Update README
This commit is contained in:
parent 30d171343a
commit 764f3285cd
README | 52
|
@ -11,18 +11,18 @@ to sign up.
|
||||||
|
|
||||||
You can use Cert Spotter to detect:
|
You can use Cert Spotter to detect:
|
||||||
|
|
||||||
|
* Certificates issued to attackers who have compromised your DNS and
|
||||||
|
are redirecting your visitors to their malicious site.
|
||||||
|
|
||||||
|
* Certificates issued to attackers who have taken over an abandonned
|
||||||
|
sub-domain in order to serve malware under your name.
|
||||||
|
|
||||||
* Certificates issued to attackers who have compromised a certificate
|
* Certificates issued to attackers who have compromised a certificate
|
||||||
authority and want to impersonate your site.
|
authority and want to impersonate your site.
|
||||||
|
|
||||||
* Certificates issued to attackers who are using your infrastructure
|
|
||||||
to serve malware.
|
|
||||||
|
|
||||||
* Certificates issued in violation of your corporate policy
|
* Certificates issued in violation of your corporate policy
|
||||||
or outside of your centralized certificate procurement process.
|
or outside of your centralized certificate procurement process.
|
||||||
|
|
||||||
* Certificates issued to your infrastructure providers without your
|
|
||||||
consent.
|
|
||||||
|
|
||||||
|
|
||||||
USING CERT SPOTTER
|
USING CERT SPOTTER
|
||||||
|
|
||||||
|
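Review bot: "abandonned" in the new sub-domain bullet is a typo; it should read "abandoned". Separately, this hunk drops two detection cases (attackers "using your infrastructure to serve malware" and certificates issued "to your infrastructure providers without your consent") without replacement, and the commit message "Update README" does not say why; either keep them or note in the commit message that they were intentionally removed.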
@ -42,22 +42,36 @@ Cert Spotter requires Go version 1.5 or higher.
|
||||||
name with a dot (e.g. ".example.com"). To monitor a single DNS name
|
name with a dot (e.g. ".example.com"). To monitor a single DNS name
|
||||||
only, do not prefix the name with a dot.
|
only, do not prefix the name with a dot.
|
||||||
|
|
||||||
3. Create a cron job to periodically run:
|
3. Create a cron job to periodically run `certspotter`. See below for
|
||||||
|
command line options.
|
||||||
|
|
||||||
certspotter
|
Every time you run Cert Spotter, it scans all browser-recognized
|
||||||
|
Certificate Transparency logs for certificates matching domains on
|
||||||
|
your watch list. When Cert Spotter detects a matching certificate, it
|
||||||
|
writes a report to standard out, which the Cron daemon emails to you.
|
||||||
|
Make sure you are able to receive emails sent by Cron.
|
||||||
|
|
||||||
When Cert Spotter detects a certificate for a name on your watchlist,
|
Cert Spotter also saves a copy of matching certificates in
|
||||||
it writes a report to standard out, which the Cron daemon emails
|
~/.certspotter/certs (unless you specify the -no_save option).
|
||||||
to you. Make sure you are able to receive emails sent by Cron.
|
|
||||||
|
|
||||||
Cert Spotter also saves a copy of matching certificates in
|
When Cert Spotter has previously monitored a log, it scans the log
|
||||||
~/.certspotter/certs.
|
from the previous position, to avoid downloading the same log entry
|
||||||
|
more than once. (To override this behavior and scan all logs from the
|
||||||
|
beginning, specify the -all_time option.)
|
||||||
|
|
||||||
|
When Cert Spotter has not previously monitored a log, it can either start
|
||||||
|
monitoring the log from the beginning, or seek to the end of the log and
|
||||||
|
start monitoring from there. Monitoring from the beginning guarantees
|
||||||
|
detection of all certificates, but requires downloading hundreds of
|
||||||
|
millions of certificates, which takes days. The default behavior is to
|
||||||
|
monitor from the beginning. To start monitoring new logs from the end,
|
||||||
|
specify the -start_at_end option.
|
||||||
|
|
||||||
You can add and remove domains on your watchlist at any time. However,
|
You can add and remove domains on your watchlist at any time. However,
|
||||||
the certspotter command only notifies you of certificates that were
|
the certspotter command only notifies you of certificates that were
|
||||||
logged since adding a domain to the watchlist, unless you specify the
|
logged since adding a domain to the watchlist, unless you specify the
|
||||||
-all_time option, which requires scanning the entirety of every log
|
-all_time option, which requires scanning the entirety of every log
|
||||||
and takes several hours to complete with a fast Internet connection.
|
and takes many days to complete with a fast Internet connection.
|
||||||
To examine preexisting certificates, it's better to use the Cert
|
To examine preexisting certificates, it's better to use the Cert
|
||||||
Spotter service <https://sslmate.com/certspotter>, the Cert Spotter
|
Spotter service <https://sslmate.com/certspotter>, the Cert Spotter
|
||||||
API <https://sslmate.com/certspotter/api>, or a CT search engine such
|
API <https://sslmate.com/certspotter/api>, or a CT search engine such
|
||||||
|
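Review bot: the new paragraph says "The default behavior is to monitor from the beginning" for a log not previously monitored, but the retained paragraph that follows still says "the certspotter command only notifies you of certificates that were logged since adding a domain to the watchlist, unless you specify the -all_time option". Under the new default the first run of a fresh install would report historical certificates for the initial watchlist, so these two statements read inconsistently; reword the retained paragraph to distinguish the first run (full history by default, unless -start_at_end) from domains added to the watchlist later (only new entries, unless -all_time). The "several hours" to "many days" correction is good and now matches the "takes days" estimate above.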
@ -71,10 +85,14 @@ COMMAND LINE FLAGS
|
||||||
above (use - to read from stdin). Default: ~/.certspotter/watchlist
|
above (use - to read from stdin). Default: ~/.certspotter/watchlist
|
||||||
-no_save
|
-no_save
|
||||||
Do not save a copy of matching certificates.
|
Do not save a copy of matching certificates.
|
||||||
|
-start_at_end
|
||||||
|
Start monitoring logs from the end, rather than the beginning.
|
||||||
|
This significantly reduces the time to run Cert Spotter, but
|
||||||
|
you will miss certificates that were added to a log before Cert
|
||||||
|
Spotter started monitoring it.
|
||||||
-all_time
|
-all_time
|
||||||
Scan for certificates from all time, not just those added since
|
Scan for certificates from all time, not just those logged since
|
||||||
the last run of Cert Spotter. Unless this option is specified,
|
the previous run of Cert Spotter.
|
||||||
no certificates are scanned the first time Cert Spotter is run.
|
|
||||||
-logs FILENAME
|
-logs FILENAME
|
||||||
JSON file containing logs to scan, in the format documented at
|
JSON file containing logs to scan, in the format documented at
|
||||||
<https://www.certificate-transparency.org/known-logs>.
|
<https://www.certificate-transparency.org/known-logs>.
|
||||||
|
|
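Review bot: the new -start_at_end entry does not say how it interacts with -all_time, even though the narrative in the previous hunk presents -all_time as the way to "scan all logs from the beginning"; state here which flag takes precedence when both are given, or at least cross-reference -all_time as the way to recover certificates missed because of -start_at_end. Also, "This significantly reduces the time to run Cert Spotter" overstates the effect: per the text above, the option only affects logs that Cert Spotter has not previously monitored, so "reduces the time of the first run against each new log" would be more accurate.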