Encryption is one of the safest forms of securing data; yet academics recently found a vulnerability that allowed attackers to
Mozilla has recently released its browser version Firefox 65 that brings enhanced content blocking. With the upcoming Firefox 66, it
How many times have you stumbled on the SSL certificate, and the only things that you cared about were Common Name (CN), DNS Names, Dates (issue and expiry)? Do you know SSL certificate can speak so much about you/ your firm? It can tell stories and motives; you can gather a good intelligence from them - which companies are hosting new domains, sub-domains; did they just revoke the last certificate? Or, why some firm switched its vendors/ CA(s)? We all have read that SSL certificates have always been the talk of the town for their inherent strength but weak issuance process, i.e. the chain of command relying on the Certificate Authorities, (aka the business firms) but haven't played with them in real-time. There are search engines available but none of them as comprehensive, fast and free as CertDB
There have been quite a few attacks and hacks where Certificate Authorities were targeted by hacking groups or even involved directly. Even though the vast initiatives by browsers and firms to regularly monitor SSL certificates, improve browser behaviours for awareness and revoke the bad ones has been highly appreciated, the pentesters often don't find much during the comprehensive assessment. Recently, there has been an uproar on the business interests of CA(s) with the issuance, so much so that some are being tagged as bad and untrusted CA for not doing job well. Companies are moving aggressively to HTTPS especially with the recent introduction of LetsEncrypt Wildcard Certificates. But we haven't seen the use of all this information on a common platform to further analyse the certificates and assess their digital SSL footprint and gather valuable intelligence.
This is where CertDB steps in. A great project maintained by smart people and FREE forever for the public. I spent last few weeks accessing their services, and the platform and my short verdict says - It is great! It does have some quirks, but highly recommended!
The crt.sh and CertDB serve different objectives. while crt.sh gets the data from certificate transparency (CT) logging system where "legit" CA submit the certs in "real time"; CertDB is based on the scanning the IPv4 segment, domains and "finding & analyzing" certificates - good or bad.
CertDB can also find self-signed certificates, which crt.sh can not. Hence, CertDB can give a realistic view of HTTPS - which IP is using what certs, self-signed, invalid CA etc; while crt.sh shows the "good" law-abiding view, per say.
What is CertDB?
CertDB is an Internet search engine for SSL certificates. In simple terms, it parses the certificate and then makes different fields indexable for the user to execute search queries. It indexes the following common information,
|Subject||Country, State, Category, Serial Number, Locality, Organization, Common Name|
|Issuer||Country, State, Locality, Organization, Common Name|
|Others||Public Key IP Address related to the domain, Validity Dates|
|Fingerprint||SHA1, SHA256 and MD5|
|Extensions||Usage, Subject Key ID, Authority Key ID, ALT Names, Certificate Policies|
Now once you have extracted these fields, you can query and generate intelligence around it. You have these fields available with a logical query, and can be clubbed together to make complex queries. CertDB also provides raw certificates, public key and json formatted certificate information available for download. Recently they have integrated Alexa Ranking with the domains/ IP addresses and all of this information has been filtered and is available as lists - top domains, top organizations, top countries, top issuers etc.
One such exciting list is "expiring certificates" where you can find the list of Domains/ Organizations whose certificates are about to expire. This kind of information can be convenient while auditing or assessing the firm's digital footprint.
While the documentation says the CertDB continuously scans every reachable web-server, on the Internet; the lab tests are not conclusive. I have asked the team to clarify and shall publish the response as part of the interview once I have a confirmed reply. But, it's appreciable that once their scanner detects the certificate, the information is available for the public to perform the required analysis in near real-time.
While we have all the information extracted from the digital certificates, we have to filter the results to get the required information via GUI or API. The GUI is open to all and can be used to do such queries with search-box, but to use the API one has to register an account.
You can register at https://certdb.com/signup, and an API key shall be allotted to you to perform 1000 queries a day with maximum 1000 results per query.
|api_key||<get your key post registration>|
|q||Any query (just like in search interface)|
|response_type||0 — JSON list of the dictionary with found certificates with all details
1 — JSON list of found certificates in base64
2 — JSON list of distinct organizations from found certificates
3 — JSON list of distinct domains from found certificates
It takes 30 seconds to register and receive the API Key. Here are few examples of querying the right information,
- Search for Issuer "Godaddy" issued certificate for an "Italian region" domain/company.
- Certificates issued to a subnet or IP range (example: Amazon Global IP Range: 184.108.40.206/15)
,with newline and only list first 10 results
tr , '\n' | head -10
- Expiring in next ten days.
- Expiring certificates in next seven days for Netflix organization
expiring:"7 days" organization:"Netflix"
- New Certificates in last five days for Safeway Insurance Company (via API)
new:"5 days" organization:"Safeway Insurance Company"
There can be many such cases where you would like to know the certificates issued to a firm in the past; or if the firm recently got a new domain/ sub-domain and looking for a new business line. I could think of the following interesting cases if I am doing an assessment,
- Dork all the subdomains;
site:example.comand then start negating in a loop as per the first result.
site:example.com -www -test. Or, use a threat intel tool to gather the sub-domains and validate if they all have SSL certificates. Manually check, and report if some domains are not on HTTPS (Refer: Google will be hard on you if you are not on HTTPS!)
- If you are technically assessing a company, do check their domains names and Organization.
q="organization:"Example Inc."and you will be surprised to see sometimes firms are not aware of the domains on their name, or certificate issued by them but not renewed on time.
While the service is great, there are few issues as well which the team is working on,
- The errors are not customized. If the API queries are wrong; it dumps a lot of debug data which must be removed.
- The API key cannot be re-generated or revoked. You may have to contact CertDB support to revoke it.
- The API Key can be used in a
GETrequest. It is not recommended as it can be cached at many hops (example: proxy)
- The documentation is not comprehensive, and probably more detailed information is needed when using API calls.
- The site doesn't provide an example of API interaction. In my opinion, CertDB should write a page with few examples using Python, CURL, Ruby, Perl and other common languages including
jsonparsing of the results.
It's been few weeks since I am using this service, and my frank opinion is it has great potential and use. I am using this service while assessing AWS instances, and Fortune 500 firms. I have also found some expiring certificates for the clients and informed them in due course of time. I would highly recommend you to have a look and register an account. You can also set a
cron job to check the dates/ digital SSL footprint of an organization.
Next Steps: I shall soon be publishing an interview with their team asking for more details on the roadmap, competition, and improvements.
Cover Image Credit: Photo by Rubén Bagüés
Recently I noticed a new service/ project that is turning few heads among my peers in security community - CertDB. A one of its kind which indexes the domains SSL certs with their details, IP records, geo-location and timelines, common-name etc. They term themselves as Internet-wide search engine for digital certificates. They have a unique business statement when you get to understand the different components (search vectors) they are incorporating in this project. I know there are few transparent cert registries like Certificate Search but as per their website,
Examining the data hidden in digital certificates provides a lot of insight about business activity in a particular geography or even collaboration between 2 different companies.
I know and agree with them on these insights that they do come handy while performing reconnaissance during a security assessment (OR) validating the SSL/ TLS certificates for your client. It does reflect on the fact that maybe the certificate is about to expire, or new domains have been registered in the same certificate (example, Subject Alternate Name: DNS Name). But when I browsed through their project website, I was surprised the way they articulated their USP (unique selling point),
For example, the registration of a new unknown domain in Palo Alto hints at a new start-up; switching from the "Wildcard" certificate to "Let's Encrypt" tells us about the organization's budget constraints; issuing a certificate in an organization with domains of another organization speaks about collaboration between companies, or even at an acquisition of one company by another.
Now, I am intrigued to do a detailed article on their services, business model, filters and even an interview with their project team.
Question: Are you curious/interested, and what would you like to ask them? Do leave a comment.
Similarly, if you are using "HTTPS Decrypt & Inspect" in Smoothwall, your clients' browsers will afforded some protection from attack, as their traffic will be re-encrypted by the web filter, which does not support downgrading to these "Export Grade" ciphers.
Heartbleed: the bug that keeps on giving
Reports suggest that the Heartbleed vulnerability was involved in a breach of over 4 million records from a health provider in the US — we won't see many of these, as identifying the culprit as Heartbleed is really difficult in most cases. That instances like this are still cropping up reminds us of the need to ensure we're patched, and not just in the obvious places like a web server. This time it seems to have been SSL VPN at the heart of the issue, so to speak.
Passwords: why are we still so rubbish at this?
Apparently 51% of people share a password. This is properly daft. Really, crazier than a box of weasels. Even if you trust the other person, there's no telling what accidents might occur, or where they may re-use that password themselves. I always get gyp from my wife that I won't tell her my passwords, but I won't — and believe me, I do pretty much everything else she tells me!
EU "right to be forgotten" rule still here, still a waste of time?!
Internet numptys are still asking Google to remove them from searches in their droves. Happily the BBC is kind enough to reveal who they are by linking us to the relevant articles. When will people realise that once you publish something on the Internet, it is there forever. Unless it's that really useful document you bookmarked last week, which now 404s and was never in the Internet archive. Yes, that one.