Today, we are happy to publicly announce the ICSI Certificate Notary. This service provides near real-time reputation information on a large number of TLS/SSL certificates seen in the wild, collected continuously by Bro at several partner network sites. The notary’s data includes the time when a certificate was first and last seen, and whether we can establish a valid chain to a root certificate from the Mozilla root store.
You can use the service by sending a DNS request for an A or TXT record to:
<sha1>.notary.icsi.berkeley.edu
The token <sha1> represents the SHA1 digest of the certificate
to query. For A record queries, the result comes back either as the address
127.0.0.1 to indicate that our data providers have seen the certificate, as
127.0.0.2 if we could recently validate the certificate against the Mozilla
root store, or NXDOMAIN if we have not seen the certificate. For TXT
record queries, the notary returns key-value pairs with more details. Here is
an example lookup:
dig +short txt C1956DC8A7DFB2A5A56934DA09778E3A11023358.all.notary.icsi.berkeley.edu
"version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"
Incidentally, Vlad Grigorescu recently taught Bro how to handle DNS TXT records, which now opens new possibilities in terms of real-time certificate analysis. If you do not remember how to perform DNS lookups from a Bro script, here is an example:
Vlad’s additions now also enable TXT queries via the function lookup_hostname_txt. The snippet below asks our notary for details of each certificate in the network traffic:
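As an added illustration of the lookup protocol described above (this is not the Bro snippet the post refers to, and not ICSI's own code), the Python below builds the query name from a certificate's SHA1 digest, interprets the A-record answers the post lists, and parses the TXT key-value answer into a dict. The TXT string is the one from the dig example; the `needs_review` threshold and the `.all.` zone variant are assumptions for illustration.

```python
import hashlib
import socket

# Sample TXT answer, copied from the dig example in the post (constructed test input here).
SAMPLE_TXT = "version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"

NOTARY_ZONE = "notary.icsi.berkeley.edu"


def query_name(cert_der: bytes, zone: str = NOTARY_ZONE) -> str:
    """Build <sha1>.<zone>: upper-case hex SHA1 of the DER-encoded certificate."""
    return hashlib.sha1(cert_der).hexdigest().upper() + "." + zone


def interpret_a(address):
    """Map an A-record answer (None for NXDOMAIN) to the meaning given in the post."""
    if address is None:
        return "unseen"        # NXDOMAIN: no data provider has seen this certificate
    if address == "127.0.0.2":
        return "validated"     # recently chained to a Mozilla root-store certificate
    if address == "127.0.0.1":
        return "seen"          # seen in the wild, but no recent successful validation
    raise ValueError("unexpected notary answer: %s" % address)


def lookup_a(cert_der: bytes):
    """Live A-record lookup (needs network). Returns 'seen', 'validated' or 'unseen'."""
    try:
        address = socket.gethostbyname(query_name(cert_der))
    except socket.gaierror:
        # Caveat: the resolver reports NXDOMAIN and transient failures the same way,
        # so 'unseen' here may also mean 'could not resolve'.
        address = None
    return interpret_a(address)


def parse_txt(record: str) -> dict:
    """Parse the space-separated key=value TXT answer; ints become int, validated becomes bool."""
    fields = {}
    for item in record.split():
        key, sep, value = item.partition("=")
        if not key or not sep:
            raise ValueError("malformed field: %r" % item)
        fields[key] = int(value) if value.lstrip("-").isdigit() else value
    if "validated" in fields:
        fields["validated"] = bool(fields["validated"])
    return fields


def needs_review(fields: dict, min_seen: int = 5) -> bool:
    """Assumed triage rule: flag a certificate the notary could not validate or has rarely seen."""
    return not fields.get("validated", False) or fields.get("times_seen", 0) < min_seen
```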
Please let us know if you have questions, find problems, or have feature
requests.