Today, we are happy to publicly
the ICSI Certificate Notary. This service
provides near real-time reputation information on a large number of TLS/SSL
certificates seen in the wild, collected continuously by Bro at several partner
network sites. The notary’s data includes the time when a certificate was first
and last seen, and whether we can establish a valid chain to a root certificate
from the Mozilla root store.
You can use the service by sending a DNS request for an A or TXT record to:


The token <sha1> represents the SHA1 digest of the certificate
to query. For A record queries, the result is one of three things: one address, indicating that our data providers have seen the certificate; a different address, indicating that we could also recently validate the certificate against the Mozilla root store; or NXDOMAIN, if we have not seen the certificate. For TXT
record queries, the notary returns key-value pairs with more details. Here is
an example lookup:

dig +short txt
"version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"

Incidentally, Vlad Grigorescu
taught Bro how to handle DNS TXT records, which now opens new possibilities in
terms of real-time certificate analysis. If you do not remember how to perform
DNS lookups from a Bro script, here is an example:

Vlad’s additions now also enable TXT queries via the function
lookup_hostname_txt. The snippet below asks our notary for details of
certificate in the network traffic:

Please let us know if you have questions, find problems, or have feature
