual impact was that DigiNotar was distrusted as a CA entirely, but the incident also highlighted a need for transparency from CAs that did not exist at that time.
|
||||
Knowledge of the hacking only came to light 6 weeks after the actual incident occurred, despite DigiNotar themselves knowing about it only 9 days afterwards. The eventual impact was that DigiNotar was distrusted as a CA entirely, but the incident also highlighted a need for transparency from CAs that did not exist at that time.
|
||||
|
||||
The first CT logs were launched in March and September 2013. Since then, the number of logs in operation grew and ultimately have proven their worth as they've been used to show that multiple CAs were issuing bad certificates - all of which ended up being distrusted.
|
||||
|
||||
|
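Review bot: the two spelling fixes in this hunk ("fraudulent", "knowing about it") are correct, but the unchanged context line "the number of logs in operation grew and ultimately have proven their worth" still has a subject/verb mismatch: the subject is "the number", so it should be "has proven its worth", or recast as "the logs in operation multiplied and have ultimately proven their worth". While here, "it's not thought that they were targeted" in the Dutch Government sentence leaves "they" ambiguous between DigiNotar and the Dutch Government; naming the intended subject would remove the doubt.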
@ -42,7 +42,7 @@ The core data structure behind CT logs is called a [Merkle tree](https://en.wiki
|
|||
|
||||
You also have access to use operators like `OR` to search across multiple domains at once, and using [the advanced search panel](https://crt.sh/?a=1) gives you the ability to tweak many more search parameters.
|
||||
|
||||
Detailed breakdowns of each certificate that is listed in any results are also available - for example, [here's the page for the certificate that this site was using at the time of publication](https://crt.sh/?id=11905901614). There you can see which CT logs the information was sourced from, a breakdown of the revocation status of the cert and the current validitidy, as well as the raw contents.
|
||||
Detailed breakdowns of each certificate that is listed in any results are also available - for example, [here's the page for the certificate that this site was using at the time of publication](https://crt.sh/?id=11905901614). There you can see which CT logs the information was sourced from, a breakdown of the revocation status of the cert and the current validity, as well as the raw contents.
|
||||
|
||||
crt.sh *also* allows you to access the results of search queries using a handy dandy Atom feed - in these feeds, you get a short summary of the certificate and a PEM-encoded copy of it.
|
||||
|
||||
|
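Review bot: the "validity" fix is fine; the surrounding context lines carry two more wording slips that a typo pass could pick up: "You also have access to use operators like `OR`" reads better as "You can also use operators like `OR` to search across multiple domains at once", and "each certificate that is listed in any results" can simply be "each certificate in the results".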
@ -62,7 +62,7 @@ crt.sh *also* allows you to access the results of search queries using a handy d
|
|||
|
||||
While there exist plenty of commercial solutions to monitor certificate logs for your domains, these cost (sometimes lots of) money and I am a student. I will be building my own.
|
||||
|
||||
It's quite simple to build a something that polls crt.sh's Atom feed every hour and checks the result against a database of known certificates. When new certificates are detected, they're parsed, recorded in the database and an email is sent listing some details about the certificate. I also threw together a quick web page to show off the contents of the database.[^5] Every now and then, a cleanup job runs to remove expired certificates which are always ignored during certificate ingest.
|
||||
It's quite simple to build something that polls crt.sh's Atom feed every hour and checks the result against a database of known certificates. When new certificates are detected, they're parsed, recorded in the database and an email is sent listing some details about the certificate. I also threw together a quick web page to show off the contents of the database.[^5] Every now and then, a cleanup job runs to remove expired certificates which are always ignored during certificate ingest.
|
||||
|
||||

|
||||
|
||||
|
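Review bot: the trailing clause of the changed line, "remove expired certificates which are always ignored during certificate ingest", is ambiguous without punctuation; it can be read as "remove only those expired certificates that are ignored at ingest". Suggest splitting it: "a cleanup job runs to remove expired certificates; expired certificates are also skipped during ingest." Stating that behaviour plainly matters here, because it means a certificate that has already expired by the time the hourly poll sees it will never produce an alert.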
@ -105,7 +105,7 @@ My little certificate monitor is now online and puttering away as expected. Whil
|
|||
[^1]: The exact rules for this are dependent on the duration of the certificate - longer-living certificates need entering into more logs. [Documentation about what Google Chrome requires can be found here.](https://googlechrome.github.io/CertificateTransparency/ct_policy.html)
|
||||
[^2]: A list of currently accepted logs can be found here: [https://googlechrome.github.io/CertificateTransparency/log_list.html](https://googlechrome.github.io/CertificateTransparency/log_list.html)
|
||||
[^3]: Eg: [https://sapling.ct.letsencrypt.org/2024h2/ct/v1/get-roots](https://sapling.ct.letsencrypt.org/2024h2/ct/v1/get-roots)
|
||||
[^4]: Of course, this is far from infalliable - if you read your data out of this instead of directly reading CT logs, you're of course going to have to put 100% trust in crt.sh. For me, that's okay, but it might not be for you and that's also okay.
|
||||
[^4]: Of course, this is far from infallable - if you read your data out of this instead of directly reading CT logs, you're of course going to have to put 100% trust in crt.sh. For me, that's okay, but it might not be for you and that's also okay.
|
||||
[^5]: This was built with the [GOV.UK Design System](https://design-system.service.gov.uk/), which is the open source web framework created by the Government Digital Service. I hadn't used this before, and I hope to write about the experience of using it as a non-government being soon, but the TL;DR is that it was very useful.
|
||||
[^6]: If you take a look at a certificate detail view inside of Firefox, you can see a list of SCTs included in it at the bottom of the page - one for each CT log that it was entered into.
|
||||
[^7]: It also doesn't matter if the full certificate is never submitted to a CT log despite being issued because the record of that precertificate is still going to be there.
|
||||
|
|
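Review bot: the replacement line in this hunk swaps one misspelling for another: "infalliable" becomes "infallable", but the word is "infallible". Suggest "[^4]: Of course, this is far from infallible - if you read your data out of this instead of directly reading CT logs, ...". The rest of the footnote is unchanged and reads fine.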