Podcast Apr 11, 2022

Root Causes 216: What is crt.sh?

One of the foundational tools for monitoring and understanding public SSL certificates is crt.sh, created and maintained by Sectigo's own Rob Stradling. In this episode our hosts explain what crt.sh does and why it is so popular among SSL industry watchers.

  • Original Broadcast Date: April 11, 2022

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We want to talk about something that’s actually very important to the public SSL industry. Most people haven’t heard of it. We do mention it on occasion on this podcast. We are gonna define it, explain what it is and that is crt.sh.

  • Jason Soroko

    What you’ve just said is an internet domain which leads you to basically the ability to search CT logs.

  • Tim Callan

    Correct. We’ve talked about what CT logs are in an episode not that long ago, a few months ago, but the capsule summary on that is that according to the browser root programs’ requirements, whenever you issue an SSL certificate, or even what we call a pre-certificate, which is what you’d create before you create the certificate itself, you have to log it in the certificate transparency logs, and there are a number of them available. You need to log it in at least two of them. What the CT logs are about is certificate transparency. They are there to provide public information about what certificates are being issued so that any interested party can monitor and understand what the public CAs are doing. These things are captured in a variety of these CT logs, and these logs are maintained and are available for someone to come look at as long as they do it technically correctly, and these logs just sit out there in the world where they can be audited by the public.

    But what does that mean? Like, how does a member of the public go and audit it? So, you’re gonna get this log and it’s essentially, let’s call it a database – it’s not a database, but for want of a better word, it’s this big giant block of data, and you are gonna go through and parse it out and pull information and somehow make sense of this. How is your average person going to do that? Some years ago, an engineer here at Sectigo named Rob Stradling actually built a tool to do exactly that, and the domain is crt.sh. That is the domain that Rob obtained and, as a result, that is what the tool is now called. crt.sh is open, it’s available to the public, and people can come in and search using a variety of methods and pull out datasets of certificates that meet certain criteria and see what they are. They can be active certificates or certificates that are already revoked or expired, and understand what’s going on or what went on in the past with any public CA.

  • Jason Soroko

    That’s correct, Tim. If you are a business owner, you have a website, you’ve had SSL certificates issued for that website, this really starts to highlight, Tim, the importance of the CT logs for, hey, are those certificates that have been issued by me, or am I seeing certificates that weren’t issued by me and, oh my goodness, there’s a problem? This gives you full visibility.

  • Tim Callan

    That was kind of the original motivating use case behind CT logs back in the day. People were saying, well, how would I know? If somebody were issuing certificates on spoofy URLs that looked like they were services from my company but they actually weren’t, how am I ever going to know? I don’t own that domain. I’m not the person who requested the cert. The CA might issue the cert in perfect legitimacy. They might say the owner of this domain wants this cert and they do own the domain and I’m gonna give them the certificate, and how would you know? If it was my brand name-support.com and that wasn’t my brand and somebody was cheating and trying to attack me, how would I ever know? If that’s the basis of some social engineering attack, at least in principle a CT log can do that. Now, in practice, they’ve turned out to have more value than that. They were valuable for just understanding what was happening in the industry as a whole. They were valuable for keeping an eye on Certificate Authorities and ensuring that they were doing things properly, the way they were supposed to, and that wound up being a very heavy use of crt.sh. And one of the things that’s interesting is crt.sh is so foundational to this kind of activity that until very recently the Mozilla root program’s publicly stated guidelines for how to report and comment on bugs in their Bugzilla platform, where they talk about bugs with public CAs, actually named crt.sh by name as the source to use when reporting on these things. Now very recently that changed to something that says that you may use that or an equivalent source, and there are other sources that are available now, but that was how foundational crt.sh was to this whole process of investigating and understanding and, dare I say, policing the activities of public CAs.

  • Jason Soroko

    It’s still very, very useful and, in fact, if you go to crt.sh and just key that right into your browser, what you are gonna see is a little search box that allows you to search on a domain name or an organization name, or if you happen to have very specific information about a certificate you want to look at – in other words, the SHA-1 or SHA-256 certificate fingerprint or if you really know your stuff and you happen to have the identification number that crt.sh actually gives the certificate, you can enter in any of those things into that search box and if you click advanced, a whole bunch of other searches become available.

    What I would suggest for everybody, whether you are technical or non-technical, go to your browser, type in crt.sh and just type in a domain that you would like to see what certificates were issued for. It could be yours, it could be somebody else’s, doesn’t matter. Hit search. And what you are gonna see in the initial list is a list of certificates, and that first column on the left hand side is going to be Rob Stradling’s ID for all the certificates – the crt.sh ID – and that actually always comes out as a clickable item. If you click that, it gives you very, very similar information to the actual certificate itself, which is, again, similar to what you would see if you were browsing the website using that certificate and had investigated the certificate fields. Therefore, you can go right down to a very detailed level. From a very high level of, hey, show me certificates for a list of domains, all the way down to, alright, now I really want to investigate this certificate. I can click on an item in the list and go down even further. This is what the tool does at a very high level, and I invite everybody to try it out.

  • Tim Callan

    You talked about these certificates. You actually can get down to where you are looking at all the information from a specific certificate. You see the field names, what’s in the fields and some other information about it, and at that point you can essentially use that specific URL as a link, and so a lot of what happens is people link. If they want to show a specific certificate or set of certificates for some reason – hey, this certificate looks irregular, I want to know what’s going on here, or, hey, look at these certificates, they have this quality – they literally just take these links directly from crt.sh and paste them into whatever source they are using, and then if you click on these things, you go directly to the details of that specific certificate. And so, that’s one of the things that makes it a very useful tool: one of the ways that people use it is they share their findings by sending around these links.

  • Jason Soroko

    One of the reasons why that is so common is because the actual derived URL from clicking on one of the crt.sh IDs is very short. Therefore, it’s very easy to copy and paste. It’s very human readable. It’s very understandable and so therefore, everybody knows what you are talking about when you paste over a crt.sh ID fully formed URL that you are able to click on and get right to the crt.sh report for that specific certificate. It’s a great way for everybody to get on the same page quickly.

  • Tim Callan

    It is kind of one of these foundational things of public SSL and one of these sort of de facto standards. We have a lot of these things. I think we may have discussed Bugzilla in the past, which is another one where, in theory, this is just one tool and someone else could make a tool and, like I said, there are other tools that rival it, but this is just the one people use, people know. There’s a good reason for that. It’s very well made and very useful, and it’s just become the go-to place for finding and reporting on certificates – public certificates.

  • Jason Soroko

    It’s optimized. It really, really is optimized at the data level for searching at the domain or at the certificate level. Other types of CT log searches require something different, and therefore there are other tools that you have to build for that, but for a lot of – certainly what the intent and purpose of CT logs are for – this is an important resource.

  • Tim Callan

    So, anyway, just wanted to do it. We have referenced it in the past. We definitely will reference it again and if you heard that word and said I have no idea what these guys are talking about, hopefully we’ve cleared that up.
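The monitoring use case the hosts describe above (am I seeing certificates for my domain that I did not request?) is easy to automate once you have the search results as data. crt.sh serves the same search the web form runs as JSON when you add output=json to the query, e.g. https://crt.sh/?q=example.com&output=json, and each per-certificate page is https://crt.sh/?id=<crt.sh ID>. The script below is an added example, not code from the podcast or from crt.sh: it parses a CONSTRUCTED sample in that JSON shape (the issuer names, crt.sh IDs and dates are made up), de-duplicates rows by crt.sh ID, ignores expired certificates, and reports any still-valid certificate whose issuer is not one you use or whose names are not in your inventory, together with the short crt.sh link you would paste into a report. The expected-issuer set and the name inventory are assumptions for the example.

```python
"""Offline triage of a crt.sh domain search, in the JSON shape crt.sh returns
for ?q=<identity>&output=json. SAMPLE_JSON is constructed sample data."""
import json
from datetime import datetime
from urllib.parse import urlencode

CRTSH = "https://crt.sh/"

# Constructed sample: three distinct certificates, one of them listed twice.
SAMPLE_JSON = json.dumps([
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=Example RSA CA",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "id": 1001, "entry_timestamp": "2022-01-10T09:00:00",
     "not_before": "2022-01-10T00:00:00", "not_after": "2023-01-10T23:59:59",
     "serial_number": "01"},
    # repeated row for id 1001 (constructed) to exercise de-duplication
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=Example RSA CA",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "id": 1001, "entry_timestamp": "2022-01-10T09:00:00",
     "not_before": "2022-01-10T00:00:00", "not_after": "2023-01-10T23:59:59",
     "serial_number": "01"},
    # a certificate from a CA we never use, carrying a name we do not track
    {"issuer_ca_id": 2, "issuer_name": "C=US, O=Other CA, CN=Other Issuing CA",
     "common_name": "example.com", "name_value": "example.com\nlogin.example.com",
     "id": 1002, "entry_timestamp": "2022-03-01T10:00:00",
     "not_before": "2022-03-01T00:00:00", "not_after": "2023-03-01T23:59:59",
     "serial_number": "02"},
    # an old, expired certificate: history, not a live finding
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Example CA, CN=Example RSA CA",
     "common_name": "old.example.com", "name_value": "old.example.com",
     "id": 900, "entry_timestamp": "2019-01-01T00:00:00",
     "not_before": "2019-01-01T00:00:00", "not_after": "2020-01-01T23:59:59",
     "serial_number": "03"},
])


def search_url(identity: str) -> str:
    """The JSON form of the search box query; a leading '%.' matches subdomains."""
    return CRTSH + "?" + urlencode({"q": identity, "output": "json"})


def cert_url(crtsh_id: int) -> str:
    """The short per-certificate link people paste into reports."""
    return f"{CRTSH}?id={crtsh_id}"


def _dn_attr(dn: str, attr: str) -> str:
    # crt.sh prints the issuer as a comma-separated DN string. This naive split
    # is enough for the sample; a quoted comma inside a value needs a real parser.
    for part in dn.split(", "):
        if part.startswith(attr + "="):
            return part[len(attr) + 1:]
    return ""


def parse_results(text: str) -> list:
    """Collapse rows into one record per crt.sh ID, collecting all names."""
    by_id = {}
    for row in json.loads(text):
        rec = by_id.setdefault(row["id"], {
            "id": row["id"],
            "issuer_cn": _dn_attr(row["issuer_name"], "CN"),
            "names": set(),
            "not_before": datetime.fromisoformat(row["not_before"]),
            "not_after": datetime.fromisoformat(row["not_after"]),
        })
        # name_value is the newline-separated SAN list; the CN may not be in it
        rec["names"].update(n.strip().lower()
                            for n in row["name_value"].split("\n") if n.strip())
        rec["names"].add(row["common_name"].lower())
    return sorted(by_id.values(), key=lambda r: r["id"])


def triage(records, expected_issuer_cns, inventory_names, now):
    """Return findings for unexpired certs with an unknown issuer or name."""
    inventory = {n.lower() for n in inventory_names}
    findings = []
    for rec in records:
        if rec["not_after"] < now:
            continue
        reasons = []
        if rec["issuer_cn"] not in expected_issuer_cns:
            reasons.append(f"issuer {rec['issuer_cn']!r} not in the expected set")
        unknown = sorted(rec["names"] - inventory)
        if unknown:
            reasons.append("names not in inventory: " + ", ".join(unknown))
        if reasons:
            findings.append({"id": rec["id"], "link": cert_url(rec["id"]),
                             "reasons": reasons})
    return findings


def run_sample():
    # assumed for the example: the CA we use and the names we know we own
    return triage(parse_results(SAMPLE_JSON), {"Example RSA CA"},
                  {"example.com", "www.example.com"}, datetime(2022, 6, 1))


if __name__ == "__main__":
    for f in run_sample():
        print(f["link"], "|", "; ".join(f["reasons"]))
```

Against the constructed sample this reports only crt.sh ID 1002: it was issued by a CA the owner does not use and covers login.example.com, which is not in the inventory. In practice you would fetch the JSON for your own domains on a schedule (the '%.' prefix pulls in subdomains), feed it through parse_results and triage, and treat each finding as something to investigate, not as proof of mis-issuance; a certificate you simply forgot about looks identical in the log to one an attacker obtained.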